Skip to content

Commit

Permalink
refactor(RELEASE-1041): move and rename iib pipeline
Browse files Browse the repository at this point in the history 
this PR moves the IIB internal pipeline and tasks
to the release-service-catalog and renames it to
update-fbc-catalog.

also adds a workspace to save files that are
used by the task and tests.

Signed-off-by: Leandro Mendes <[email protected]>
  • Loading branch information
@theflockers
theflockers committed Jan 16, 2025
1 parent 8def2fe commit f8774fa
Show file tree
Hide file tree
Showing 15 changed files with 1,078 additions and 2 deletions.
1 change: 1 addition & 0 deletions internal/resources/update-fbc-catalog-pipeline.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
../../pipelines/internal/update-fbc-catalog/update-fbc-catalog-pipeline.yaml
1 change: 1 addition & 0 deletions internal/resources/update-fbc-catalog-task.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
../../tasks/internal/update-fbc-catalog-task/update-fbc-catalog-task.yaml
16 changes: 16 additions & 0 deletions pipelines/internal/update-fbc-catalog/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# update-fbc-catalog pipeline

Tekton pipeline add/update FBC fragments to the FBC catalog by interacting with IIB service for File Based Catalogs

## Parameters

| Name | Description | Optional | Default value |
|-------------------------|-----------------------------------------------------------------------------|----------|---------------------|
| iibServiceAccountSecret | Secret containing the credentials for IIB service | yes | iib-service-account |
| fbcFragment | FBC fragment built by HACBS | no | - |
| fromIndex | Index image (catalog of catalogs) the FBC fragment will be added to | no | - |
| buildTags | List of additional tags the internal index image copy should be tagged with | yes | '[]' |
| addArches | List of arches the index image should be built for | yes | '[]' |
| hotfix | Whether this build is a hotfix build | yes | false |
| stagedIndex | Whether this build is a staged index build | yes | false |
| buildTimeoutSeconds | IIB Build Service timeout seconds | no | - |
86 changes: 86 additions & 0 deletions pipelines/internal/update-fbc-catalog/update-fbc-catalog-pipeline.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: update-fbc-catalog
labels:
app.kubernetes.io/version: "1.0.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: fbc
spec:
description: >-
Tekton pipeline add/update FBC fragments to the FBC catalog by interacting with IIB service for File Based Catalogs
params:
- name: iibServiceAccountSecret
type: string
description: Secret containing the credentials for IIB service
default: iib-service-account
- name: fbcFragment
type: string
description: FBC fragment built by HACBS
- name: fromIndex
type: string
description: >-
Index image (catalog of catalogs) the FBC fragment will be added to
- name: targetIndex
type: string
description: >-
Target index is the pullspec the FBC catalog will be pushed to
- name: buildTags
type: string
default: '[]'
description: >-
List of additional tags the internal index image copy should be
tagged with
- name: addArches
type: string
default: '[]'
description: List of arches the index image should be built for
- name: hotfix
type: string
default: "false"
description: Whether this build is a hotfix build
- name: stagedIndex
type: string
default: "false"
description: Whether this build is a staged index build
- name: buildTimeoutSeconds
type: string
description: IIB Build Service timeout seconds
tasks:
- name: update-fbc-catalog-task
taskRef:
name: update-fbc-catalog-task
params:
- name: iibServiceAccountSecret
value: $(params.iibServiceAccountSecret)
- name: fbcFragment
value: $(params.fbcFragment)
- name: fromIndex
value: $(params.fromIndex)
- name: targetIndex
value: $(params.targetIndex)
- name: buildTags
value: $(params.buildTags)
- name: addArches
value: $(params.addArches)
- name: hotfix
value: $(params.hotfix)
- name: stagedIndex
value: $(params.stagedIndex)
- name: buildTimeoutSeconds
value: $(params.buildTimeoutSeconds)
results:
- name: jsonBuildInfo
value: $(tasks.update-fbc-catalog-task.results.jsonBuildInfo)
- name: buildState
value: $(tasks.update-fbc-catalog-task.results.buildState)
- name: genericResult
value: $(tasks.update-fbc-catalog-task.results.genericResult)
- name: indexImageDigests
value: $(tasks.update-fbc-catalog-task.results.indexImageDigests)
- name: iibLog
value: $(tasks.update-fbc-catalog-task.results.iibLog)
- name: exitCode
value: $(tasks.update-fbc-catalog-task.results.exitCode)
14 changes: 14 additions & 0 deletions tasks/internal/update-fbc-catalog-task/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# update-fbc-catalog task

Tekton task to submit a IIB build request to add/update a fbc-fragment to an index image

| Name | Description | Optional | Default value |
| ----------------------- | ---------------------------------------------------------------------------- | -------- | ------------- |
| fbcFragment | FBC fragment built by HACBS | No | - |
| fromIndex | Index image (catalog of catalogs) the FBC fragment will be added to | No | - |
| buildTags | List of additional tags the internal index image copy should be tagged with. | No | - |
| addArches | List of arches the index image should be built for. | No | - |
| buildTimeoutSeconds | Timeout seconds to receive the build state | Yes | "300" |
| iibServiceAccountSecret | Secret with IIB credentials to be used | No | - |
| hotfix | Whether this build is a hotfix build | Yes | "false" |
| stagedIndex | Whether this build is for a staged index build | Yes | "false" |
139 changes: 139 additions & 0 deletions tasks/internal/update-fbc-catalog-task/tests/mocks.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
#!/usr/bin/env bash
set -x

# seed for the build status
yq -o json <<< '
items:
- id: 1
distribution_scope: "stage"
fbc_fragment: "registry.io/image0@sha256:0000"
internal_index_image_copy: "registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:1"
index_image_resolved: "registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib@sha256:0000"
logs:
url: "https://fakeiib.host/api/v1/builds/1/logs"
request_type: "fbc-operations"
state: "in_progress"
state_reason: "The request was initiated"
state_history:
- state: "in_progress"
state_reason: "The request was initiated"
user: "iib@kerberos"' > /tmp/build-seed

buildSeed=$(cat /tmp/build-seed)
buildJson=$(jq -cr '.items[0]' <<< "${buildSeed}")

export buildSeed buildJson calls

function mock_build_progress() {

state_reason[1]="Resolving the fbc fragment"
state_reason[2]="Resolving the container images"
state_reason[3]="The FBC fragment was successfully added in the index image"

encoded_script="$2"
calls="$1"
mock_error="$3"

build="$(base64 -d <<< "$encoded_script")"
if [ -n "$mock_error" ]; then
build=$(jq -rc '.state |= "failed"' <<< "$build")
build=$(jq -rc '.state_reason |= "IIB Mocked Error"' <<< "${build}")
jq -rc --argjson progress "{ \"state\": \"failed\", \"state_reason\": \"IIB Mocked Error\" }" '.state_history |= [$progress] + .' <<< "${build}"
exit
fi

if [ "$calls" -gt "${#state_reason[@]}" ]; then
jq -cr . <<< "${build}"
elif [ "$calls" -eq "${#state_reason[@]}" ]; then
build=$(jq -rc '.state |= "complete"' <<< "$build")
build=$(jq -rc '.state_reason |= "The FBC fragment was successfully added in the index image"' <<< "${build}")
jq -rc --argjson progress "{ \"state\": \"complete\", \"state_reason\": \"${state_reason[$calls]}\" }" '.state_history |= [$progress] + .' <<< "${build}"
if [[ "$(context.taskRun.name)" =~ test-update-fbc-catalog-retry-outdated* ]]; then
build=$(jq -rc '.items[0].retry = "outdated"' <<< "${build}")
fi
exit
else
jq -rc --argjson progress "{ \"state\": \"in_progress\", \"state_reason\": \"${state_reason[$calls]}\" }" '.state_history |= [$progress] + .' <<< "${build}"
fi
}

function curl() {
params="$*"

if [[ "$params" =~ "--negotiate -u: https://pyxis.engineering.redhat.com/v1/repositories/registry/quay.io/repository/repo/image -o"* ]]; then
tempfile="$5"
echo -e '{ "fbc_opt_in": true }' > "$tempfile"

elif [[ "$params" =~ "-s https://fakeiib.host/builds?user=iib@kerberos&from_index=quay.io/scoheb/fbc-index-testing:"* ]]; then
if [[ "$(context.taskRun.name)" =~ "test-update-fbc-catalog-retry-in-progress"* ]]; then
echo -en "${buildSeed}"
elif [[ "$(context.taskRun.name)" =~ test-update-fbc-catalog-retry* ]]; then
build=$(jq -rc '.items[0].state = "complete"' <<< "$buildSeed")
build=$(jq -rc '.items[0].state_reason = "The FBC fragment was successfully added in the index image"' <<< "${build}")

if [[ "$(context.taskRun.name)" =~ test-update-fbc-catalog-retry-outdated* ]]; then
build=$(jq -rc '.items[0].retry = "outdated"' <<< "${build}")
fi
fi

elif [[ "$params" == "-s https://fakeiib.host/builds/1" ]]; then
echo "$*" >> mock_build_progress_calls
if [[ "$(context.taskRun.name)" =~ "test-update-fbc-catalog-error"* ]]; then
mock_error="true"
fi

mock_build_progress "$(awk 'END{ print NR }' mock_build_progress_calls)" "$(base64 <<< "${buildJson}")" "$mock_error" | tee build_json
export -n buildJson
buildJson=$(cat build_json)
export buildJson

elif [[ "$params" == "-s https://fakeiib.host/api/v1/builds/1/logs" ]]; then
echo "Logs are for weaks"

elif [[ "$params" =~ "-u : --negotiate -s -X POST -H Content-Type: application/json -d@".*" --insecure https://fakeiib.host/builds/fbc-operations" ]]; then
echo -en "${buildJson}" | jq -cr

else
echo ""

fi
}

function opm() {
echo '{ "schema": "olm.bundle", "image": "quay.io/repo/image@sha256:abcd1234"}'
}

function base64() {
echo "decrypted-keytab"
}

function kinit() {
echo "Ok"
}

function skopeo() {
today="$(date --iso-8601="seconds")"
yesterday="$(date --date="yesterday" --iso-8601="seconds")"
tomorrow="$(date --date="tomorrow" --iso-8601="seconds")"

shift
if [[ "$*" == "--raw docker://registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:1" ]]; then
echo '{"manifests": [ { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "digest": "sha256:000" }]}'
fi

if [[ "$*" == "--config docker://registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib@sha256:0000" ]]; then
echo '{"created": "'"${today}"'"}'
fi

if [[ "$*" == "--config docker://quay.io/fbc/catalog:complete" ]]; then
echo '{"created": "'"${yesterday}"'"}'
fi

if [[ "$*" == "--config docker://quay.io/fbc/catalog:outdated" ]]; then
echo '{"created": "'"${tomorrow}"'"}'
fi
}

# the watch_build_state can't reach some mocks by default, so exporting them fixes it.
export -f curl
export -f mock_build_progress
24 changes: 24 additions & 0 deletions tasks/internal/update-fbc-catalog-task/tests/pre-apply-task-hook.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
#!/usr/bin/env bash
#
# Install the CRDs so we can create/get them
.github/scripts/install_crds.sh

# Add RBAC so that the SA executing the tests can retrieve CRs
kubectl apply -f .github/resources/crd_rbac.yaml

# create required secrets
kubectl create secret generic iib-service-account-secret \
--from-literal=principal="iib@kerberos" \
--from-literal=keytab="something"
kubectl create secret generic iib-services-config \
--from-literal=krb5.conf="" \
--from-literal=url="https://fakeiib.host"

kubectl create secret generic iib-overwrite-fromimage-credentials \
--from-literal=username="bot+user" \
--from-literal=token="token"
# Add mocks to the beginning of task step script
TASK_PATH="$1"
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
yq -i '.spec.steps[0].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH"
yq -i '.spec.steps[1].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[1].script' "$TASK_PATH"
98 changes: 98 additions & 0 deletions tasks/internal/update-fbc-catalog-task/tests/test-update-fbc-catalog-error.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-update-fbc-catalog-error
spec:
description: Tests a production FBC release, but with a failure scenario due to an error returned by IIB
tasks:
- name: run-task
taskRef:
name: update-fbc-catalog-task
params:
- name: fbcFragment
value: "registry.io/image0@sha256:0000"
- name: fromIndex
value: "quay.io/scoheb/fbc-index-testing:error"
- name: targetIndex
value: "quay.io/fbc/catalog:test"
- name: buildTags
value: "[]"
- name: addArches
value: "[]"
- name: iibServiceAccountSecret
value: "iib-service-account-secret"
- name: check-result
params:
- name: jsonBuildInfo
value: $(tasks.run-task.results.jsonBuildInfo)
- name: buildState
value: $(tasks.run-task.results.buildState)
- name: genericResult
value: $(tasks.run-task.results.genericResult)
- name: indexImageDigests
value: $(tasks.run-task.results.indexImageDigests)
- name: iibLog
value: $(tasks.run-task.results.iibLog)
- name: exitCode
value: $(tasks.run-task.results.exitCode)
taskSpec:
params:
- name: jsonBuildInfo
type: string
- name: buildState
type: string
- name: genericResult
type: string
- name: indexImageDigests
type: string
- name: iibLog
type: string
- name: exitCode
type: string
steps:
- name: check-result
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/bin/bash
set -x
# the jsonBuild mockes has 10 keys on it
keyLength=$(jq '. | length' <<< '$(params.jsonBuildInfo)')
if [ "$keyLength" -ne 10 ]; then
echo "The task did not save a valid json in jsonBuildInfo result"
exit 1
fi
# shellcheck disable=SC2046 # (warning): Quote this to prevent word splitting
# reason: wrapping the tekton parameters in the following line with double quotes is adding unwanted
# quotes to the contained json, breaking jq.
state="$(jq -cr '.state' <<< $(params.buildState))"
if [ "$state" != "failed" ]; then
echo "The task did not save a completed IIB build in buildState result"
exit 1
fi
# shellcheck disable=SC2046 # (warning): Quote this to prevent word splitting
# reason: wrapping the tekton parameters in the following line with double quotes is adding unwanted
# quotes to the contained json, breaking jq.
genericResult=$(jq -r \
'. |[.fbc_opt_in, .overwrite_fromindex_image, .publish_index_image,.sign_index_image] |@csv' \
<<< $(params.genericResult))
if [ "$genericResult" != '"true","true","true","true"' ]; then
echo "The stask did not save the correct values in genericResult result"
exit 1
fi
iibLog=$(awk '{match($0, /https.*/); print(substr($0, RSTART)) }' <<< "$(params.iibLog)")
if [ "$iibLog" != "https://fakeiib.host/api/v1/builds/1/logs" ]; then
echo "The task did not save a valid iib log url in the iibLog result"
exit 1
fi
if [ "$(params.exitCode)" != "1" ]; then
echo "The task did not finish with a fail exit code"
exit 1
fi
runAfter:
- run-task
Loading

0 comments on commit f8774fa

Please sign in to comment.