Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SECURESIGN-1859: TAS e2e tests added to operator integration tests #84

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
+402 −89
Open

SECURESIGN-1859: TAS e2e tests added to operator integration tests #84

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
54e745f
Added .gitignore file
petrpinkas Mar 14, 2025
ef44c82
TAS e2e tests added
petrpinkas Mar 14, 2025
5217f93
Add changes accidently reverted
petrpinkas Mar 14, 2025
c775e7e
References to new branch updated
petrpinkas Mar 14, 2025
c6932cd
Use prepared image to avoid using podman inside container
petrpinkas Mar 16, 2025
ff55231
SecurityContext added
petrpinkas Mar 16, 2025
613591a
Revert all changes for prepared image
petrpinkas Mar 16, 2025
34b55c4
Add more tests
bouskaJ Mar 17, 2025
2dcb5ff
Improvements based on code review
petrpinkas Mar 17, 2025
81fa18a
Switching to oc project tas-e2e
petrpinkas Mar 17, 2025
049f3af
Update createtree image
bouskaJ Mar 17, 2025
b1e20a5
Check .env configuration
petrpinkas Mar 17, 2025
22e4c10
Temporarily disable e2e tests
petrpinkas Mar 17, 2025
c73a678
Running tests via make file
petrpinkas Mar 17, 2025
d5914d1
Fix ssl cert
bouskaJ Mar 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# editor and IDE paraphernalia
.idea
232 changes: 211 additions & 21 deletions pipelines/rhtas-operator-e2e.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,7 @@ spec:
- input: "$(tasks.parse-metadata.results.component)"
operator: in
values: [ "fbc-v4-17", "fbc-v4-16", "fbc-v4-15", "fbc-v4-14", "fbc-v4-13" ]
- name: run-e2e
- name: prepare-tests
runAfter:
# run after either one
- install-operator-from-image
Expand All @@ -244,6 +244,9 @@ spec:
- name: namespace
value: "$(params.NAMESPACE)"
taskSpec:
results:
- name: oidc-hostname
value: "$(steps.install-keycloak.results.oidc-hostname)"
volumes:
- name: credentials
emptyDir: { }
Expand Down Expand Up @@ -275,23 +278,25 @@ spec:
- name: credentials
value: credentials
# workaround - IntegrationTest pipelines does not support workspaces ATM - it is not possible to use git-clone task
- name: git-clone
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:6a4a05d24acecde63d9c7c8c986ad9e5e20da2c2ce30312b328ed771736e7a1f
volumeMounts:
- name: git-clone-operator
ref:
resolver: git
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: ppinkas/SECURESIGN-1859
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

udate ref ppinkas/SECURESIGN-1859

- name: pathInRepo
value: stepactions/git-clone-operator.yaml
params:
- name: operator-component
value: "$(tasks.parse-metadata.results.component)"
- name: git-url
value: "$(tasks.parse-metadata.results.git-url)"
- name: git-revision
value: "$(tasks.parse-metadata.results.git-revision)"
- name: repository
mountPath: /repository
script: |
cd /repository
if [[ "$(tasks.parse-metadata.results.component)" == "rhtas-operator" || "$(tasks.parse-metadata.results.component)" == "rhtas-operator-bundle" ]]; then
echo "Cloning from $(tasks.parse-metadata.results.git-url)"
git clone "$(tasks.parse-metadata.results.git-url)" source
cd source
git checkout $(tasks.parse-metadata.results.git-revision)
else
echo "Cloning from default url"
git clone "https://github.com/securesign/secure-sign-operator.git" source
cd source
fi
value: repository
- name: install-keycloak
ref:
resolver: git
Expand All @@ -311,6 +316,26 @@ spec:
value: "$(steps.get-kubeconfig.results.kubeconfig)"
- name: workdir
value: source
- name: run-operator-e2e
runAfter:
- prepare-tests
params:
- name: namespace
value: "$(params.NAMESPACE)"
taskSpec:
volumes:
- name: credentials
emptyDir: { }
- name: repository
emptyDir: { }
- name: binaries
emptyDir: { }
- name: dump
emptyDir: { }
- name: push-creds
secret:
secretName: securesign-test-dump-oci
steps:
- name: get-tuftool
ref:
resolver: git
Expand All @@ -337,15 +362,52 @@ spec:
params:
- name: volume
value: binaries
- name: execute-e2e
- name: get-kubeconfig
ref:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/build-definitions.git
- name: revision
value: main
- name: pathInRepo
value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
params:
- name: eaasSpaceSecretRef
value: $(tasks.provision-eaas-space.results.secretRef)
- name: clusterName
value: "$(tasks.provision-cluster.results.clusterName)"
- name: credentials
value: credentials
# workaround - IntegrationTest pipelines does not support workspaces ATM - it is not possible to use git-clone task
- name: git-clone-operator
ref:
resolver: git
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: ppinkas/SECURESIGN-1859
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update

- name: pathInRepo
value: stepactions/git-clone-operator.yaml
params:
- name: operator-component
value: "$(tasks.parse-metadata.results.component)"
- name: git-url
value: "$(tasks.parse-metadata.results.git-url)"
- name: git-revision
value: "$(tasks.parse-metadata.results.git-revision)"
- name: repository
value: repository
- name: execute-operator-e2e
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:6a4a05d24acecde63d9c7c8c986ad9e5e20da2c2ce30312b328ed771736e7a1f
onError: continue
results:
- name: status
type: string
env:
- name: OIDC_HOST
value: "$(steps.install-keycloak.results.oidc-hostname)"
value: "$(tasks.prepare-tests.results.oidc-hostname)"
- name: KUBECONFIG
value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
- name: CI
Expand Down Expand Up @@ -381,7 +443,7 @@ spec:
fi
- name: secure-push-oci
when:
- input: "$(steps.execute-e2e.results.status)"
- input: "$(steps.execute-operator-e2e.results.status)"
operator: notin
values: [ "success" ]
ref:
Expand All @@ -407,10 +469,138 @@ spec:
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:6a4a05d24acecde63d9c7c8c986ad9e5e20da2c2ce30312b328ed771736e7a1f
env:
- name: STATUS
value: "$(steps.execute-e2e.results.status)"
value: "$(steps.execute-operator-e2e.results.status)"
script: |
#!/bin/bash
if [ "$STATUS" != "success" ]; then
echo "Test failure"
exit 1
fi
- name: run-tas-e2e
runAfter:
- prepare-tests
params:
- name: namespace
value: "$(params.NAMESPACE)"
taskSpec:
volumes:
- name: credentials
emptyDir: { }
- name: repository
emptyDir: { }
- name: binaries
emptyDir: { }
- name: dump
emptyDir: { }
- name: push-creds
secret:
secretName: securesign-test-dump-oci
steps:
- name: get-kubeconfig
ref:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/build-definitions.git
- name: revision
value: main
- name: pathInRepo
value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
params:
- name: eaasSpaceSecretRef
value: $(tasks.provision-eaas-space.results.secretRef)
- name: clusterName
value: "$(tasks.provision-cluster.results.clusterName)"
- name: credentials
value: credentials
- name: git-clone-operator
ref:
resolver: git
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: ppinkas/SECURESIGN-1859
- name: pathInRepo
value: stepactions/git-clone-operator.yaml
params:
- name: operator-component
value: "$(tasks.parse-metadata.results.component)"
- name: git-url
value: "$(tasks.parse-metadata.results.git-url)"
- name: git-revision
value: "$(tasks.parse-metadata.results.git-revision)"
- name: repository
value: repository
- name: install-tas
onError: continue
ref:
resolver: git
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: ppinkas/SECURESIGN-1859
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update

- name: pathInRepo
value: stepactions/install-tas.yaml
params:
- name: credentials
value: credentials
- name: repository
value: repository
- name: KUBECONFIG
value: "$(steps.get-kubeconfig.results.kubeconfig)"
- name: workdir
value: source
- name: clusterName
value: "$(tasks.provision-cluster.results.clusterName)"
- name: git-clone-tas-e2e
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:6a4a05d24acecde63d9c7c8c986ad9e5e20da2c2ce30312b328ed771736e7a1f
onError: continue
volumeMounts:
- name: repository
mountPath: /repository
script: |
cd /repository
echo "Cloning TAS e2e tests"
git clone "https://github.com/securesign/sigstore-e2e" sigstore-e2e
- name: prepare-tas-e2e
image: registry.redhat.io/openshift4/ose-cli
volumeMounts:
- name: credentials
mountPath: /credentials
- name: repository
mountPath: /repository
env:
- name: KUBECONFIG
value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
script: |
oc get clusterversion
oc version
oc project tas-e2e
oc get consoleclidownloads
oc get pods
cd /repository/sigstore-e2e
./tas-env-variables.sh > .env
- name: execute-tas-e2e
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:6a4a05d24acecde63d9c7c8c986ad9e5e20da2c2ce30312b328ed771736e7a1f
volumeMounts:
- name: credentials
mountPath: /credentials
- name: repository
mountPath: /repository
env:
- name: OIDC_HOST
value: "$(tasks.prepare-tests.results.oidc-hostname)"
- name: KUBECONFIG
value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
- name: CLI_STRATEGY
value: "openshift"
script: |
cd /repository/sigstore-e2e
export OIDC_ISSUER_URL=https://$OIDC_HOST/auth/realms/trusted-artifact-signer
openssl s_client -connect $OIDC_HOST:443 > /tmp/ssl.cert
export SSL_CERT_FILE=/tmp/ssl.cert
go mod vendor
make build
go test -v ./test/tuftool
43 changes: 43 additions & 0 deletions stepactions/git-clone-operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: git-clone-operator
spec:
description: >-
This StepAction clones operator repository.
image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:6a4a05d24acecde63d9c7c8c986ad9e5e20da2c2ce30312b328ed771736e7a1f
params:
- name: repository
type: string
description: Volume with resources to be applied.
- name: operator-component
type: string
description: Operator component used (operator, operator-bundle, ...).
- name: git-url
type: string
description: Operator repository url.
- name: git-revision
type: string
description: Operator repository revision.
volumeMounts:
- name: "$(params.repository)"
mountPath: /repository
env:
- name: OPERATOR_COMPONENT
value: "$(params.operator-component)"
- name: GIT_URL
value: "$(params.git-url)"
- name: GIT_REVISION
value: "$(params.git-revision)"
script: |
cd /repository
if [[ "$OPERATOR_COMPONENT" == "rhtas-operator" || "$OPERATOR_COMPONENT" == "rhtas-operator-bundle" ]]; then
echo "Cloning from $GIT_URL"
git clone $GIT_URL source
cd source
git checkout $GIT_REVISION
else
echo "Cloning from default url"
git clone "https://github.com/securesign/secure-sign-operator.git" source
cd source
fi
45 changes: 45 additions & 0 deletions stepactions/install-tas.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: install-tas-from-repository
spec:
description: >-
This StepAction install trusted artifact signer.
image: registry.redhat.io/openshift4/ose-cli
params:
- name: credentials
type: string
description: Name of the volume with credentials.
- name: repository
type: string
description: Volume with resources to be applied.
- name: workdir
type: string
description: Repository home directory.
default: ""
- name: KUBECONFIG
type: string
description: KUBECONFIG path.
- name: clusterName
type: string
description: The name of a ClusterTemplateInstance.
volumeMounts:
- name: "$(params.credentials)"
mountPath: /credentials
- name: "$(params.repository)"
mountPath: /repository
env:
- name: KUBECONFIG
value: "/credentials/$(params.KUBECONFIG)"
- name: WORKDIR
value: "$(params.workdir)"
- name: CLUSTERNAME
value: "$(params.clusterName)"
script: |
cd /repository/$WORKDIR
sed -i 's#https://your-oidc-issuer-url#http://${CLUSTERNAME}/auth/realms/trusted-artifact-signer#' config/samples/rhtas_v1alpha1_securesign.yaml
sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml
oc create ns tas-e2e
oc create -f config/samples/rhtas_v1alpha1_securesign.yaml -n tas-e2e
sleep 1
oc wait --for=condition=Ready securesign/securesign-sample --timeout=9m -n tas-e2e