-
Notifications
You must be signed in to change notification settings - Fork 133
Expand file tree
/
Copy pathtest-create-advisory-disk-image-secrets.yaml
More file actions
301 lines (289 loc) · 10.7 KB
/
Copy pathtest-create-advisory-disk-image-secrets.yaml
File metadata and controls
301 lines (289 loc) · 10.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-create-advisory-disk-image-secrets
spec:
description: |
Verify that for disk-image content types the task uses staging secrets when
intention is 'staging'.
params:
- name: ociStorage
description: The OCI repository where the Trusted Artifacts are stored.
type: string
- name: ociArtifactExpiresAfter
description: Expiration date for the trusted artifacts created in the
OCI repository. An empty string means the artifacts do not expire.
type: string
default: "1d"
- name: orasOptions
description: oras options to pass to Trusted Artifacts calls
type: string
default: "--insecure"
- name: trustedArtifactsDebug
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
type: string
default: ""
- name: dataDir
description: The location where data will be stored
type: string
tasks:
- name: setup
taskSpec:
results:
- name: sourceDataArtifact
type: string
- name: checksum_map
type: string
volumes:
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /var/workdir
name: workdir
env:
- name: IMAGE_EXPIRES_AFTER
value: $(params.ociArtifactExpiresAfter)
- name: "ORAS_OPTIONS"
value: "$(params.orasOptions)"
- name: "DEBUG"
value: "$(params.trustedArtifactsDebug)"
securityContext:
runAsUser: 1001
steps:
- name: create-crs
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
script: |
#!/usr/bin/env bash
set -eux
mkdir -p "$(params.dataDir)/$(context.pipelineRun.uid)/results"
cat > "$(params.dataDir)/$(context.pipelineRun.uid)/test_release_plan_admission.json" << 'EOF'
{
"apiVersion": "appstudio.redhat.com/v1alpha1",
"kind": "ReleasePlanAdmission",
"metadata": {
"name": "test",
"namespace": "default"
},
"spec": {
"applications": ["rhel-ai-app"],
"policy": "policy",
"pipeline": {
"pipelineRef": {
"resolver": "git",
"params": [
{
"name": "url",
"value": "github.com"
},
{
"name": "revision",
"value": "main"
},
{
"name": "pathInRepo",
"value": "pipeline.yaml"
}
]
}
},
"serviceAccountName": "sa"
},
"origin": "rhel-ai-tenant"
}
EOF
cat > "$(params.dataDir)/$(context.pipelineRun.uid)/test_snapshot_spec.json" << 'EOF'
{
"application": "rhel-ai-app",
"components": [
{
"name": "intel-bootc-iso-disk-image-1-5",
"repository": "quay.io/redhat-prod/rhel-ai----disk-image",
"staged": {
"files": [
{
"filename": "rhel-ai-intel-1.5.1-1749643937-x86_64.iso.gz",
"source": "install.iso.gz"
}
]
}
}
]
}
EOF
cat > "$(params.dataDir)/$(context.pipelineRun.uid)/data.json" << 'EOF'
{
"mapping": {
"components": [
{
"name": "intel-bootc-iso-disk-image-1-5",
"staged": {
"destination": "rhelai-1_DOT_5-for-rhel-9-x86_64-isos",
"version": "1.5.1",
"files": [
{
"filename": "rhel-ai-intel-1.5.1-1749643937-x86_64.iso.gz",
"source": "install.iso.gz"
}
]
},
"contentGateway": {
"contentType": "disk-image",
"productName": "Binary_RL_Red Hat Enterprise Linux AI",
"productCode": "RHELAI",
"productVersionName": "1.5.1",
"filePrefix": "rhel-ai-intel-1.5.1"
}
}
]
},
"releaseNotes": {
"content": {
"artifacts": [
{
"architecture": "x86_64",
"component": "intel-bootc-iso-disk-image-1-5",
"os": "linux",
"purl": "placeholder"
}
]
}
},
"sign": {
"configMapName": "cm"
},
"intention": "staging"
}
EOF
# Create checksum_map mock data file (will be read by oras mock)
jq -nc '[
{
"component": "intel-bootc-iso-disk-image-1-5",
"files": {
"rhel-ai-intel-1.5.1-1749643937-x86_64.iso.gz": "sha256:dummychecksum123456"
}
}
]' > "$(params.dataDir)/mock_checksum_map.json"
# Output mock OCI reference (oras mock will use the file above)
echo -n "mock-registry/checksum-map@sha256:mock" | tee "$(results.checksum_map.path)"
- name: create-trusted-artifact
ref:
name: create-trusted-artifact
params:
- name: ociStorage
value: $(params.ociStorage)
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(results.sourceDataArtifact.path)
- name: run-task
taskRef:
name: create-advisory
params:
- name: releasePlanAdmissionPath
value: "$(context.pipelineRun.uid)/test_release_plan_admission.json"
- name: snapshotPath
value: "$(context.pipelineRun.uid)/test_snapshot_spec.json"
- name: dataPath
value: "$(context.pipelineRun.uid)/data.json"
- name: environment
value: stage
- name: resultsDirPath
value: "$(context.pipelineRun.uid)/results"
- name: synchronously
value: "false"
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
- name: ociStorage
value: $(params.ociStorage)
- name: orasOptions
value: $(params.orasOptions)
- name: sourceDataArtifact
value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)/$(context.pipelineRun.uid)"
- name: dataDir
value: $(params.dataDir)
- name: trustedArtifactsDebug
value: $(params.trustedArtifactsDebug)
- name: taskGitUrl
value: "http://localhost"
- name: taskGitRevision
value: "main"
- name: checksum_map
value: "$(tasks.setup.results.checksum_map)"
runAfter:
- setup
- name: check-result
params:
- name: sourceDataArtifact
value: "$(tasks.run-task.results.sourceDataArtifact)=$(params.dataDir)"
- name: dataDir
value: "$(params.dataDir)"
runAfter:
- run-task
taskSpec:
params:
- name: sourceDataArtifact
type: string
- name: dataDir
type: string
volumes:
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /var/workdir
name: workdir
env:
- name: IMAGE_EXPIRES_AFTER
value: $(params.ociArtifactExpiresAfter)
- name: "ORAS_OPTIONS"
value: "$(params.orasOptions)"
- name: "DEBUG"
value: "$(params.trustedArtifactsDebug)"
securityContext:
runAsUser: 1001
steps:
- name: use-trusted-artifact
ref:
name: use-trusted-artifact
params:
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(params.sourceDataArtifact)
- name: check-result
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
script: |
#!/usr/bin/env bash
set -ex
# Count the number of InternalRequests
requestsCount=$(kubectl get InternalRequest -o json | jq -r '.items | length')
if [ "$requestsCount" -ne 1 ]; then
echo "Unexpected number of InternalRequests. Expected: 1, Found: $requestsCount"
exit 1
fi
internalRequest=$(kubectl get InternalRequest -o json | jq -r '.items[0]')
# For disk-image content types with intention=staging, expect standard staging secrets
advisory_secret_name=$(echo "$internalRequest" | jq -r '.spec.params.advisory_secret_name')
if [ "$advisory_secret_name" != "create-advisory-stage-secret" ]; then
echo "InternalRequest has the wrong advisory_secret_name parameter"
echo "$internalRequest" | jq
exit 1
fi
errata_secret_name=$(echo "$internalRequest" | jq -r '.spec.params.errata_secret_name')
if [ "$errata_secret_name" != "errata-stage-service-account" ]; then
echo "InternalRequest has the wrong errata_secret_name parameter"
echo "$internalRequest" | jq
exit 1
fi
finally:
- name: cleanup
taskSpec:
steps:
- name: delete-crs
image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3
script: |
#!/usr/bin/env bash
set -eux
kubectl delete internalrequests --all