Commit 395eab7

feat(RELEASE-2364): add e2e for Helm chart pipeline
- Adds end-to-end test suite for rh-push-helm-chart pipeline
- Uses a custom build pipeline bundle since the pipeline is not yet in build-pipeline-config.

Known issues
- Build pipeline portion still not in build-definitions. Until it is, we bundle ourselves and push to swickers quay org. Jira filed to update when build-definitions is created.

Assisted-by: Cursor AI
Signed-off-by: Scott Wickersham <swickers@redhat.com>
1 parent a6d8776 commit 395eab7

21 files changed

Lines changed: 1165 additions & 4 deletions

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
**/secrets
22
.idea
33
.serena
4+
.vault_pass
45

56
# Local testing artifacts
67
venv/

integration-tests/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ The following integration test suites are available:
99
- **[collectors](collectors/)** - Tests for advisory data collection and processing
1010
- **[fbc-release](fbc-release/)** - Tests for File-Based Catalog (FBC) release pipeline
1111
- **[push-to-addons-registry](push-to-addons-registry/)** - Tests for pushing to addon registries
12+
- **[rh-push-helm-chart-to-registry-redhat-io](rh-push-helm-chart-to-registry-redhat-io/)** - Tests for Helm OCI chart release pipeline
1213
- **[rh-push-to-external-registry](rh-push-to-external-registry/)** - Tests for pushing to external registries
1314
- **[release-to-github](release-to-github/)** - Tests for GitHub release pipeline
1415
- **[rhtap-service-push](rhtap-service-push/)** - Tests for RHTAP service push pipeline

integration-tests/lib/test-functions.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -655,7 +655,7 @@ cleanup_old_resources() {
655655

656656
echo "🔍 Searching for resources with originating-tool=${originating_tool}"
657657

658-
local kinds="enterprisecontractpolicy rp rpa rolebinding sa clusterrole secret application component"
658+
local kinds="enterprisecontractpolicy rp rpa rolebinding sa clusterrole secret application component imagerepository"
659659
for kind in $kinds; do
660660
local namespaces="dev-release-team-tenant managed-release-team-tenant"
661661
for namespace in $namespaces; do
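Review bot: Adding imagerepository to kinds at line 658 only cleans anything up if the ImageRepository CR this test creates carries the originating-tool label that the search at line 656 selects on. That manifest is not visible in this view, so please confirm it has the same originating-tool: "${originating_tool}" label as ec-policy.yaml and rpa.yaml; otherwise each run would leave its ImageRepository behind.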
Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
# rh-push-helm-chart-to-registry-redhat-io e2e test
2+
3+
End-to-end test for the [`rh-push-helm-chart-to-registry-redhat-io`](../../pipelines/managed/rh-push-helm-chart-to-registry-redhat-io/README.md) release pipeline.
4+
5+
## How it works
6+
7+
1. A Helm chart source repo is cloned from `hacbs-release-tests/e2e-base` branch `rh-push-helm-chart-to-registry-redhat-io-base`.
8+
2. Konflux builds the chart using a custom Helm OCI build pipeline (bundled separately).
9+
3. The release pipeline validates the Helm chart snapshot, pushes to the staging registry, creates Pyxis entries, and signs.
10+
4. `test.sh` verifies the release artifacts are accessible via skopeo.
11+
12+
## Build pipeline bundle (temporary)
13+
14+
Since `build-helm-chart-oci-ta` is not yet in the cluster `build-pipeline-config`, we use a custom
15+
pipeline bundle. **This is temporary** — once the build team publishes an official
16+
`build-helm-chart-oci-ta` pipeline, this bundle and the custom annotation in `component.yaml`
17+
should be removed in favour of the cluster-provided pipeline.
18+
19+
The pipeline YAML is at [`resources/build/helm-chart-build-pipeline.yaml`](resources/build/helm-chart-build-pipeline.yaml).
20+
21+
To push or update the bundle:
22+
23+
```bash
24+
tkn bundle push quay.io/swickers/pipeline-build-helm-chart-oci-ta:latest \
25+
-f integration-tests/rh-push-helm-chart-to-registry-redhat-io/resources/build/helm-chart-build-pipeline.yaml
26+
```
27+
28+
The component annotation in [`resources/tenant/component.yaml`](resources/tenant/component.yaml) references this bundle directly.
29+
30+
## Component naming and parallel runs
31+
32+
The Kubernetes Component name is UUID-suffixed (`caching-helm-test-rhel9-<uuid>`)
33+
like other e2e tests, allowing parallel runs. However, the OCI image **basename**
34+
must remain `caching-helm-test-rhel9` because:
35+
36+
- `validate-helm-chart-snapshot` checks that the OCI `org.opencontainers.image.title` matches the delivery repo basename
37+
- `publish-pyxis-repository` requires the delivery repo to already exist in Pyxis stage
38+
- The Pyxis repo (`dev-release-team-tenant/caching-helm-test-rhel9`) is defined in `pyxis-repo-configs/products/test-helm/caching-helm-test.yaml`
39+
40+
To decouple the K8s name from the image basename, the test uses two mechanisms:
41+
42+
1. **Explicit `spec.containerImage`** on the Component, with a path whose
43+
basename is always `caching-helm-test-rhel9`.
44+
2. **An `ImageRepository` CR** that tells the Konflux image controller to
45+
create the quay repo at the exact path we specify and generate push
46+
credentials for the build SA — without overriding `containerImage`.
47+
48+
Each parallel run creates its own quay repo (keyed by the UUID application
49+
name) with the same fixed basename. The build task derives the OCI title
50+
from this basename, not from the Component CR name.
51+
52+
53+
## Prerequisites
54+
55+
- `hacbs-release-tests/e2e-base` branch `rh-push-helm-chart-to-registry-redhat-io-base` must exist with Helm chart source
56+
- The build pipeline bundle must be pushed to `quay.io/swickers/pipeline-build-helm-chart-oci-ta:latest`
57+
- Pyxis repo `dev-release-team-tenant/caching-helm-test-rhel9` must exist in Pyxis stage
58+
- Standard e2e secrets: `GITHUB_TOKEN`, `VAULT_PASSWORD_FILE`, `RELEASE_CATALOG_GIT_URL`, `RELEASE_CATALOG_GIT_REVISION`
59+
- Cluster access to staging (`dev-release-team-tenant` / `managed-release-team-tenant`)
60+
61+
## Running
62+
63+
```bash
64+
cd integration-tests
65+
./run-test.sh rh-push-helm-chart-to-registry-redhat-io
66+
```
67+
68+
Use `--skip-cleanup` to keep resources for debugging.
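Review bot: The push command at line 24 and the prerequisite at line 56 point the build at quay.io/swickers/pipeline-build-helm-chart-oci-ta:latest, a mutable tag in a personal quay org, while every task bundle inside the pipeline YAML is pinned by sha256 digest. Anyone with push access to that org can change what the e2e build executes without a commit here. Suggest referencing the bundle by digest in the component annotation, recording that digest next to the tkn bundle push command, and linking the Jira that tracks removal so the temporary section has an owner.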
Lines changed: 179 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,179 @@
1+
---
2+
# TEMPORARY: This pipeline is bundled and referenced from component.yaml until the
3+
# build team publishes an official build-helm-chart-oci-ta pipeline. Remove this
4+
# file once the cluster build-pipeline-config includes helm chart OCI support.
5+
apiVersion: tekton.dev/v1
6+
kind: Pipeline
7+
metadata:
8+
name: build-helm-chart-oci-ta
9+
labels:
10+
pipelines.openshift.io/used-by: build-cloud
11+
pipelines.openshift.io/runtime: generic
12+
pipelines.openshift.io/strategy: helm
13+
spec:
14+
description: |
15+
Minimal Helm OCI build pipeline for release-service e2e tests.
16+
Packages a Helm chart and pushes it as an OCI artifact using the
17+
build-helm-chart-oci-ta task from build-definitions.
18+
params:
19+
- name: git-url
20+
description: Source Repository URL
21+
type: string
22+
- name: revision
23+
description: Revision of the Source Repository
24+
type: string
25+
default: ""
26+
- name: output-image
27+
description: Fully Qualified Output Image
28+
type: string
29+
- name: image-expires-after
30+
description: Image tag expiration time
31+
type: string
32+
default: ""
33+
- name: skip-checks
34+
description: Skip checks against built image
35+
type: string
36+
default: "true"
37+
- name: prefetch-input
38+
description: Build dependencies to be prefetched
39+
type: string
40+
default: ""
41+
- name: build-source-image
42+
description: Build a source image
43+
type: string
44+
default: "false"
45+
- name: enable-cache-proxy
46+
description: Enable cache proxy configuration
47+
type: string
48+
default: "false"
49+
- name: chart-context
50+
description: Path relative to source where the chart is located
51+
type: string
52+
default: dist/chart/
53+
- name: chart-version
54+
description: Optional explicit chart version (skips git-based calculation)
55+
type: string
56+
default: "0.1.0+e2e001"
57+
results:
58+
- name: IMAGE_URL
59+
value: $(tasks.build-helm-chart.results.IMAGE_URL)
60+
- name: IMAGE_DIGEST
61+
value: $(tasks.build-helm-chart.results.IMAGE_DIGEST)
62+
- name: CHAINS-GIT_URL
63+
value: $(tasks.clone-repository.results.url)
64+
- name: CHAINS-GIT_COMMIT
65+
value: $(tasks.clone-repository.results.commit)
66+
workspaces:
67+
- name: git-auth
68+
optional: true
69+
- name: netrc
70+
optional: true
71+
tasks:
72+
- name: init
73+
taskRef:
74+
params:
75+
- name: name
76+
value: init
77+
- name: bundle
78+
value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:d7f119ec69bafe990eb320daa3df9f432427513c3289e113d584963854adf237
79+
- name: kind
80+
value: task
81+
resolver: bundles
82+
params:
83+
- name: enable-cache-proxy
84+
value: $(params.enable-cache-proxy)
85+
- name: clone-repository
86+
runAfter:
87+
- init
88+
taskRef:
89+
params:
90+
- name: name
91+
value: git-clone-oci-ta
92+
- name: bundle
93+
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9
94+
- name: kind
95+
value: task
96+
resolver: bundles
97+
params:
98+
- name: url
99+
value: $(params.git-url)
100+
- name: revision
101+
value: $(params.revision)
102+
- name: ociStorage
103+
value: $(params.output-image).git
104+
- name: ociArtifactExpiresAfter
105+
value: $(params.image-expires-after)
106+
- name: fetchTags
107+
value: "true"
108+
- name: depth
109+
value: "0"
110+
workspaces:
111+
- name: basic-auth
112+
workspace: git-auth
113+
- name: prefetch-dependencies
114+
runAfter:
115+
- clone-repository
116+
taskRef:
117+
params:
118+
- name: name
119+
value: prefetch-dependencies-oci-ta
120+
- name: bundle
121+
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a56046235a9ce324d6c5a0682cdc9b822b5402f8b24d481f213035d9b0bcc3bb
122+
- name: kind
123+
value: task
124+
resolver: bundles
125+
params:
126+
- name: input
127+
value: $(params.prefetch-input)
128+
- name: SOURCE_ARTIFACT
129+
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
130+
- name: ociStorage
131+
value: $(params.output-image).prefetch
132+
- name: ociArtifactExpiresAfter
133+
value: $(params.image-expires-after)
134+
workspaces:
135+
- name: git-basic-auth
136+
workspace: git-auth
137+
- name: netrc
138+
workspace: netrc
139+
- name: build-helm-chart
140+
runAfter:
141+
- prefetch-dependencies
142+
taskRef:
143+
params:
144+
- name: name
145+
value: build-helm-chart-oci-ta
146+
- name: bundle
147+
value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:23de031fcad1479aa718ddfa764ca0532452a2d75dd2f1c23161bd6142c7251a
148+
- name: kind
149+
value: task
150+
resolver: bundles
151+
params:
152+
- name: IMAGE
153+
value: $(params.output-image)
154+
- name: COMMIT_SHA
155+
value: $(tasks.clone-repository.results.commit)
156+
- name: SOURCE_ARTIFACT
157+
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
158+
- name: CHART_CONTEXT
159+
value: $(params.chart-context)
160+
- name: CHART_VERSION
161+
value: $(params.chart-version)
162+
- name: apply-tags
163+
runAfter:
164+
- build-helm-chart
165+
taskRef:
166+
params:
167+
- name: name
168+
value: apply-tags
169+
- name: bundle
170+
value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e
171+
- name: kind
172+
value: task
173+
resolver: bundles
174+
params:
175+
- name: IMAGE_URL
176+
value: $(tasks.build-helm-chart.results.IMAGE_URL)
177+
- name: IMAGE_DIGEST
178+
value: $(tasks.build-helm-chart.results.IMAGE_DIGEST)
179+
finally: []
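Review bot: skip-checks (line 33) and build-source-image (line 41) are declared under spec.params but no task in this pipeline reads them, and skip-checks defaults to "true" in a pipeline that has no check tasks to skip. If they exist only so that a generated PipelineRun can pass them without error, say so in a comment above them; otherwise drop them. Separately, the chart-version default 0.1.0+e2e001 at line 56 means every run that does not override it builds the same version, so a short comment on why a fixed version is wanted would help the next reader.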
Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
---
2+
apiVersion: appstudio.redhat.com/v1alpha1
3+
kind: EnterpriseContractPolicy
4+
metadata:
5+
name: standard-${component_name}
6+
labels:
7+
originating-tool: "${originating_tool}"
8+
spec:
9+
description: >-
10+
Includes rules for levels 1, 2 & 3 of SLSA v0.1.
11+
publicKey: "k8s://openshift-pipelines/public-key"
12+
sources:
13+
- name: Release Policies
14+
data:
15+
- github.com/release-engineering/rhtap-ec-policy//data
16+
- oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
17+
policy:
18+
- oci::quay.io/enterprise-contract/ec-release-policy:konflux
19+
volatileConfig:
20+
exclude:
21+
- value: cve.cve_blockers
22+
effectiveUntil: "2028-01-01T00:00:00Z"
23+
config:
24+
exclude: []
25+
include:
26+
- '@slsa3'
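Review bot: The volatileConfig exclusion of cve.cve_blockers at lines 19-22 runs until 2028-01-01 with no comment saying why it is needed, so the policy this e2e validates against will not block on CVEs for that whole period. Please add a comment with the reason (and a tracking issue if there is one) and consider a nearer effectiveUntil so the exclusion gets revisited. The data source at line 16 is data-acceptable-bundles:latest, a floating tag; if that is deliberate, to follow the current acceptable-bundles list, a one-line comment would make that clear.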
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
---
2+
kind: Kustomization
3+
apiVersion: kustomize.config.k8s.io/v1beta1
4+
5+
namespace: ${managed_namespace}
6+
resources:
7+
- sa.yaml
8+
- sa-rolebinding.yaml
9+
- rpa.yaml
10+
- ec-policy.yaml
11+
- secrets/managed-secrets.yaml
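Review bot: secrets/managed-secrets.yaml at line 11 sits under a directory that the repository .gitignore excludes (**/secrets), so it is not part of this commit and kustomize will fail on a fresh checkout unless something generates it first. The new README lists VAULT_PASSWORD_FILE under prerequisites but does not say how this file is produced; a sentence there pointing at the step that decrypts or renders it would close the gap.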
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
---
2+
apiVersion: appstudio.redhat.com/v1alpha1
3+
kind: ReleasePlanAdmission
4+
metadata:
5+
name: ${release_plan_admission_name}
6+
labels:
7+
originating-tool: "${originating_tool}"
8+
spec:
9+
applications:
10+
- ${application_name}
11+
data:
12+
pyxis:
13+
server: stage
14+
secret: pyxis-${component_name}
15+
sign:
16+
configMapName: "hacbs-signing-pipeline-config-staging-e2e-pq"
17+
cosignSecretName: "konflux-cosign-signing-stage-${component_name}"
18+
mapping:
19+
defaults:
20+
tags:
21+
- "{{ oci_version }}"
22+
pushSourceContainer: false
23+
components:
24+
- name: ${component_name}
25+
repositories:
26+
- url: quay.io/redhat-pending/dev-release-team-tenant----caching-helm-test-rhel9
27+
fileUpdates:
28+
- paths:
29+
- path: data/teams/stonesoup/users/shebert.yml
30+
replacements:
31+
- key: .tag_on_cluster_updates
32+
replacement: >-
33+
|^tag_on_cluster_updates:.*|tag_on_cluster_updates: {{ .components[0].containerImage }}|
34+
repo: 'https://gitlab.cee.redhat.com/hacbs-release-tests/app-interface/'
35+
upstream_repo: 'https://gitlab.cee.redhat.com/hacbs-release-tests/app-interface/'
36+
ref: 'master'
37+
origin: ${tenant_namespace}
38+
pipeline:
39+
pipelineRef:
40+
params:
41+
- name: url
42+
value: "${RELEASE_CATALOG_GIT_URL}"
43+
- name: revision
44+
value: "${RELEASE_CATALOG_GIT_REVISION}"
45+
- name: pathInRepo
46+
value: pipelines/managed/rh-push-helm-chart-to-registry-redhat-io/rh-push-helm-chart-to-registry-redhat-io.yaml
47+
resolver: git
48+
serviceAccountName: ${managed_sa_name}
49+
timeouts:
50+
pipeline: 4h0m0s
51+
tasks: 4h0m0s
52+
policy: standard-${component_name}
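Review bot: The fileUpdates block at lines 27-36 targets data/teams/stonesoup/users/shebert.yml in an app-interface repo, which does not match any step the new README lists for this pipeline (validate the snapshot, push to the staging registry, create Pyxis entries, sign). If the Helm chart pipeline does not consume data.fileUpdates, drop the block; if it does, add a comment explaining what the test checks. The 4h0m0s pipeline and task timeouts at lines 50-51 are also worth a comment or a lower value for an e2e run.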
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
../../../rh-push-to-registry-redhat-io/resources/managed/sa-rolebinding.yaml
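Review bot: Pointing sa-rolebinding.yaml at ../../../rh-push-to-registry-redhat-io/resources/managed/sa-rolebinding.yaml (line 1) ties the permissions this test runs with to another suite's file, so an edit made there for that suite changes this Helm test as well. If the sharing is intended, a note in this suite's README listing the shared files (this one and sa.yaml) would make the dependency visible.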
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
../../../rh-push-to-registry-redhat-io/resources/managed/sa.yaml
