
Commit 4f00b1a

committed
fix: allow additional tags in validate-helm-chart-snapshot
Require at least one tag to match oci_version but permit extra tags (e.g. release_timestamp, static versions). Add e2e coverage with mixed tags in the RPA and a new unit test case. Assisted-by: Cursor AI Signed-off-by: Scott Wickersham <swickers@redhat.com>
1 parent 395eab7 commit 4f00b1a

5 files changed

Lines changed: 123 additions & 22 deletions


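--- a/integration-tests/rh-push-helm-chart-to-registry-redhat-io/README.md
+++ b/integration-tests/rh-push-helm-chart-to-registry-redhat-io/README.md
@@ -35,7 +35,7 @@ must remain `caching-helm-test-rhel9` because:
 
 - `validate-helm-chart-snapshot` checks that the OCI `org.opencontainers.image.title` matches the delivery repo basename
 - `publish-pyxis-repository` requires the delivery repo to already exist in Pyxis stage
-- The Pyxis repo (`dev-release-team-tenant/caching-helm-test-rhel9`) is defined in `pyxis-repo-configs/products/test-helm/caching-helm-test.yaml`
+- The Pyxis repo (`dev-release-team-tenant/caching-helm-test-rhel9`) is defined in [pyxis-repo-configs](https://gitlab.cee.redhat.com/releng/pyxis-repo-configs/-/blob/main/products/test-helm/caching-helm-test.yaml)
 
 To decouple the K8s name from the image basename, the test uses two mechanisms:
 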

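--- a/integration-tests/rh-push-helm-chart-to-registry-redhat-io/resources/managed/rpa.yaml
+++ b/integration-tests/rh-push-helm-chart-to-registry-redhat-io/resources/managed/rpa.yaml
@@ -19,11 +19,13 @@ spec:
 defaults:
 tags:
 - "{{ oci_version }}"
+- "{{ release_timestamp }}"
+- "v3.3"
 pushSourceContainer: false
 components:
 - name: ${component_name}
 repositories:
-- url: quay.io/redhat-pending/dev-release-team-tenant----caching-helm-test-rhel9
+- url: registry.stage.redhat.io/dev-release-team-tenant/caching-helm-test-rhel9
 fileUpdates:
 - paths:
 - path: data/teams/stonesoup/users/shebert.yml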
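Review bot: The literal `"v3.3"` tag carries no comment saying it is deliberately a tag that does not match `oci_version`, so a later cleanup could drop it and silently remove the mixed-tag coverage this commit adds. A line above the two new entries such as `# extra tags that intentionally do not match oci_version; validate-helm-chart-snapshot must still pass` would keep that intent visible. The same hunk also moves the repository `url` from the quay.io path to `registry.stage.redhat.io/...`, which the commit description does not mention; if it is related to the tag change, a sentence there would help.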

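--- a/tasks/managed/validate-helm-chart-snapshot/tests/test-validate-helm-chart-snapshot-fail-tag-mismatch.yaml
+++ b/tasks/managed/validate-helm-chart-snapshot/tests/test-validate-helm-chart-snapshot-fail-tag-mismatch.yaml
@@ -7,7 +7,7 @@ metadata:
 test/assert-task-failure: "run-task"
 spec:
 description: |
-Run validate-helm-chart-snapshot with a tag that does not match the chart version
+Run validate-helm-chart-snapshot where no tag matches the chart version
 (tag "0.2.0" vs chart version "1.0.0+buildmeta"). The task should fail.
 params:
 - name: ociStorage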
Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,106 @@
1+
---
2+
apiVersion: tekton.dev/v1
3+
kind: Pipeline
4+
metadata:
5+
name: test-validate-helm-chart-snapshot-success-extra-tags
6+
spec:
7+
description: |
8+
Run validate-helm-chart-snapshot with multiple tags where one matches the chart version
9+
and others do not. The task should succeed because at least one tag matches.
10+
params:
11+
- name: ociStorage
12+
description: The OCI repository where the Trusted Artifacts are stored.
13+
type: string
14+
default: ""
15+
- name: ociArtifactExpiresAfter
16+
description: Expiration date for the trusted artifacts created in the
17+
OCI repository. An empty string means the artifacts do not expire.
18+
type: string
19+
default: "1d"
20+
- name: orasOptions
21+
description: oras options to pass to Trusted Artifacts calls
22+
type: string
23+
default: "--insecure"
24+
- name: trustedArtifactsDebug
25+
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
26+
type: string
27+
default: ""
28+
- name: dataDir
29+
description: The location where data will be stored
30+
type: string
31+
default: "/var/workdir/release"
32+
tasks:
33+
- name: setup
34+
taskSpec:
35+
results:
36+
- name: sourceDataArtifact
37+
type: string
38+
volumes:
39+
- name: workdir
40+
emptyDir: {}
41+
stepTemplate:
42+
volumeMounts:
43+
- mountPath: /var/workdir
44+
name: workdir
45+
env:
46+
- name: IMAGE_EXPIRES_AFTER
47+
value: $(params.ociArtifactExpiresAfter)
48+
- name: "ORAS_OPTIONS"
49+
value: "$(params.orasOptions)"
50+
- name: "DEBUG"
51+
value: "$(params.trustedArtifactsDebug)"
52+
steps:
53+
- name: add-snapshot
54+
image: quay.io/konflux-ci/release-service-utils@sha256:3cb03b14ac9d90ff27070036ce2b50712e65aa285daeb28852254a745bb25dfc
55+
script: |
56+
#!/usr/bin/env bash
57+
set -eux
58+
59+
mkdir -p "$(params.dataDir)/$(context.pipelineRun.uid)"
60+
cat > "$(params.dataDir)/$(context.pipelineRun.uid)/mapped.json" << 'EOF'
61+
{
62+
"application": "helm-app",
63+
"components": [
64+
{
65+
"name": "mychart",
66+
"containerImage": "quay.io/tenant/mychart@sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
67+
"repositories": [
68+
{
69+
"url": "quay.io/redhat-prod/acme----mychart",
70+
"tags": ["1.0.0_buildmeta", "v1.0", "latest"]
71+
}
72+
]
73+
}
74+
]
75+
}
76+
EOF
77+
- name: create-trusted-artifact
78+
ref:
79+
name: create-trusted-artifact
80+
params:
81+
- name: ociStorage
82+
value: $(params.ociStorage)
83+
- name: workDir
84+
value: $(params.dataDir)
85+
- name: sourceDataArtifact
86+
value: $(results.sourceDataArtifact.path)
87+
- name: run-task
88+
taskRef:
89+
name: validate-helm-chart-snapshot
90+
params:
91+
- name: snapshotPath
92+
value: $(context.pipelineRun.uid)/mapped.json
93+
- name: ociStorage
94+
value: $(params.ociStorage)
95+
- name: orasOptions
96+
value: $(params.orasOptions)
97+
- name: sourceDataArtifact
98+
value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)"
99+
- name: dataDir
100+
value: $(params.dataDir)
101+
- name: taskGitUrl
102+
value: "http://localhost"
103+
- name: taskGitRevision
104+
value: "main"
105+
runAfter:
106+
- setup
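Review bot: The only matching tag, `1.0.0_buildmeta`, is the first entry of the `tags` array in the mocked `mapped.json`, so this test would still pass if the task regressed to checking only the first tag. Putting a non-matching tag first, `"tags": ["v1.0", "1.0.0_buildmeta", "latest"]`, would pin the "at least one tag, in any position" behaviour the commit describes. The chart version returned by the test's mock is not visible on this page; this assumes it is `1.0.0+buildmeta`, as in the fail-tag-mismatch test.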

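--- a/tasks/managed/validate-helm-chart-snapshot/validate-helm-chart-snapshot.yaml
+++ b/tasks/managed/validate-helm-chart-snapshot/validate-helm-chart-snapshot.yaml
@@ -124,16 +124,6 @@ spec:
 exit 1
 fi
 
-# Map OCI tag to SemVer: registry tags cannot contain '+'; Helm uses first '_' as build-metadata separator.
-oci_tag_to_version() {
-local t="$1"
-if [[ "$t" == *_* ]]; then
-echo "${t/_/+}"
-else
-echo "$t"
-fi
-}
-
 # Basename of delivery repo path (after ---- to /), last segment.
 delivery_repo_basename() {
 local url="$1"
@@ -186,15 +176,18 @@ spec:
 echo "Error: component (${name}) repository (${url}) has no tags" >&2
 exit 1
 fi
-for ((k = 0; k < num_tags; k++)); do
-tag=$(jq -r --argjson k "$k" '.tags[$k]' <<< "$repo")
-mapped=$(oci_tag_to_version "$tag")
-if [[ "$mapped" != "$version" ]]; then
-echo "Error: component (${name}) tag (${tag}) normalized to (${mapped}) does not match" \
-"chart version (${version})" >&2
-exit 1
-fi
-done
+{
+read -r version_found
+read -r all_tags
+} < <(jq -r --arg ver "$version" '
+([.tags[] | sub("_"; "+") == $ver] | any),
+(.tags | join(", "))
+' <<< "$repo")
+if [[ "$version_found" != "true" ]]; then
+echo "Error: component (${name}) repository (${url}) — none of the tags" \
+"[${all_tags}] match chart version (${version})" >&2
+exit 1
+fi
 done
 echo "Validated Helm OCI artifact for component (${name}) chart (${title}) version (${version})"
 done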
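Review bot: In the second hunk, tags other than the one matching `version` are no longer checked at all (`[.tags[] | sub("_"; "+") == $ver] | any`), so a snapshot with an extra tag that maps to a different chart version, for example `2.0.0` next to a `1.0.0` chart, now passes this gate. If that trade-off is intended, it should be stated where the check lives, and the explanation deleted with `oci_tag_to_version` should return above the jq call, e.g. `# At least one tag must map to the chart version ('_' -> '+': registry tags cannot contain '+'); other tags are not validated.` If it is not intended, the filter could additionally reject extra tags that parse as a SemVer different from `version`. The failure of jq itself is also reported as "none of the tags [] match", because the process substitution hides its exit status; it still fails closed. The enclosing loops start outside the hunk.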
