| 1 | +# rh-advisories-idempotent test |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +This test validates idempotent re-release behavior for the `rh-advisories` pipeline: |
| 6 | + |
| 7 | +1. **First release**: all tasks run, advisory created (`skip_release=false`) |
| 8 | +2. **Second release** (same snapshot): `filter-already-released-advisory-images` detects the |
| 9 | + existing advisory in Pyxis → `skip_release=true` |
| 10 | +3. All downstream tasks are skipped; release CR still reaches `Released=True` |
| 11 | +4. `advisory.url` is present in second release status (populated from filter result, |
| 12 | + not from `create-advisory`) |
| 13 | + |
| 14 | +## Setup |
| 15 | + |
| 16 | +### Dependencies |
| 17 | +* GitHub repo: https://github.com/hacbs-release-tests/e2e-base |
| 18 | +* GitHub personal access token (classic) for above repo with **admin:repo_hook**, |
| 19 | + **delete_repo**, **repo** scopes. |
| 20 | +* The password to the vault files. (Contact a member of the Release team should you |
| 21 | + want to run this test suite.) |
| 22 | +* Access to the target cluster and tenant and managed namespaces |
| 23 | + * **Cluster:** stg-rh01 (staging cluster) |
| 24 | + * **Tenant Namespace:** `dev-release-team-tenant` (local) or `rhtap-release-2-tenant` (PaC) |
| 25 | + * **Managed Namespace:** `managed-release-team-tenant` |
| 26 | + |
| 27 | +### Required Environment Variables |
| 28 | +- `GITHUB_TOKEN` - GitHub personal access token |
| 29 | +- `VAULT_PASSWORD_FILE` - Path to file containing ansible vault password |
| 30 | +- `RELEASE_CATALOG_GIT_URL` - Release service catalog URL for the RPA |
| 31 | +- `RELEASE_CATALOG_GIT_REVISION` - Release service catalog revision for the RPA |
| 32 | + |
| 33 | +### Optional Environment Variables |
| 34 | +- `KUBECONFIG` - Kubeconfig file for cluster access |
| 35 | +- `LARGE_SNAPSHOT_COMPONENT_COUNT` - Number of components in snapshot (default: 1) |
| 36 | +- `LARGE_SNAPSHOT_TIMEOUT` - Pipeline timeout (default: 2h0m0s) |
| 37 | + |
| 38 | +### Test Properties |
| 39 | +#### [test.env](test.env) |
| 40 | +- Contains resource names and configuration values for testing. |
| 41 | +- Uses a single-component pre-built snapshot to minimize first release duration. |
| 42 | + |
| 43 | +#### [test.sh](test.sh) |
| 44 | +- Overrides standard build functions to skip builds and use pre-built images. |
| 45 | +- Implements the two-phase idempotent test: first release then second release. |
| 46 | +- Verifies all acceptance criteria post second release. |
| 47 | + |
| 48 | +### Test Functions |
| 49 | +#### [lib/test-functions.sh](../lib/test-functions.sh) |
| 50 | +- Reusable functions for tests. |
| 51 | + |
| 52 | +### Secrets |
| 53 | +- Secrets are stored in ansible vault files (symlinked from `rh-advisories-large-snapshot`): |
| 54 | + - [vault/managed-secrets.yaml](vault/managed-secrets.yaml) |
| 55 | + - [vault/tenant-secrets.yaml](vault/tenant-secrets.yaml) |
| 56 | + |
| 57 | +## Acceptance Criteria |
| 58 | + |
| 59 | +- Second release: all major tasks (`create-advisory`, `push-snapshot`, `verify-conforma`, |
| 60 | + `rh-sign-image`, etc.) appear in `skippedTasks` |
| 61 | +- `advisory.url` present in second release `status.artifacts` (written by |
| 62 | + `update-cr-status-skipped` from filter result, not `create-advisory`) |
| 63 | + |
| 64 | +## Running the test |
| 65 | + |
| 66 | +For local testing: |
| 67 | + |
| 68 | +```shell |
| 69 | +../run-test.sh rh-advisories-idempotent |
| 70 | +``` |
| 71 | + |
| 72 | +**Note:** This test runs two full releases sequentially. The first release takes |
| 73 | +approximately 1-2 hours in staging; the second release completes quickly once the |
| 74 | +filter detects the existing advisory. |
| 75 | + |
| 76 | +### Debugging |
| 77 | + |
| 78 | +Use `--skip-cleanup` to preserve resources after the test: |
| 79 | + |
| 80 | +```shell |
| 81 | +../run-test.sh rh-advisories-idempotent --skip-cleanup |
| 82 | +``` |
| 83 | + |
| 84 | +### Maintenance |
| 85 | + |
| 86 | +To update secrets: |
| 87 | + |
| 88 | +```shell |
| 89 | +ansible-vault decrypt vault/tenant-secrets.yaml --output "/tmp/tenant-secrets.yaml" \ |
| 90 | + --vault-password-file <vault password file> |
| 91 | +vi /tmp/tenant-secrets.yaml |
| 92 | +ansible-vault encrypt /tmp/tenant-secrets.yaml --output "vault/tenant-secrets.yaml" \ |
| 93 | + --vault-password-file <vault password file> |
| 94 | +rm /tmp/tenant-secrets.yaml |
| 95 | +``` |
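Review bot: The Maintenance steps (lines 89-94) decrypt `vault/tenant-secrets.yaml` to the fixed path `/tmp/tenant-secrets.yaml`, so the plaintext sits at a predictable location in a shared directory with whatever permissions the current umask gives it, and it stays there if the editor session or the re-encrypt step fails before `rm` runs. Consider documenting `ansible-vault edit vault/tenant-secrets.yaml --vault-password-file <vault password file>` instead, which removes the hand-managed plaintext copy; if the decrypt/encrypt flow has to stay, write into a private `mktemp -d` directory and remove it in a `trap` so cleanup also happens on failure. The section also covers only `tenant-secrets.yaml`, while the Secrets section lists `vault/managed-secrets.yaml` as well, and because both files are described as symlinked from `rh-advisories-large-snapshot`, it is worth stating whether an edit made here is meant to change that test's secrets too.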