diff --git a/pipelines/integration-test/pco-operator-upgrade.yaml b/pipelines/integration-test/pco-operator-upgrade.yaml
new file mode 100644
index 00000000..eb8e0ea3
--- /dev/null
+++ b/pipelines/integration-test/pco-operator-upgrade.yaml
@@ -0,0 +1,379 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ generateName: policy-controller-operator-upgrade-
+spec:
+ description: |
+ An integration test which provisions an ephemeral Hypershift cluster, and runs the
+ policy controller operators upgrade scenario.
+ workspaces:
+ - name: work
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ pipelineSpec:
+ params:
+ - name: SNAPSHOT
+ - name: OCP_VERSION
+ default: "4.19"
+ - name: RHTAS_BUNDLE_IMAGE
+ default: registry.redhat.io/rhtas/rhtas-operator-bundle:1.3.1
+ - name: TAS_DEPLOY_NAMESPACE
+ default: tas
+ - name: POLICY_CONTROLLER_OPERATOR_GIT_URL
+ default: https://github.com/securesign/policy-controller-operator
+ - name: RHTAS_GIT_URL
+ default: https://github.com/securesign/secure-sign-operator
+ - name: RHTAS_GIT_REVISION
+ default: main
+ workspaces:
+ - name: work
+ tasks:
+ - name: parse-metadata
+ taskRef:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/tekton-integration-catalog
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: tasks/test-metadata/0.3/test-metadata.yaml
+ params:
+ - name: SNAPSHOT
+ value: $(params.SNAPSHOT)
+ - name: clone-tas-operator-source-code
+ runAfter:
+ - parse-metadata
+ taskRef:
+ params:
+ - name: name
+ value: git-clone
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - name: url
+ value: $(params.RHTAS_GIT_URL)
+ - name: revision
+ value: $(params.RHTAS_GIT_REVISION)
+ - name: subdirectory
+ value: "tas-operator"
+ workspaces:
+ - name: output
+ workspace: work
+ - name: clone-operator-source-code
+ runAfter:
+ - parse-metadata
+ taskRef:
+ params:
+ - name: name
+ value: git-clone
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - name: url
+ value: $(params.POLICY_CONTROLLER_OPERATOR_GIT_URL)
+ - name: revision
+ value: main
+ - name: subdirectory
+ value: "operator"
+ workspaces:
+ - name: output
+ workspace: work
+ - name: provision-eaas-space
+ runAfter:
+ - parse-metadata
+ taskRef:
+ resolver: bundles
+ params:
+ - name: name
+ value: eaas-provision-space
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-eaas-provision-space:0.1-4e4fa7355a6a51083954408e7e3b647e3bddb8d8
+ - name: kind
+ value: task
+ params:
+ - name: ownerName
+ value: $(context.pipelineRun.name)
+ - name: ownerUid
+ value: $(context.pipelineRun.uid)
+ - name: provision-cluster
+ runAfter:
+ - provision-eaas-space
+ taskSpec:
+ results:
+ - name: clusterName
+ value: "$(steps.create-cluster.results.clusterName)"
+ steps:
+ - name: pick-version
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/build-definitions.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/eaas-get-latest-openshift-version-by-prefix/0.1/eaas-get-latest-openshift-version-by-prefix.yaml
+ params:
+ - name: prefix
+ value: "$(params.OCP_VERSION)"
+ - name: create-cluster
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/build-definitions.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml
+ params:
+ - name: eaasSpaceSecretRef
+ value: $(tasks.provision-eaas-space.results.secretRef)
+ - name: version
+ value: "$(steps.pick-version.results.version)"
+ - name: instanceType
+ value: m5.large
+ - name: timeout
+ value: 60m
+ - name: imageContentSources
+ value: |
+ - source: registry.redhat.io/rhtas/policy-controller-rhel9
+ mirrors:
+ - quay.io/securesign/policy-controller
+ - source: registry.redhat.io/rhtas/policy-controller-rhel9-operator
+ mirrors:
+ - quay.io/securesign/policy-controller-operator
+ - source: registry.redhat.io/rhtas/policy-controller-operator-bundle
+ mirrors:
+ - quay.io/securesign/policy-controller-operator-bundle
+ - name: install-rhtas-operator
+ runAfter:
+ - provision-cluster
+ taskRef:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: tasks/integration-test/install-operator-from-bundle.yaml
+ params:
+ - name: eaasSpaceSecretRef
+ value: $(tasks.provision-eaas-space.results.secretRef)
+ - name: clusterName
+ value: "$(tasks.provision-cluster.results.clusterName)"
+ - name: bundleImage
+ value: "$(params.RHTAS_BUNDLE_IMAGE)"
+ - name: download-binaries
+ workspaces:
+ - name: work
+ workspace: work
+ taskSpec:
+ workspaces:
+ - name: work
+ steps:
+ - name: get-cosign
+ image: registry.redhat.io/rhtas/cosign-rhel9:1.3.1
+ securityContext:
+ runAsUser: 0
+ script: |
+ mkdir -p $(workspaces.work.path)/binaries
+ cp /usr/local/bin/cosign $(workspaces.work.path)/binaries/
+ - name: prepare-tests
+ runAfter:
+ - install-rhtas-operator
+ - clone-tas-operator-source-code
+ workspaces:
+ - name: source-code
+ workspace: work
+ taskSpec:
+ results:
+ - name: oidc-hostname
+ type: string
+ value: "$(steps.install-keycloak.results.oidc-hostname)"
+ - name: fulcio-url
+ type: string
+ value: "$(steps.install-tas.results.fulcio-url)"
+ - name: tsa-url
+ type: string
+ value: "$(steps.install-tas.results.tsa-url)"
+ - name: tuf-url
+ type: string
+ value: "$(steps.install-tas.results.tuf-url)"
+ - name: rekor-url
+ type: string
+ value: "$(steps.install-tas.results.rekor-url)"
+ - name: rekor-ui-url
+ type: string
+ value: "$(steps.install-tas.results.rekor-ui-url)"
+ volumes:
+ - name: credentials
+ emptyDir: { }
+ workspaces:
+ - name: source-code
+ steps:
+ - name: get-kubeconfig
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/build-definitions.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
+ params:
+ - name: eaasSpaceSecretRef
+ value: $(tasks.provision-eaas-space.results.secretRef)
+ - name: clusterName
+ value: "$(tasks.provision-cluster.results.clusterName)"
+ - name: credentials
+ value: credentials
+ - name: install-keycloak
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/integration-test/install-keycloak.yaml
+ params:
+ - name: credentials
+ value: credentials
+ - name: KUBECONFIG
+ value: "$(steps.get-kubeconfig.results.kubeconfig)"
+ - name: workdir
+ value: "$(workspaces.source-code.path)/tas-operator"
+ - name: install-tas
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/integration-test/install-tas.yaml
+ params:
+ - name: credentials
+ value: credentials
+ - name: KUBECONFIG
+ value: "$(steps.get-kubeconfig.results.kubeconfig)"
+ - name: workdir
+ value: $(workspaces.source-code.path)/tas-operator
+ - name: tas-namespace
+ value: "$(params.TAS_DEPLOY_NAMESPACE)"
+ - name: OIDC_ISSUER_URL
+ value: "$(steps.install-keycloak.results.oidc-issuer-url)"
+ - name: run-operator-upgrade
+ runAfter:
+ - prepare-tests
+ - download-binaries
+ - clone-operator-source-code
+ workspaces:
+ - name: source-code
+ workspace: work
+ taskSpec:
+ results:
+ - name: TEST_OUTPUT
+ description: "Full JSON summary of test results"
+ volumes:
+ - name: credentials
+ emptyDir: { }
+ workspaces:
+ - name: source-code
+ steps:
+ - name: get-kubeconfig
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/build-definitions.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
+ params:
+ - name: eaasSpaceSecretRef
+ value: $(tasks.provision-eaas-space.results.secretRef)
+ - name: clusterName
+ value: "$(tasks.provision-cluster.results.clusterName)"
+ - name: credentials
+ value: credentials
+ - name: execute-test
+ onError: continue
+ image: registry.redhat.io/ubi9/go-toolset:1.25@sha256:359dd4c6c4255b3f7bce4dc15ffa5a9aa65a401f819048466fa91baa8244a793
+ env:
+ - name: OIDC_HOST
+ value: "$(tasks.prepare-tests.results.oidc-hostname)"
+ - name: TUF_URL
+ value: "$(tasks.prepare-tests.results.tuf-url)"
+ - name: FULCIO_URL
+ value: "$(tasks.prepare-tests.results.fulcio-url)"
+ - name: REKOR_URL
+ value: "$(tasks.prepare-tests.results.rekor-url)"
+ - name: REKOR_UI_URL
+ value: "$(tasks.prepare-tests.results.rekor-ui-url)"
+ - name: TSA_URL
+ value: "$(tasks.prepare-tests.results.tsa-url)/api/v1/timestamp"
+ - name: KUBECONFIG
+ value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
+ - name: RHTAS_INSTALL_NAMESPACE
+ value: "$(params.TAS_DEPLOY_NAMESPACE)"
+ - name: UPGRADE_FROM_OPERATOR_INDEX_IMAGE
+ value: "registry.redhat.io/redhat/redhat-operator-index:v$(params.OCP_VERSION)"
+ - name: UPGRADE_TO_OPERATOR_INDEX_IMAGE
+ value: "$(tasks.parse-metadata.results.container-image)"
+ - name: UPGRADE_FROM_CHANNEL
+ value: "tech-preview"
+ volumeMounts:
+ - name: credentials
+ mountPath: /credentials
+ workingDir: $(workspaces.source-code.path)/operator
+ script: |
+ #!/bin/sh
+ set +e -o pipefail
+ export PATH="$PATH:$(workspaces.source-code.path)/binaries"
+ openssl s_client -connect "$OIDC_HOST:443" -showcerts /tmp/ssl.cert
+ sed -ni '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' /tmp/ssl.cert
+ cat /tmp/ssl.cert >> /etc/pki/tls/certs/ca-bundle.crt
+ export SSL_CERT_FILE=/tmp/ssl.cert
+ export INJECT_CA=true
+ export OIDC_ISSUER_URL=https://$OIDC_HOST/auth/realms/trusted-artifact-signer
+
+ source ./test/tas-env-variables.sh
+ go mod vendor
+ mkdir -p $(workspaces.source-code.path)/dump/operator-upgrade
+ go test -count=1 -tags=upgrade -v -timeout 30m -json ./test/... > $(workspaces.source-code.path)/dump/operator-upgrade/test-result.json
+ cp test/**/k8s-dump-*.tar.gz $(workspaces.source-code.path)/dump/operator-upgrade/ || echo "no test dump files found"
+
+ securityContext:
+ runAsUser: 0
+ - name: process-test-results
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/integration-test/process-go-test-results.yaml
+ params:
+ - name: test_output_file
+ value: $(workspaces.source-code.path)/dump/operator-upgrade/test-result.json
diff --git a/pipelines/integration-test/policy-controller-operator-e2e.yaml b/pipelines/integration-test/policy-controller-operator-e2e.yaml
index b54b0dda..86e16c39 100644
--- a/pipelines/integration-test/policy-controller-operator-e2e.yaml
+++ b/pipelines/integration-test/policy-controller-operator-e2e.yaml
@@ -21,7 +21,7 @@ spec:
 - name: OCP_VERSION
 default: "4.19"
 - name: RHTAS_BUNDLE_IMAGE
- default: registry.redhat.io/rhtas/rhtas-operator-bundle:1.2.0
+ default: registry.redhat.io/rhtas/rhtas-operator-bundle:1.3.1
 - name: TAS_DEPLOY_NAMESPACE
 default: tas
 - name: POLICY_CONTROLLER_OPERATOR_NS
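Review bot: Most remote references in the new `pco-operator-upgrade.yaml` are mutable: every git-resolver `taskRef` and step `ref` uses `revision: main`, `task-git-clone:0.1` is a floating bundle tag, and `registry.redhat.io/rhtas/cosign-rhel9:1.3.1` has no digest, while the `go-toolset` image in the same file is digest-pinned and `task-eaas-provision-space` carries a commit-suffixed tag. Several of those steps (`create-cluster`, both `get-kubeconfig` steps, `install-keycloak`, `install-tas`, `install-rhtas-operator`) are handed `eaasSpaceSecretRef` or the kubeconfig, so whatever `main` resolves to at run time executes with the ephemeral cluster's credentials. I would pin each one to an immutable reference, for example `value: <full-commit-sha>` for `revision` and `:0.1@sha256:<digest>` for bundles and images, and let an update bot move the pins. Separately, in `execute-test` the certificate returned by `openssl s_client` is appended to `/etc/pki/tls/certs/ca-bundle.crt` as root with no check of what was served; a comment such as `# trust-on-first-use: test-only CA from the ephemeral cluster's Keycloak route` above that line would make the intent explicit and discourage reuse outside this test.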