feat: krw test for rh-push-to-external-registry

scoheb · scoheb · commit 0275776bc1b7 · 2025-07-15T12:54:23.000-04:00
- add new test for rh-push-to-external-registry pipeline
- add new script that gets a result from a task run in a
  pipelinerun
- add check for imageIds that were created.

Signed-off-by: Scott Hebert &lt;scoheb@gmail.com&gt;
diff --git a/integration-tests/rh-push-to-external-registry/README.md b/integration-tests/rh-push-to-external-registry/README.md
@@ -0,0 +1,78 @@
+# rh-push-to-external-registry test
+## Setup
+### Dependencies
+* GitHub repo: https://github.com/scoheb/e2e-base
+* GitHub personal access token (classic) for above repo with **admin:repo_hook**, **delete_repo**, **repo** scopes.
+* The password to the vault files. (Contact a member of the Release team should you want to run this
+  test suite.)
+* Access to the target cluster and tenant and managed namespaces
+  * This test uses stg-rh01 and the dev-release-team-tenant and managed-release-team-tenant namespaces.
+### Required Environment Variables
+- GITHUB_TOKEN
+  - The GitHub personal access token needed for repo operations
+  - The repo in question can be located in [test.env](test.env)
+- VAULT_PASSWORD_FILE
+  - This is the path to a file that contains the ansible vault
+    password needed to decrypt the secrets needed for testing.
+- RELEASE_CATALOG_GIT_URL
+  - The release service catalog URL to use in the RPA
+  - This is provided when testing PRs
+- RELEASE_CATALOG_GIT_REVISION
+  - The release service catalog revision to use in the RPA
+  - This is provided when testing PRs
+### Optional Environment Variables
+- KUBECONFIG
+  - The KUBECONFIG file to used to login to the target cluster
+  - This is provided when testing PRs
+### Test Properties
+#### [test.env](test.env)
+- This file contains resource names and configuration values needed for testing.
+- Since this test requires internal services, the tenant and managed namespaces
+  should remain as-is.
+### Test Functions
+#### [lib/test-functions.sh](../lib/test-functions.sh)
+- This file contains re-usable functions for tests
+### Secrets
+- Secrets needed for testing are stored in ansible vault files.
+  - [vault/collector-managed-secrets.yaml](vault/collector-managed-secrets.yaml)
+  - [vault/collector-tenant-secrets.yaml](vault/collector-tenant-secrets.yaml)
+- Most secrets required are contained in the files above.
+- Some tests have their secret name hardcoded and therefore must exist prior to running this test:
+  - konflux-advisory-jira-secret
+### Running the test
+
+The test has 2 modes:
+* With a CVE included and involved. (default mode)
+
+```shell
+run-test.sh
+```
+
+* Without a CVE involved.
+
+```shell
+run-test.sh --no-cve
+```
+
+### Debugging
+
+There is a `--skip-cleanup` option to the script in the event that you want to examine the resources
+after a test has ended.
+
+### Maintenance
+- Should you require to add or update a secret, follow these steps:
+```shell
+ansible-vault decrypt vault/tenant-secrets.yaml --output "/tmp/tenant-secrets.yaml" --vault-password-file <vault password file>
+```
+
+```shell
+vi /tmp/tenant-secrets.yaml
+```
+
+```shell
+ansible-vault encrypt /tmp/tenant-secrets.yaml --output "vault/tenant-secrets.yaml" --vault-password-file <vault password file>
+```
+
+```shell
+rm /tmp/tenant-secrets.yaml
+```
diff --git a/integration-tests/rh-push-to-external-registry/resources/managed/ec-policy.yaml b/integration-tests/rh-push-to-external-registry/resources/managed/ec-policy.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: EnterpriseContractPolicy
+metadata:
+  name: standard-${component_name}
+  labels:
+    originating-tool: "${originating_tool}"
+spec:
+  description: >-
+    Includes rules for levels 1, 2 & 3 of SLSA v0.1.
+  publicKey: "k8s://openshift-pipelines/public-key"
+  sources:
+    - name: Release Policies
+      data:
+        - github.com/release-engineering/rhtap-ec-policy//data
+        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+      policy:
+        - oci::quay.io/enterprise-contract/ec-release-policy:konflux
+      volatileConfig:
+        exclude:
+          - value: cve.cve_blockers
+            effectiveUntil: "2025-02-01T00:00:00Z"
+      config:
+        exclude: []
+        include:
+          - '@minimal'
+          - '@slsa3'
diff --git a/integration-tests/rh-push-to-external-registry/resources/managed/kustomization.yaml b/integration-tests/rh-push-to-external-registry/resources/managed/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+
+namespace: ${managed_namespace}
+resources:
+  - sa.yaml
+  - sa-rolebinding.yaml
+  - rpa.yaml
+  - ec-policy.yaml
+  - secrets/managed-secrets.yaml
diff --git a/integration-tests/rh-push-to-external-registry/resources/managed/rpa.yaml b/integration-tests/rh-push-to-external-registry/resources/managed/rpa.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: ReleasePlanAdmission
+metadata:
+  name: ${release_plan_admission_name}
+  labels:
+    originating-tool: "${originating_tool}"
+spec:
+  applications:
+    - ${application_name}
+  data:
+    pyxis:
+      server: stage
+      secret: pyxis-${component_name}
+    mapping:
+      defaults:
+        tags:
+          - latest
+        pushSourceContainer: false
+      components:
+        - name: ${component_name}
+          repository: quay.io/redhat-pending/rhtap----rh-advisories-component
+  origin: ${tenant_namespace}
+  pipeline:
+    pipelineRef:
+      params:
+        - name: url
+          value: "${RELEASE_CATALOG_GIT_URL}"
+        - name: revision
+          value: "${RELEASE_CATALOG_GIT_REVISION}"
+        - name: pathInRepo
+          value: pipelines/managed/rh-push-to-external-registry/rh-push-to-external-registry.yaml
+      resolver: git
+    serviceAccountName: ${managed_sa_name}
+    timeouts:
+      pipeline: 4h0m0s
+      tasks: 4h0m0s
+  policy: standard-${component_name}
diff --git a/integration-tests/rh-push-to-external-registry/resources/managed/sa-rolebinding.yaml b/integration-tests/rh-push-to-external-registry/resources/managed/sa-rolebinding.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: managed-release-pipeline-resource-role-binding-for-${managed_sa_name}
+  labels:
+    originating-tool: "${originating_tool}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: release-pipeline-resource-role
+subjects:
+  - kind: ServiceAccount
+    name: ${managed_sa_name}
+    namespace: ${managed_namespace}
diff --git a/integration-tests/rh-push-to-external-registry/resources/managed/sa.yaml b/integration-tests/rh-push-to-external-registry/resources/managed/sa.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${managed_sa_name}
+  labels:
+    originating-tool: "${originating_tool}"
+secrets:
+  - name: konflux-ci-konflux-release-trusted-artifacts-pull-secret-${component_name}
+  - name: push-${component_name}
+  - name: pyxis-${component_name}
+imagePullSecrets:
+  - name: push-${component_name}
+  - name: konflux-ci-konflux-release-trusted-artifacts-pull-secret-${component_name}
diff --git a/integration-tests/rh-push-to-external-registry/resources/tenant/application.yaml b/integration-tests/rh-push-to-external-registry/resources/tenant/application.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Application
+metadata:
+  name: ${application_name}
+  labels:
+    originating-tool: "${originating_tool}"
+spec:
+  displayName: ${application_name}
diff --git a/integration-tests/rh-push-to-external-registry/resources/tenant/component.yaml b/integration-tests/rh-push-to-external-registry/resources/tenant/component.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Component
+metadata:
+  annotations:
+    git-provider: github
+    build.appstudio.openshift.io/request: configure-pac
+    image.redhat.com/generate: '{"visibility": "public"}'
+    build.appstudio.openshift.io/pipeline: '{"name": "docker-build-multi-platform-oci-ta", "bundle": "latest"}'
+  name: ${component_name}
+  labels:
+    originating-tool: "${originating_tool}"
+spec:
+  application: ${application_name}
+  componentName: ${component_name}
+  secret: pipelines-as-code-secret-${component_name}
+  source:
+    git:
+      dockerfileUrl: Dockerfile
+      revision: ${component_branch}
+      url: "${component_git_url}"
diff --git a/integration-tests/rh-push-to-external-registry/resources/tenant/kustomization.yaml b/integration-tests/rh-push-to-external-registry/resources/tenant/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ${tenant_namespace}
+resources:
+  - application.yaml
+  - component.yaml
+  - sa-rolebinding.yaml
+  - rp.yaml
+  - secrets/tenant-secrets.yaml
diff --git a/integration-tests/rh-push-to-external-registry/resources/tenant/rp.yaml b/integration-tests/rh-push-to-external-registry/resources/tenant/rp.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: ReleasePlan
+metadata:
+  labels:
+    release.appstudio.openshift.io/auto-release: 'true'
+    release.appstudio.openshift.io/standing-attribution: 'true'
+    release.appstudio.openshift.io/releasePlanAdmission: "${release_plan_admission_name}"
+    originating-tool: "${originating_tool}"
+  name: ${release_plan_name}
+spec:
+  application: ${application_name}
+  target: ${managed_namespace}
diff --git a/integration-tests/rh-push-to-external-registry/resources/tenant/sa-rolebinding.yaml b/integration-tests/rh-push-to-external-registry/resources/tenant/sa-rolebinding.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: release-pipeline-resource-role-binding-for-${component_name}
+  namespace: ${tenant_namespace}
+  labels:
+    originating-tool: "${originating_tool}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: release-pipeline-resource-role
+subjects:
+  - kind: ServiceAccount
+    name: ${managed_sa_name}
+    namespace: ${managed_namespace}
diff --git a/integration-tests/rh-push-to-external-registry/test.env b/integration-tests/rh-push-to-external-registry/test.env
@@ -0,0 +1,28 @@
+uuid=$(openssl rand -hex 4)
+
+export originating_tool="rh-push-to-external-registry-e2e-test"
+
+# Namespaces
+export tenant_namespace=dev-release-team-tenant
+#
+## Since this is a test that requires internal services,
+## this name should not change.
+#
+export managed_namespace=managed-release-team-tenant
+
+export application_name=e2eapp-${uuid}
+export component_type=rh-push-to-external-registry
+export component_name=${component_type}-${uuid}
+export component_branch=${component_name}
+## do not change this. it is a known branch created by Konflux
+export appstudio_component_branch="appstudio-${component_name}"
+
+export component_base_branch=rh-push-to-external-registry-base
+export component_repo_name=scoheb/e2e-base #konflux-ci/release-service-catalog-e2e-base
+export component_git_url=https://github.com/$component_repo_name
+
+export tenant_sa_name=rh-push-to-external-registry-sa-${uuid}
+export release_plan_name=rh-push-to-external-registry-rp-${uuid}
+
+export managed_sa_name=rh-push-to-external-registry-sa-${uuid}
+export release_plan_admission_name=rh-push-to-external-registry-rpa-${uuid}
diff --git a/integration-tests/rh-push-to-external-registry/test.sh b/integration-tests/rh-push-to-external-registry/test.sh
@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+#
+# --- Global Script Variables (Defaults) ---
+CLEANUP="true"
+NO_CVE="true" # Default to false
+
+# Function to verify Release contents
+# Relies on global variables: RELEASE_NAME, RELEASE_NAMESPACE, SUITE_DIR, managed_namespace
+verify_release_contents() {
+    echo "Verifying Release contents for ${RELEASE_NAME} in namespace ${RELEASE_NAMESPACE}..."
+    local release_json
+    release_json=$(kubectl get release/"${RELEASE_NAME}" -n "${RELEASE_NAMESPACE}" -ojson)
+    if [ -z "$release_json" ]; then
+        log_error "Could not retrieve Release JSON for ${RELEASE_NAME}"
+    fi
+
+    # get the oci artifact for the create-pyxis image so that we can get all the imageIds
+    # created
+    local pyxis_url="https://pyxis.preprod.api.redhat.com/"
+    local managed_plr=$(jq -r '.status.managedProcessing?.pipelineRun' <<< "${release_json}")
+    local managed_plr_name=$(cut -f2 -d/ <<< "${managed_plr}")
+
+    local uri=$("${SCRIPT_DIR}/scripts/get-taskrun-result.sh" "${managed_plr_name}" "create-pyxis-image" \
+        "sourceDataArtifact" "${managed_namespace}")
+    local oci_artifact="${uri#*:}" # Assuming the URI might have a scheme like "oci:"
+    echo "oci_artifact: ${oci_artifact}"
+
+    local oci_artifact_dir=$(mktemp -d -p "$(pwd)")
+    oras blob fetch "${oci_artifact}" --output - | tar -C "${oci_artifact_dir}" --no-overwrite-dir -zxmf -
+    echo "Restored artifact ${ociArtifact} to ${oci_artifact_dir}"
+
+    local failures=0
+    local image_url image_arch
+
+    image_url=$(jq -r '.status.artifacts.images[0]?.urls[0] // ""' <<< "${release_json}")
+    image_arch=$(jq -r '.status.artifacts.images[0]?.arches[0] // ""' <<< "${release_json}")
+
+    echo "Checking Image URL..."
+    if [ -n "${image_url}" ]; then
+        echo "✅️ image_url: ${image_url}"
+    else
+        echo "🔴 image_url was empty"
+        failures=$((failures+1))
+    fi
+    echo "Checking Image Arch..."
+    if [ -n "${image_arch}" ]; then
+        echo "✅️ image_arch: ${image_arch}"
+    else
+        echo "🔴 image_arch was empty"
+        failures=$((failures+1))
+    fi
+
+    echo "Checking Image IDs..."
+    pyxisDataFile=$(find ${oci_artifact_dir} -name "pyxis.json")
+    imageIds=$(jq -r '[.components[].pyxisImages[].imageId] | join(" ")' "${pyxisDataFile}")
+    imageIdsFound=false
+
+    # prepare pyxis credentials
+    cert_secret_encoded_value=$(yq '. | select(.metadata.name | contains("pyxis-")) | .data.cert' ${SUITE_DIR}/resources/managed/secrets/managed-secrets.yaml)
+    key_secret_encoded_value=$(yq '. | select(.metadata.name | contains("pyxis-")) | .data.key' ${SUITE_DIR}/resources/managed/secrets/managed-secrets.yaml)
+    cert_secret_value=$(base64 -d <<< "${cert_secret_encoded_value}" > /tmp/cert)
+    key_secret_value=$(base64 -d <<< "${key_secret_encoded_value}" > /tmp/key)
+
+    for imageId in ${imageIds}; do
+        result_image_json="$(curl --cert /tmp/cert --key /tmp/key ${pyxis_url}v1/images/id/${imageId})"
+        result_image_id=$(jq -r '._id' <<< "${result_image_json}")
+        if [ "${result_image_id}" == "${imageId}" ]; then
+            echo "✅️ Found imageId: ${result_image_id} in pyxis"
+        else
+            echo "🔴 imageId: ${result_image_id} did not match expected imageId: ${imageId}"
+            failures=$((failures+1))
+        fi
+        imageIdsFound=true
+    done
+
+    if [ "${imageIdsFound}" = false ]; then
+        echo "🔴 imageIdsFound was false. No imageIds were found."
+        failures=$((failures+1))
+    fi
+
+    if [ "${failures}" -gt 0 ]; then
+      echo "🔴 Test has FAILED with ${failures} failure(s)!"
+      exit 1
+    else
+      echo "✅️ All release checks passed. Success!"
+    fi
+}
diff --git a/integration-tests/rh-push-to-external-registry/vault/managed-secrets.yaml b/integration-tests/rh-push-to-external-registry/vault/managed-secrets.yaml
diff --git a/integration-tests/rh-push-to-external-registry/vault/tenant-secrets.yaml b/integration-tests/rh-push-to-external-registry/vault/tenant-secrets.yaml
diff --git a/integration-tests/scripts/add-file-to-branch.sh b/integration-tests/scripts/add-file-to-branch.sh
diff --git a/integration-tests/scripts/get-taskrun-result.sh b/integration-tests/scripts/get-taskrun-result.sh
