securesign · JasonPowr · Feb 4, 2026
diff --git a/pipelines/integration-test/pco-operator-upgrade.yaml b/pipelines/integration-test/pco-operator-upgrade.yaml
@@ -0,0 +1,379 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: policy-controller-operator-upgrade-
+spec:
+  description: |
+    An integration test which provisions an ephemeral Hypershift cluster, and runs the 
+    policy controller operators upgrade scenario.
+  workspaces:
+    - name: work
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi
+  pipelineSpec:
+    params:
+      - name: SNAPSHOT
+      - name: OCP_VERSION
+        default: "4.19"
+      - name: RHTAS_BUNDLE_IMAGE
+        default: registry.redhat.io/rhtas/rhtas-operator-bundle:1.3.1
+      - name: TAS_DEPLOY_NAMESPACE
+        default: tas
+      - name: POLICY_CONTROLLER_OPERATOR_GIT_URL
+        default: https://github.com/securesign/policy-controller-operator
+      - name: RHTAS_GIT_URL
+        default: https://github.com/securesign/secure-sign-operator
+      - name: RHTAS_GIT_REVISION
+        default: main
+    workspaces:
+      - name: work
+    tasks:
+      - name: parse-metadata
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://github.com/konflux-ci/tekton-integration-catalog
+            - name: revision
+              value: main
+            - name: pathInRepo
+              value: tasks/test-metadata/0.3/test-metadata.yaml
+        params:
+          - name: SNAPSHOT
+            value: $(params.SNAPSHOT)
+      - name: clone-tas-operator-source-code
+        runAfter:
+          - parse-metadata
+        taskRef:
+          params:
+            - name: name
+              value: git-clone
+            - name: bundle
+              value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1
+            - name: kind
+              value: task
+          resolver: bundles
+        params:
+          - name: url
+            value: $(params.RHTAS_GIT_URL)
+          - name: revision
+            value: $(params.RHTAS_GIT_REVISION)
+          - name: subdirectory
+            value: "tas-operator"
+        workspaces:
+          - name: output
+            workspace: work
+      - name: clone-operator-source-code
+        runAfter:
+          - parse-metadata
+        taskRef:
+          params:
+            - name: name
+              value: git-clone
+            - name: bundle
+              value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1
+            - name: kind
+              value: task
+          resolver: bundles
+        params:
+          - name: url
+            value: $(params.POLICY_CONTROLLER_OPERATOR_GIT_URL)
+          - name: revision
+            value: main
+          - name: subdirectory
+            value: "operator"
+        workspaces:
+          - name: output
+            workspace: work
+      - name: provision-eaas-space
+        runAfter:
+          - parse-metadata
+        taskRef:
+          resolver: bundles
+          params:
+            - name: name
+              value: eaas-provision-space
+            - name: bundle
+              value: quay.io/konflux-ci/tekton-catalog/task-eaas-provision-space:0.1-4e4fa7355a6a51083954408e7e3b647e3bddb8d8
+            - name: kind
+              value: task
+        params:
+          - name: ownerName
+            value: $(context.pipelineRun.name)
+          - name: ownerUid
+            value: $(context.pipelineRun.uid)
+      - name: provision-cluster
+        runAfter:
+          - provision-eaas-space
+        taskSpec:
+          results:
+            - name: clusterName
+              value: "$(steps.create-cluster.results.clusterName)"
+          steps:
+            - name: pick-version
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/konflux-ci/build-definitions.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/eaas-get-latest-openshift-version-by-prefix/0.1/eaas-get-latest-openshift-version-by-prefix.yaml
+              params:
+                - name: prefix
+                  value: "$(params.OCP_VERSION)"
+            - name: create-cluster
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/konflux-ci/build-definitions.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml
+              params:
+                - name: eaasSpaceSecretRef
+                  value: $(tasks.provision-eaas-space.results.secretRef)
+                - name: version
+                  value: "$(steps.pick-version.results.version)"
+                - name: instanceType
+                  value: m5.large
+                - name: timeout
+                  value: 60m
+                - name: imageContentSources
+                  value: |
+                    - source: registry.redhat.io/rhtas/policy-controller-rhel9
+                      mirrors:
+                        - quay.io/securesign/policy-controller
+                    - source: registry.redhat.io/rhtas/policy-controller-rhel9-operator
+                      mirrors:
+                        - quay.io/securesign/policy-controller-operator
+                    - source: registry.redhat.io/rhtas/policy-controller-operator-bundle
+                      mirrors:
+                      - quay.io/securesign/policy-controller-operator-bundle
+      - name: install-rhtas-operator
+        runAfter:
+          - provision-cluster
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://github.com/securesign/pipelines.git
+            - name: revision
+              value: main
+            - name: pathInRepo
+              value: tasks/integration-test/install-operator-from-bundle.yaml
+        params:
+          - name: eaasSpaceSecretRef
+            value: $(tasks.provision-eaas-space.results.secretRef)
+          - name: clusterName
+            value: "$(tasks.provision-cluster.results.clusterName)"
+          - name: bundleImage
+            value: "$(params.RHTAS_BUNDLE_IMAGE)"
+      - name: download-binaries
+        workspaces:
+          - name: work
+            workspace: work
+        taskSpec:
+          workspaces:
+            - name: work
+          steps:
+            - name: get-cosign
+              image: registry.redhat.io/rhtas/cosign-rhel9:1.3.1
+              securityContext:
+                runAsUser: 0
+              script: |
+                mkdir -p $(workspaces.work.path)/binaries
+                cp /usr/local/bin/cosign $(workspaces.work.path)/binaries/
+      - name: prepare-tests
+        runAfter:
+          - install-rhtas-operator
+          - clone-tas-operator-source-code
+        workspaces:
+          - name: source-code
+            workspace: work
+        taskSpec:
+          results:
+            - name: oidc-hostname
+              type: string
+              value: "$(steps.install-keycloak.results.oidc-hostname)"
+            - name: fulcio-url
+              type: string
+              value: "$(steps.install-tas.results.fulcio-url)"
+            - name: tsa-url
+              type: string
+              value: "$(steps.install-tas.results.tsa-url)"
+            - name: tuf-url
+              type: string
+              value: "$(steps.install-tas.results.tuf-url)"
+            - name: rekor-url
+              type: string
+              value: "$(steps.install-tas.results.rekor-url)"
+            - name: rekor-ui-url
+              type: string
+              value: "$(steps.install-tas.results.rekor-ui-url)"
+          volumes:
+            - name: credentials
+              emptyDir: { }
+          workspaces:
+            - name: source-code
+          steps:
+            - name: get-kubeconfig
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/konflux-ci/build-definitions.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
+              params:
+                - name: eaasSpaceSecretRef
+                  value: $(tasks.provision-eaas-space.results.secretRef)
+                - name: clusterName
+                  value: "$(tasks.provision-cluster.results.clusterName)"
+                - name: credentials
+                  value: credentials
+            - name: install-keycloak
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/securesign/pipelines.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/integration-test/install-keycloak.yaml
+              params:
+                - name: credentials
+                  value: credentials
+                - name: KUBECONFIG
+                  value: "$(steps.get-kubeconfig.results.kubeconfig)"
+                - name: workdir
+                  value: "$(workspaces.source-code.path)/tas-operator"
+            - name: install-tas
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/securesign/pipelines.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/integration-test/install-tas.yaml
+              params:
+                - name: credentials
+                  value: credentials
+                - name: KUBECONFIG
+                  value: "$(steps.get-kubeconfig.results.kubeconfig)"
+                - name: workdir
+                  value: $(workspaces.source-code.path)/tas-operator
+                - name: tas-namespace
+                  value: "$(params.TAS_DEPLOY_NAMESPACE)"
+                - name: OIDC_ISSUER_URL
+                  value: "$(steps.install-keycloak.results.oidc-issuer-url)"
+      - name: run-operator-upgrade
+        runAfter:
+          - prepare-tests
+          - download-binaries
+          - clone-operator-source-code
+        workspaces:
+          - name: source-code
+            workspace: work
+        taskSpec:
+          results:
+            - name: TEST_OUTPUT
+              description: "Full JSON summary of test results"
+          volumes:
+            - name: credentials
+              emptyDir: { }
+          workspaces:
+            - name: source-code
+          steps:
+            - name: get-kubeconfig
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/konflux-ci/build-definitions.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
+              params:
+                - name: eaasSpaceSecretRef
+                  value: $(tasks.provision-eaas-space.results.secretRef)
+                - name: clusterName
+                  value: "$(tasks.provision-cluster.results.clusterName)"
+                - name: credentials
+                  value: credentials
+            - name: execute-test
+              onError: continue
+              image: registry.redhat.io/ubi9/go-toolset:1.25@sha256:359dd4c6c4255b3f7bce4dc15ffa5a9aa65a401f819048466fa91baa8244a793
+              env:
+                - name: OIDC_HOST
+                  value: "$(tasks.prepare-tests.results.oidc-hostname)"
+                - name: TUF_URL
+                  value: "$(tasks.prepare-tests.results.tuf-url)"
+                - name: FULCIO_URL
+                  value: "$(tasks.prepare-tests.results.fulcio-url)"
+                - name: REKOR_URL
+                  value: "$(tasks.prepare-tests.results.rekor-url)"
+                - name: REKOR_UI_URL
+                  value: "$(tasks.prepare-tests.results.rekor-ui-url)"
+                - name: TSA_URL
+                  value: "$(tasks.prepare-tests.results.tsa-url)/api/v1/timestamp"
+                - name: KUBECONFIG
+                  value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
+                - name: RHTAS_INSTALL_NAMESPACE
+                  value: "$(params.TAS_DEPLOY_NAMESPACE)"
+                - name: UPGRADE_FROM_OPERATOR_INDEX_IMAGE
+                  value: "registry.redhat.io/redhat/redhat-operator-index:v$(params.OCP_VERSION)"
+                - name: UPGRADE_TO_OPERATOR_INDEX_IMAGE
+                  value: "$(tasks.parse-metadata.results.container-image)"
+                - name: UPGRADE_FROM_CHANNEL
+                  value: "tech-preview"
+              volumeMounts:
+                - name: credentials
+                  mountPath: /credentials
+              workingDir: $(workspaces.source-code.path)/operator
+              script: |
+                #!/bin/sh
+                set +e -o pipefail
+                export PATH="$PATH:$(workspaces.source-code.path)/binaries"
+                openssl s_client -connect "$OIDC_HOST:443" -showcerts </dev/null > /tmp/ssl.cert
+                sed -ni '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' /tmp/ssl.cert
+                cat /tmp/ssl.cert >> /etc/pki/tls/certs/ca-bundle.crt
+                export SSL_CERT_FILE=/tmp/ssl.cert
+                export INJECT_CA=true
+                export OIDC_ISSUER_URL=https://$OIDC_HOST/auth/realms/trusted-artifact-signer
+
+                source ./test/tas-env-variables.sh
+                go mod vendor
+                mkdir -p $(workspaces.source-code.path)/dump/operator-upgrade
+                go test -count=1 -tags=upgrade -v -timeout 30m -json ./test/... > $(workspaces.source-code.path)/dump/operator-upgrade/test-result.json
+                cp test/**/k8s-dump-*.tar.gz $(workspaces.source-code.path)/dump/operator-upgrade/ || echo "no test dump files found"
+
+              securityContext:
+                runAsUser: 0
+            - name: process-test-results
+              ref:
+                resolver: git
+                params:
+                  - name: url
+                    value: https://github.com/securesign/pipelines.git
+                  - name: revision
+                    value: main
+                  - name: pathInRepo
+                    value: stepactions/integration-test/process-go-test-results.yaml
+              params:
+                - name: test_output_file
+                  value: $(workspaces.source-code.path)/dump/operator-upgrade/test-result.json
diff --git a/pipelines/integration-test/policy-controller-operator-e2e.yaml b/pipelines/integration-test/policy-controller-operator-e2e.yaml
@@ -21,7 +21,7 @@ spec:
       - name: OCP_VERSION
         default: "4.19"
       - name: RHTAS_BUNDLE_IMAGE
-        default: registry.redhat.io/rhtas/rhtas-operator-bundle:1.2.0
+        default: registry.redhat.io/rhtas/rhtas-operator-bundle:1.3.1
       - name: TAS_DEPLOY_NAMESPACE
         default: tas
       - name: POLICY_CONTROLLER_OPERATOR_NS