diff --git a/.github/scripts/mock_http_json.py b/.github/scripts/mock_http_json.py index df4c3a6195..e5e94c34fd 100755 --- a/.github/scripts/mock_http_json.py +++ b/.github/scripts/mock_http_json.py @@ -41,26 +41,28 @@ def log_message(self, *_args: object) -> None: # Keep Tekton step logs readable; every GET would otherwise print a line. return - def do_GET(self) -> None: + def _route_body(self) -> bytes | None: parsed = urlparse(self.path) path = parsed.path.rstrip("/") or "/" - body = None # Order in mocks.yaml matters: first matching rule wins (not most specific). for rule in self.routes: suf = rule.get("path_suffix") if suf is not None: # Match both "/auth/token" and "/auth/token/" style paths. - if path.endswith(suf) or path.endswith(suf.rstrip("/")): + suf_stripped = suf.rstrip("/") + if path.endswith(suf) or (suf_stripped and path.endswith(suf_stripped)): # mocks.yaml body values are strings, not pre-serialized bytes. - body = rule["body"].encode("utf-8") - break + return rule["body"].encode("utf-8") # path_suffix and path_contains are mutually exclusive per rule. continue sub = rule.get("path_contains") if sub is not None and sub in parsed.path: # Query string is ignored; only the path is checked. - body = rule["body"].encode("utf-8") - break + return rule["body"].encode("utf-8") + return None + + def _send_routed_json(self) -> None: + body = self._route_body() if body is None: # Unmatched paths look like "service down" to callers, not empty JSON. self.send_response(404) @@ -72,6 +74,8 @@ def do_GET(self) -> None: self.end_headers() self.wfile.write(body) + do_GET = do_POST = _send_routed_json + class _ReuseHTTPServer(HTTPServer): # Lets the test step restart the mock without "Address already in use". diff --git a/tasks/internal/create-advisory-task/create-advisory-task.yaml b/tasks/internal/create-advisory-task/create-advisory-task.yaml index 69a748bca2..15e035e593 100644 --- a/tasks/internal/create-advisory-task/create-advisory-task.yaml 
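Review bot: In `_route_body` the new `suf_stripped and ...` guard covers a rule whose suffix is `/`, but a rule with `path_suffix: ""` still matches every request through the first operand, `path.endswith(suf)`. Because the first matching rule wins, such a rule would shadow everything listed after it. Skipping empty suffixes up front closes that: `if not suf: continue` directly after the `is not None` check. A one-line docstring on `_route_body` would also help, for example `"""Return the encoded body of the first rule matching self.path, or None."""`. A rule without a `body` key raises `KeyError` inside the handler; whether the loader validates that is not visible in this hunk.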
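Review bot: `do_POST` is aliased to the same handler as `do_GET`, and nothing in the visible lines reads the request body. If a client posts a payload, the unread bytes stay on the socket: with keep-alive they would be parsed as the next request, and on close some clients see a reset before they have read the reply. Draining it first is cheap, with `length = int(self.headers.get("Content-Length") or 0)` followed by `self.rfile.read(length)` at the top of `_send_routed_json`. The part of the handler between the two hunks is not shown, so this assumes nothing there already consumes `rfile`.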
+++ b/tasks/internal/create-advisory-task/create-advisory-task.yaml @@ -86,12 +86,12 @@ spec: runAsUser: 1001 steps: - name: create-advisory - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 + image: quay.io/konflux-ci/release-service-utils@sha256:71a99d12d920fcc157e08e5dc9894fbc4bce42328e9c2f58dc53411278858d91 computeResources: limits: - memory: 256Mi + memory: 512Mi requests: - memory: 256Mi + memory: 512Mi cpu: '1' # 1 is the max allowed by at least the staging cluster volumeMounts: - name: advisory-secret 
@@ -99,264 +99,28 @@ spec: - name: errata-secret mountPath: /mnt/errata_secret env: - - name: "ADVISORY_JSON" - value: "$(params.advisory_json)" - script: | - #!/usr/bin/env bash - set -eo pipefail - - GITLAB_HOST="$(cat /mnt/advisory_secret/gitlab_host)" - - # This is a GitLab Project access token. Go to the settings/access_tokens page - # of your repository to create one. It should have the Developer role with read - # and write repository rights. - ACCESS_TOKEN="$(cat /mnt/advisory_secret/gitlab_access_token)" - - GIT_AUTHOR_NAME="$(cat /mnt/advisory_secret/git_author_name)" - GIT_AUTHOR_EMAIL="$(cat /mnt/advisory_secret/git_author_email)" - GIT_REPO="$(cat /mnt/advisory_secret/git_repo)" - ERRATA_API="$(cat /mnt/errata_secret/errata_api)" - SERVICE_ACCOUNT_NAME="$(cat /mnt/errata_secret/name)" - SERVICE_ACCOUNT_KEYTAB="$(cat /mnt/errata_secret/base64_keytab)" - - # export variables required by the called script "gitlab-functions" in release-service-utils - export GITLAB_HOST ACCESS_TOKEN GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL - - STDERR_FILE=/tmp/stderr.txt - echo -n "$(params.internalRequestPipelineRunName)" > "$(results.internalRequestPipelineRunName.path)" - echo -n "$(context.taskRun.name)" > "$(results.internalRequestTaskRunName.path)" - - exitfunc() { - local err=$1 - local line=$2 - local command="$3" - if [ "$err" -eq 0 ] ; then - echo -n "Success" > "$(results.result.path)" - else - echo -n \ - "$0: ERROR '$command' failed at line $line - exited with status $err" > "$(results.result.path)" - if [ -f "$STDERR_FILE" ] ; then - tail -n 20 "$STDERR_FILE" >> "$(results.result.path)" - fi - fi - echo -n "${ADVISORY_URL}" > "$(results.advisory_url.path)" - echo -n "${ADVISORY_INTERNAL_URL}" > "$(results.advisory_internal_url.path)" - exit 0 # exit the script cleanly as there is no point in proceeding past an error or exit call - } - # due to set -e, this catches all EXIT and ERR calls and the task should never fail with nonzero exit code - trap 'exitfunc $? 
$LINENO "$BASH_COMMAND"' EXIT - - REPO_BRANCH=main - ADVISORY_URL="" - ADVISORY_INTERNAL_URL="" - ADVISORY_BASE_DIR="data/advisories/$(params.origin)" - if [[ "${GIT_REPO}" == *"/rhtap-release/"* ]]; then - ADVISORY_URL_PREFIX="https://access.stage.redhat.com/errata" - else - ADVISORY_URL_PREFIX="https://access.redhat.com/errata" - fi - - # Switch to /tmp to avoid filesystem permission issues - cd /tmp - - # loading git and gitlab functions - # shellcheck source=/dev/null - . /home/utils/gitlab-functions - # shellcheck source=/dev/null - . /home/utils/git-functions - gitlab_init - git_functions_init - - # This also cds into the git repo - git_clone_and_checkout --repository "$GIT_REPO" --revision "$REPO_BRANCH" \ - --sparse-dir "$ADVISORY_BASE_DIR" --sparse-dir schema - - if [ "$(params.contentType)" = "image" ]; then - echo "Content type is image." - spec_content_type=".content.images" - elif [ "$(params.contentType)" == "binary" ] || [ "$(params.contentType)" == "generic" ] \ - || [ "$(params.contentType)" == "rpm" ]; then - echo "Content type is generic or rpm artifact." - spec_content_type=".content.artifacts" - else - echo "Unsupported contentType: $(params.contentType)"| tee -a "$STDERR_FILE" - echo "Exiting." | tee -a "$STDERR_FILE" - exit 1 - fi - CONTENT_FILE=/tmp/content.json - # Write the advisory JSON parameter to a file to avoid argument length limits - printf '%s' "$ADVISORY_JSON" | base64 --decode | gunzip > /tmp/advisory_decoded.json - jq -c "${spec_content_type} // []" /tmp/advisory_decoded.json > "$CONTENT_FILE" - - # Use ISO 8601 format in UTC/Zulu time, e.g. 
2024-03-06T17:27:38Z - SHIP_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") - YEAR=${SHIP_DATE%%-*} # derive the year from the ship date - # Define advisory directory - echo "Checking advisories in directory: ${ADVISORY_BASE_DIR}" - - # Check existing advisories across ALL years - EXISTING_ADVISORIES="" - if [ -d "${ADVISORY_BASE_DIR}" ]; then - EXISTING_ADVISORIES=$( - # year/advisory dir with modified time - find "${ADVISORY_BASE_DIR}" -mindepth 2 -type d -printf "%T@ %p\n" | - sort -nr | # sort by latest modified first - cut -d' ' -f2- | # remove the timestamp, keep only path - sed "s|^${ADVISORY_BASE_DIR}/||" # keeping year/advisory format - ) - fi - - if [[ -z "$EXISTING_ADVISORIES" ]]; then - echo "No existing advisories found." - fi - - # Track the latest advisory that contains matching content - # EXISTING_ADVISORIES is sorted by modification time (newest first) - LATEST_ADVISORY_FILE="" - - EXISTING_CONTENT=/tmp/existing_content.json - for ADVISORY_SUBDIR in $EXISTING_ADVISORIES; do - ADVISORY_FILE="${ADVISORY_BASE_DIR}/${ADVISORY_SUBDIR}/advisory.yaml" - yq -o=json ".spec${spec_content_type} // []" "${ADVISORY_FILE}" > "$EXISTING_CONTENT" - echo "Processing advisory: ${ADVISORY_FILE}" - echo "Existing content in advisory: " - cat "$EXISTING_CONTENT" - - # Check if this advisory contains any matching content before filtering - CONTENT_BEFORE_FILTER=$(cat "$CONTENT_FILE") - - # Update CONTENT by removing entries that already exist in the advisory - if [ "$(params.contentType)" == "generic" ] || [ "$(params.contentType)" == "binary" ]; then - # Use purl as unique key, but strip checksum= for comparison - # This allows re-releases (with new checksums from re-signing) to update existing advisories - # The filename= param (if present) ensures we match the correct file - jq --slurpfile existing "$EXISTING_CONTENT" ' - # Function to strip checksum param from purl for comparison - def strip_checksum: - gsub("&checksum=[^&]*"; "") | gsub("\\?checksum=[^&]*&"; "?") | 
gsub("\\?checksum=[^&]*$"; ""); - map(select( - (.purl | strip_checksum) as $p | - ($existing[0] | map(select((.purl | strip_checksum) == $p)) | length == 0) - ))' "$CONTENT_FILE" > /tmp/content_filtered.json - elif [ "$(params.contentType)" == "rpm" ] || [ "$(params.contentType)" == "disk-image" ]; then - # Use exact purl matching for RPM and disk-image (checksums are stable, no re-signing) - jq --slurpfile existing "$EXISTING_CONTENT" ' - map(select( - .purl as $p | - ($existing[0] | map(select(.purl == $p)) | length == 0) - ))' "$CONTENT_FILE" > /tmp/content_filtered.json - else - jq --slurpfile existing "$EXISTING_CONTENT" ' - map(select( - .containerImage as $ci | - .tags as $tags | - .repository as $repo | - ($existing[0] | map(select( - .containerImage == $ci and .tags == $tags and .repository == $repo - )) | length == 0) - ))' "$CONTENT_FILE" > /tmp/content_filtered.json - fi - - mv /tmp/content_filtered.json "$CONTENT_FILE" - - echo "Remaining entries after filtering:" - cat "$CONTENT_FILE" - - CONTENT_BEFORE_COUNT=$(jq 'length' <<< "$CONTENT_BEFORE_FILTER") - CONTENT_AFTER_COUNT=$(jq 'length' "$CONTENT_FILE") - if [[ $CONTENT_BEFORE_COUNT -gt $CONTENT_AFTER_COUNT ]]; then - if [[ -z "$LATEST_ADVISORY_FILE" ]]; then - LATEST_ADVISORY_FILE="$ADVISORY_FILE" - FILTERED_COUNT=$((CONTENT_BEFORE_COUNT - CONTENT_AFTER_COUNT)) - echo "Tracked latest advisory: $LATEST_ADVISORY_FILE (filtered $FILTERED_COUNT items)" - fi - fi - - # If after filtering, no entries are left, then we can exit early - if jq -e 'length == 0' "$CONTENT_FILE" >/dev/null; then - echo "All content found in existing advisories. Skipping creation." 
- echo "Returning advisory: $LATEST_ADVISORY_FILE" - - ADVISORY_INTERNAL_URL="${GIT_REPO//\.git/}/-/raw/main/${LATEST_ADVISORY_FILE}" - ADVISORY_TYPE=$(yq -r '.spec.type' "${LATEST_ADVISORY_FILE}") - ADVISORY_NAME=$(yq -r '.metadata.name' "${LATEST_ADVISORY_FILE}") - ADVISORY_URL="${ADVISORY_URL_PREFIX}/${ADVISORY_TYPE}-${ADVISORY_NAME}" - echo -n "Success" > "$(results.result.path)" - echo -n "${ADVISORY_URL}" > "$(results.advisory_url.path)" - echo -n "$ADVISORY_INTERNAL_URL" > "$(results.advisory_internal_url.path)" - exit 0 - fi - done - - NEW_ADVISORY_JSON=$(jq --slurpfile new_content "$CONTENT_FILE" \ - "${spec_content_type} = \$new_content[0]" /tmp/advisory_decoded.json) - - signingKey=$(kubectl get configmap "$(params.config_map_name)" -o jsonpath="{.data.SIG_KEY_NAME}") - # Write to temp file to avoid argument length limits - echo "$NEW_ADVISORY_JSON" > /tmp/new_advisory.json - # Add signingKey only if not already present in the artifact (supports pre-populated values from - # populate-release-notes for RPM releases) - jq -c --arg key "$signingKey" \ - "${spec_content_type} |= map(if .signingKey then . else . 
+ {\"signingKey\": \$key} end)" \ - /tmp/new_advisory.json > /tmp/advisory_with_key.json - - LIVE_ID=$(jq -r '.live_id' /tmp/advisory_decoded.json) - if [[ "$LIVE_ID" == null ]]; then - # write keytab to file - echo -n "${SERVICE_ACCOUNT_KEYTAB}" | base64 --decode > /tmp/keytab - # workaround kinit: Invalid UID in persistent keyring name while getting default ccache - KRB5CCNAME=$(mktemp) - export KRB5CCNAME - # see https://stackoverflow.com/a/12308187 - KRB5_CONFIG=$(mktemp) - export KRB5_CONFIG - export KRB5_TRACE=/dev/stderr - sed '/\[libdefaults\]/a\ dns_canonicalize_hostname = false' /etc/krb5.conf > "${KRB5_CONFIG}" - retry 5 kinit "${SERVICE_ACCOUNT_NAME}" -k -t /tmp/keytab - REQUEST_URL="${ERRATA_API}/advisory/reserve_live_id" - LIVE_ID=$(curl --retry 3 --negotiate -u : "${REQUEST_URL}" -XPOST | jq -r '.live_id') - fi - ADVISORY_NUM=$(printf "%04d" "$LIVE_ID") - - # Check if the advisory number is already used - GIT_RESULT_FILE=$(mktemp) - git ls-tree -r --name-only origin/main > "$GIT_RESULT_FILE" - GREP_RESULT=$(grep "data/advisories/.*/${YEAR}/${ADVISORY_NUM}/" "$GIT_RESULT_FILE" || true) - if [[ -n "${GREP_RESULT}" ]]; then - echo "An advisory with number ${ADVISORY_NUM} already exists:" | tee -a "$STDERR_FILE" - echo "${GREP_RESULT}" | tee -a "$STDERR_FILE" - echo "Exiting." | tee -a "$STDERR_FILE" - exit 1 - fi - - # group advisories by /year - ADVISORY_DIR="data/advisories/$(params.origin)/${YEAR}/${ADVISORY_NUM}" - mkdir -p "${ADVISORY_DIR}" - JSON_ADVISORY_FILEPATH="${ADVISORY_DIR}/advisory.json" - YAML_ADVISORY_FILEPATH="${ADVISORY_DIR}/advisory.yaml" - ADVISORY_NAME="${YEAR}:${ADVISORY_NUM}" - - # Prepare variables for the advisory template - # Write to file to avoid argument length limits - jq -c '{"advisory":{"spec":.}}' /tmp/advisory_with_key.json > /tmp/template_data.json - jq -c --arg advisory_name "$ADVISORY_NAME" --arg advisory_ship_date "$SHIP_DATE" \ - '$ARGS.named + .' 
/tmp/template_data.json > /tmp/template_data_final.json - - # Create advisory file using the apply_template.py script - /home/utils/apply_template.py -o "$JSON_ADVISORY_FILEPATH" --data-file /tmp/template_data_final.json \ - --template /home/templates/advisory.yaml.jinja -v 2> "$STDERR_FILE" - - # Convert to yaml for readability - yq eval -o yaml "$JSON_ADVISORY_FILEPATH" | tee "$YAML_ADVISORY_FILEPATH" - - # Ensure the created advisory file passes the advisory schema - check-jsonschema --schemafile schema/advisory.json "$YAML_ADVISORY_FILEPATH" 2>&1 | tee "$STDERR_FILE" - - git add "${YAML_ADVISORY_FILEPATH}" - git commit -m "[Konflux Release] new advisory for $(params.componentGroup)" - echo "Pushing to ${REPO_BRANCH}..." - git_push_with_retries --branch $REPO_BRANCH --retries 5 --url origin 2> "$STDERR_FILE" - # Construct the advisory url on customer portal to report back to the user as a result - ADVISORY_TYPE=$(jq -r '.type' /tmp/advisory_decoded.json) - ADVISORY_URL="${ADVISORY_URL_PREFIX}/${ADVISORY_TYPE}-${ADVISORY_NAME}" - ADVISORY_INTERNAL_URL="${GIT_REPO//\.git/}/-/raw/${REPO_BRANCH}/${YAML_ADVISORY_FILEPATH}" + - name: ADVISORY_JSON + value: $(params.advisory_json) + - name: PARAM_COMPONENT_GROUP + value: $(params.componentGroup) + - name: PARAM_ORIGIN + value: $(params.origin) + - name: PARAM_CONFIG_MAP_NAME + value: $(params.config_map_name) + - name: PARAM_CONTENT_TYPE + value: $(params.contentType) + - name: PARAM_INTERNAL_REQUEST_PIPELINE_RUN_NAME + value: $(params.internalRequestPipelineRunName) + - name: PARAM_TASK_RUN_NAME + value: $(context.taskRun.name) + - name: RESULT_RESULT + value: $(results.result.path) + - name: RESULT_ADVISORY_URL + value: $(results.advisory_url.path) + - name: RESULT_ADVISORY_INTERNAL_URL + value: $(results.advisory_internal_url.path) + - name: RESULT_INTERNAL_REQUEST_PIPELINE_RUN_NAME + value: $(results.internalRequestPipelineRunName.path) + - name: RESULT_INTERNAL_REQUEST_TASK_RUN_NAME + value: 
$(results.internalRequestTaskRunName.path) + command: ["/home/scripts/python/tasks/internal/create_advisory.py"] diff --git a/tasks/internal/create-advisory-task/tests/mocks.sh b/tasks/internal/create-advisory-task/tests/mocks.sh deleted file mode 100644 index adf03c5be3..0000000000 --- a/tasks/internal/create-advisory-task/tests/mocks.sh +++ /dev/null 
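Review bot: The step now runs `/home/scripts/python/tasks/internal/create_advisory.py` from the digest-pinned image, so the logic that reads the GitLab token and the Errata keytab from `/mnt/advisory_secret` and `/mnt/errata_secret` can no longer be reviewed in this repository. A comment above `command:` naming where the script ships from would help, for example `# Entrypoint lives in <SOURCE_REPO> at <COMMIT>; bump together with the image digest` (placeholders, the page does not give them). The removed script always exited 0 and wrote the failure text to `$(results.result.path)` through its EXIT trap. That contract is not visible in this hunk, so it is worth confirming the Python entrypoint keeps it, since consumers of the internal request presumably read `result` rather than the step status.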
@@ -1,184 +0,0 @@ -#!/usr/bin/env bash -set -eux - -# mocks to be injected into task step scripts -function git() { - echo "Mock git called with: $*" - - if [[ "$1" == "clone" ]]; then - gitRepo=$(echo "$*" | cut -f5 -d/ | cut -f1 -d.) - mkdir -p "$gitRepo"/schema - cat > "$gitRepo/schema/advisory.json" <<-'EOF' - { - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "required": ["spec"], - "properties": { - "spec": { - "type": "object", - "required": ["type"], - "properties": { - "type": { - "type": "string", - "enum": ["RHEA", "RHBA", "RHSA"] - }, - "severity": { - "type": "string", - "enum": ["Critical", "Important", "Moderate", "Low"] - } - } - } - } - } - EOF - - mkdir -p "$gitRepo"/data/advisories/dev-tenant/2025/1602 - mkdir -p "$gitRepo"/data/advisories/dev-tenant/2025/1601 - mkdir -p "$gitRepo"/data/advisories/dev-tenant/2024/1452 - mkdir -p "$gitRepo"/data/advisories/dev-tenant/2024/1442 - - touch -d "@1712012345" "$gitRepo"/data/advisories/dev-tenant/2025/1602 - touch -d "@1712012344" "$gitRepo"/data/advisories/dev-tenant/2025/1601 - touch -d "@1708012343" "$gitRepo"/data/advisories/dev-tenant/2024/1452 - touch -d "@1704012342" "$gitRepo"/data/advisories/dev-tenant/2024/1442 - elif [[ "$1" == "sparse-checkout" ]]; then - : # no-op - elif [[ "$1" == "ls-tree" ]]; then - echo data/advisories/dev-tenant/2025/1602/advisory.yaml - echo data/advisories/dev-tenant/2025/1601/advisory.yaml - echo data/advisories/dev-tenant/2024/1452/advisory.yaml - echo data/advisories/dev-tenant/2024/1442/advisory.yaml - elif [[ "$*" == *"failing-tenant"* ]]; then - echo "Mocking failing git command" && false - else - # Mock the other git functions to pass - : # no-op - do nothing - fi -} - -function yq() { - echo "Mock yq called with: $*" >&2 - - if [[ "$1" == "eval" ]]; then - json_file="$4" - yaml_tmpfile=$(mktemp) - - command yq "$@" | tee "$yaml_tmpfile" - - # Check that tags are preserved correctly in json/yaml conversion. 
- product_name=$(jq -r '.spec.product_name' "$json_file") - if [[ "$product_name" == "preserves data" ]]; then - json_tags=$(jq -r '.spec.content.images[].tags[]' "$json_file") - yaml_tags=$(command yq '.spec.content.images[].tags[]' "$yaml_tmpfile") - while IFS= read -r tag; do - if ! grep -qFx "$tag" <<< "$yaml_tags"; then - echo "Error: tag '$tag' not preserved in YAML output" >&2 - exit 1 - fi - done <<< "$json_tags" - echo "Tags are preserved correctly" >&2 - - # Check that version is not truncated e.g. 1.20 not 1.2 - yaml_version=$(command yq '.spec.product_version' "$yaml_tmpfile") - if [ "$yaml_version" != "1.20" ]; then - echo "Error: product_version truncated from '1.20' to '$yaml_version'" >&2 - exit 1 - fi - - yaml_stream=$(command yq '.spec.product_stream' "$yaml_tmpfile") - if [ "$yaml_stream" != "preserver-data-1.20" ]; then - echo "Error: product_stream expected 'preserver-data-1.20' got '$yaml_stream'" >&2 - exit 1 - fi - echo "Quoted fields are preserved correctly" >&2 - fi - return - fi - - if [[ -z "$3" ]]; then - echo "Error: Empty file path in yq command" >&2 - exit 1 - fi - - advisory_path="$3" - advisory_year=$(echo "$advisory_path" | awk -F'/' '{print $(NF-2)}') # Extract Year - advisory_num=$(echo "$advisory_path" | awk -F'/' '{print $(NF-1)}') # Extract Advisory Number - - if [[ "$2" == ".spec.type" ]]; then - echo RHSA - elif [[ "$2" == ".metadata.name" ]]; then - echo "${advisory_year}:${advisory_num}" - else - echo "Returning advisory content for ${advisory_year}/${advisory_num}" >&2 - - case "$advisory_num" in - 1601) - echo '[{"architecture":"amd64","component":"release-manager-alpha","containerImage":"quay.io/example/release@sha256:alpha123","repository":"example-stream/release","signingKey":"example-sign-key","tags":["v1.0","latest"]}]' - ;; - 1602) - echo 
'[{"architecture":"amd64","component":"release-manager-beta","containerImage":"quay.io/example/release@sha256:beta123","repository":"example-stream/release","signingKey":"example-sign-key","tags":["v2.0","stable"]}]' - ;; - 1442) - echo '[{"architecture":"amd64","component":"foo-foo-manager-1-15","containerImage":"quay.io/example/openstack@sha256:abde","repository":"quay.io/example/openstack","signingKey":"example-sign-key","tags":["v1.0","latest"]}]' - ;; - 1452) - echo '[{"architecture":"amd64","component":"foo-foo-manager-1-15","containerImage":"quay.io/example/openstack@sha256:lmnop","repository":"quay.io/example/openstack","signingKey":"example-sign-key","tags":["latest"]}]' - ;; - *) - echo "Error: Unexpected advisory number $advisory_num" >&2 - exit 1 - ;; - esac - fi -} - -function glab() { - echo "Mock glab called with: $*" - - if [[ "$*" != "auth login"* ]]; then - echo Error: Unexpected call - exit 1 - fi -} - -function kinit() { - echo "kinit $*" -} - -function curl() { - echo Mock curl called with: $* >&2 - - if [[ "$*" == "--retry 3 --negotiate -u : https://errata/api/v1/advisory/reserve_live_id -XPOST" ]] ; then - echo '{"live_id": 1234}' - else - echo Error: Unexpected call - exit 1 - fi -} - -function date() { - echo Mock date called with: $* >&2 - - case "$*" in - *"+%Y-%m-%dT%H:%M:%SZ") - echo "2024-12-12T00:00:00Z" - ;; - "*") - echo Error: Unexpected call - exit 1 - ;; - esac -} - -function kubectl() { - # The default SA doesn't have perms to get configmaps, so mock the `kubectl get configmap` call - if [[ "$*" == "get configmap create-advisory-test-cm -o jsonpath={.data.SIG_KEY_NAME}" ]] - then - echo key1 - else - /usr/bin/kubectl $* - fi -} - -# The retry script won't see the kinit function unless we export it -export -f kinit diff --git a/tasks/internal/create-advisory-task/tests/mocks.yaml b/tasks/internal/create-advisory-task/tests/mocks.yaml new file mode 100644 index 0000000000..652c8a5c45 --- /dev/null 
+++ b/tasks/internal/create-advisory-task/tests/mocks.yaml
@@ -0,0 +1,15 @@
+---
+# Declarative mocks for Tekton tests of this task (Python entrypoint). Rendered
+# by .github/scripts/render_python_task_mocks_from_yaml.py when
+# test_tekton_tasks.sh runs.
+version: 1
+services:
+ - type: http_json
+ bind: 127.0.0.1
+ routes:
+ - path_contains: /advisory/reserve_live_id
+ body: '{"live_id": 1234}'
+ rewrite_secret_mount:
+ source: /mnt/errata_secret
+ env_var: ERRATA_SECRET_MOUNT
+ url_file: errata_api
diff --git a/tasks/internal/create-advisory-task/tests/mocks/git b/tasks/internal/create-advisory-task/tests/mocks/git
new file mode 100755
index 0000000000..7c5f8dde78
--- /dev/null
+++ b/tasks/internal/create-advisory-task/tests/mocks/git
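Review bot: `rewrite_secret_mount` is the one key in this file whose effect the header comment does not explain. Presumably the renderer copies `/mnt/errata_secret`, replaces `errata_api` with the mock's URL and points the step at the copy through `ERRATA_SECRET_MOUNT`. If that is right, the production entrypoint accepts an environment variable that relocates where the keytab and the API URL are read from, so a comment such as `# Test-only: redirects the errata secret mount so errata_api resolves to this mock` belongs next to it. It is also worth confirming that the task definition never lets a caller set that variable; the `env:` list in create-advisory-task.yaml does not, as far as this diff shows.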
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# Tekton test mock for create-advisory (GitPython via helpers/vcs/git.py).
+# push/pull are no-ops (no network). clone seeds a local repo; other git calls
+# delegate to REAL_GIT for local index/commit plumbing.
+set -eux
+
+REAL_GIT=/usr/bin/git
+
+if [[ "$1" == "clone" ]]; then
+ dest="${@: -1}"
+ mkdir -p "${dest}"
+ "${REAL_GIT}" init -q "${dest}"
+ "${REAL_GIT}" -C "${dest}" config user.email "tester@tester"
+ "${REAL_GIT}" -C "${dest}" config user.name "tester"
+ "${REAL_GIT}" -C "${dest}" remote add origin "https://example.com/org/repo.git"
+ mkdir -p "${dest}/schema" "${dest}/data/advisories/not-existing-origin"
+ cat >"${dest}/schema/advisory.json" <<'EOF'
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "required": ["spec"],
+ "properties": {
+ "spec": {
+ "type": "object",
+ "required": ["type"],
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": ["RHEA", "RHBA", "RHSA"]
+ },
+ "severity": {
+ "type": "string",
+ "enum": ["Critical", "Important", "Moderate", "Low"]
+ }
+ }
+ }
+ }
+}
+EOF
+ "${REAL_GIT}" -C "${dest}" add -A
+ "${REAL_GIT}" -C "${dest}" commit -q -m "mock advisory repo seed" --allow-empty
+ exit 0
+fi
+
+# clone_sparse_shallow: repo.git.sparse_checkout("set", ...)
+if [[ "$1" == "sparse-checkout" ]]; then
+ exit 0
+fi
+
+# clone_sparse_shallow: repo.git.checkout(revision)
+if [[ "$1" == "checkout" ]]; then
+ exit 0
+fi
+
+# origin_ls_tree_name_only: repo.git.ls_tree("-r", "--name-only", ref)
+if [[ "$1" == "ls-tree" && "$2" == "-r" && "$3" == "--name-only" ]]; then
+ exit 0
+fi
+
+# push_origin_with_rebase_retries: remotes.origin.push(branch)
+if [[ "$1" == "push" ]]; then
+ exit 0
+fi
+
+# push_origin_with_rebase_retries: repo.git.pull("--rebase", "origin", branch)
+if [[ "$1" == "pull" ]]; then
+ exit 0
+fi
+
+exec "${REAL_GIT}" "$@"
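Review bot: The `ls-tree` branch exits 0 with no output, and the seeded repository contains only `schema/advisory.json` and an empty `data/advisories/not-existing-origin` directory, so nothing in this mock can make the entrypoint see an existing advisory. The removed `mocks.sh` printed four advisory paths for `ls-tree` and served their content, and the tests that relied on it are deleted in this commit. That leaves the already-published path and the duplicate-advisory-number check without Tekton-level coverage unless they are exercised elsewhere. Consider seeding one `advisory.yaml` during `clone` and printing its path from the `ls-tree` branch. Separately, `set -x` writes every argument to the step log, including the clone URL; if the helper ever embeds the access token in that URL it would be traced, so `set -eu` is the safer default here.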
diff --git a/tasks/internal/create-advisory-task/tests/mocks/kinit b/tasks/internal/create-advisory-task/tests/mocks/kinit
new file mode 100755
index 0000000000..a2049d1548
--- /dev/null
+++ b/tasks/internal/create-advisory-task/tests/mocks/kinit
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Tekton test mock: subprocess kinit in the task image succeeds without Kerberos.
+exit 0
diff --git a/tasks/internal/create-advisory-task/tests/mocks/kubectl b/tasks/internal/create-advisory-task/tests/mocks/kubectl
new file mode 100755
index 0000000000..0391fb3ee8
--- /dev/null
+++ b/tasks/internal/create-advisory-task/tests/mocks/kubectl
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# Tekton test mock: default SA cannot read configmaps in unit tests.
+set -eux
+if [[ "$*" == "get configmap create-advisory-test-cm -o jsonpath={.data.SIG_KEY_NAME}" ]]; then
+ echo key1
+else
+ exec /usr/bin/kubectl "$@"
+fi
diff --git a/tasks/internal/create-advisory-task/tests/pre-apply-task-hook.sh b/tasks/internal/create-advisory-task/tests/pre-apply-task-hook.sh
index 6d6eb466c1..8983c82940 100755
--- a/tasks/internal/create-advisory-task/tests/pre-apply-task-hook.sh
+++ b/tasks/internal/create-advisory-task/tests/pre-apply-task-hook.sh
@@ -1,16 +1,45 @@ #!/usr/bin/env bash -TASK_PATH="$1" -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +# Add RBAC so that the SA executing the tests can retrieve CRs +kubectl apply -f .github/resources/crd_rbac.yaml -# Add mocks to the beginning of task step script -yq -i '.spec.steps[0].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH" +cat > "/tmp/cm.json" << EOF +{ + "apiVersion": "v1", + "data": { + "PYXIS_URL": "https://pyxis.stage.engineering.redhat.com", + "SIG_KEY_NAMES": "redhate2etesting redhate2etesting2", + "PYXIS_SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem", + "PYXIS_SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs", + "PYXIS_SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key", + "UMB_CLIENT_NAME": "hacbs-signing-pipeline-nonprod", + "UMB_LISTEN_TOPIC": "VirtualTopic.eng.robosignatory.hacbs.sign", + "UMB_PUBLISH_TOPIC": "VirtualTopic.eng.hacbs-signing-pipeline.hacbs.sign", + "UMB_URL": "umb.stage.api.redhat.com", + "UMB_SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem", + "UMB_SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs", + "UMB_SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key", + "SIGNER_TYPE": "batch" + }, + "kind": "ConfigMap", + "metadata": { + "name": "create-advisory-test-cm" + } +} +EOF +kubectl delete -f /tmp/cm.json --ignore-not-found +kubectl create -f /tmp/cm.json kubectl delete secret create-advisory-secret --ignore-not-found -kubectl create secret generic create-advisory-secret --from-literal=git_author_email=tester@tester --from-literal=git_author_name=tester --from-literal=gitlab_access_token=abc --from-literal=gitlab_host=myurl --from-literal=git_repo=https://gitlab.com/org/repo.git - -kubectl delete secret create-stage-advisory-secret --ignore-not-found -kubectl create secret generic create-stage-advisory-secret --from-literal=git_author_email=tester@tester --from-literal=git_author_name=tester --from-literal=gitlab_access_token=abc 
--from-literal=gitlab_host=myurl --from-literal=git_repo=https://gitlab.com/rhtap-release/repo.git +kubectl create secret generic create-advisory-secret \ + --from-literal=git_author_email=tester@tester \ + --from-literal=git_author_name=tester \ + --from-literal=gitlab_access_token=abc \ + --from-literal=gitlab_host=myurl \ + --from-literal=git_repo=https://gitlab.com/org/repo.git kubectl delete secret create-advisory-errata-secret --ignore-not-found -kubectl create secret generic create-advisory-errata-secret --from-literal=errata_api=https://errata/api/v1 --from-literal=name=errata-tester --from-literal=base64_keytab=Zm9vCg== +kubectl create secret generic create-advisory-errata-secret \ + --from-literal=errata_api=https://errata/api/v1 \ + --from-literal=name=errata-tester \ + --from-literal=base64_keytab=Zm9vCg== diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-all-images-found-latest.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-all-images-found-latest.yaml deleted file mode 100644 index 569633ba56..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-all-images-found-latest.yaml +++ /dev/null 
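Review bot: The ConfigMap written to `/tmp/cm.json` defines `SIG_KEY_NAMES`, while the `kubectl` mock added in this commit answers only `get configmap create-advisory-test-cm -o jsonpath={.data.SIG_KEY_NAME}`. The real object therefore lacks the key the task presumably looks up, and the test passes only as long as the entrypoint issues exactly that command line. Adding `"SIG_KEY_NAME": "key1"` to `data` keeps the fixture honest if the lookup ever changes shape. The hook also has no `set -euo pipefail`, so a failed `kubectl create` goes unnoticed and surfaces later as an unrelated-looking test failure. Finally, `kubectl apply -f .github/resources/crd_rbac.yaml` depends on the caller's working directory.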
@@ -1,86 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-all-images-found-latest -spec: - description: | - Verifies that when all images are found in existing advisories, - the task returns the latest advisory URL (not just any matching advisory). - - Test scenario: - - Input contains 2 images: alpha123 and beta123 - - Mock creates 4 advisories with timestamps (1602=newest, 1442=oldest) - - Advisory 1601 contains alpha123 - - Advisory 1602 contains beta123 (newest with matching content) - - Since all images are found in existing advisories, no new advisory is created - - Task should return advisory 1602 (the latest one with matching content) - - This ensures retry scenarios return consistent, predictable results - (always the latest advisory, not the last one checked in the loop). - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/release@sha256:alpha123", - # "repository":"example-stream/release","tags":["v1.0", "latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}},{"containerImage":"quay.io/example/release@sha256:beta123", - # "repository":"example-stream/release","tags":["v2.0", "stable"],"architecture":"amd64", - # 
"purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: origin - value: dev-tenant - - name: componentGroup - value: "test-app" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - params: - - name: advisory-url - value: $(tasks.run-task.results.advisory_url) - - name: result-status - value: $(tasks.run-task.results.result) - runAfter: - - run-task - taskSpec: - params: - - name: advisory-url - type: string - - name: result-status - type: string - steps: - - name: verify-latest-advisory-returned - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - EXPECTED_URL="https://access.redhat.com/errata/RHSA-2025:1602" - - if [[ "$(params.result-status)" != "Success" ]]; then - echo "Task did not succeed. Status: $(params.result-status)" - exit 1 - fi - - if [[ "$(params.advisory-url)" != "$EXPECTED_URL" ]]; then - echo "Expected advisory URL: $EXPECTED_URL" - echo "Got advisory URL: $(params.advisory-url)" - exit 1 - fi - - echo "SUCCESS: Correctly returned latest advisory URL: $(params.advisory-url)" diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-custom-live-id.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-custom-live-id.yaml deleted file mode 100644 index e69902f5db..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-custom-live-id.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-custom-live-id -spec: - description: | - Run the create-advisory task and check that an advisory url is emitted as a task result. - This test uses a custom advisory live id. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abdeNEW", - # "repository":"rhosp16-rhel8/openstack","tags":["latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}, - # "live_id":999} - - name: componentGroup - value: "test-app" - - name: origin - value: "not-existing-origin" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: check-result - image: 
quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - echo Test that result is Success - test "$(params.result)" == Success - - echo Test that advisory_url was properly set - test "$(params.advisory_url)" == \ - https://access.redhat.com/errata/RHSA-2024:0999 diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-fail-check-schema.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-fail-check-schema.yaml deleted file mode 100644 index 1052661fb8..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-fail-check-schema.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-fail-check-schema -spec: - description: | - Run the create-advisory task and have it fail on JSON schema validation. The - failure is due to invalid values in the advisory data since type and severity - values are not present in the enum. This task should fail. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123, "product_name":"Red Hat Product", "product_version":"1.2.3", "product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8", "type":"wrongType", "synopsis":"test synopsis", "topic":"test - # topic", "description":"test description", "solution":"test solution", "severity":"wrongSeverity", - # "references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abdefail", - # "repository":"rhosp16-rhel8/openstack", "tags":["latest"], "architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8", - # "cves":{"fixed":{"CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: componentGroup - value: "test-app" - - name: origin - value: "schema-tenant" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: 
check-result - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -ex # if set -u is here, there will be STDERR_FILE unbound variable errors - - echo Test that result contains the schema errors - grep "wrongType" <<< "$(params.result)" - grep "wrongSeverity" <<< "$(params.result)" - - echo Test that advisory_url was not set - test -z "$(params.advisory_url)" diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-fail-existing-id.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-fail-existing-id.yaml deleted file mode 100644 index 45ed22ee3d..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-fail-existing-id.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-fail-existing-id -spec: - description: | - Run the create-advisory task and have it fail. In this scenario it fails because an advisory with year 2024 - and the live id 1452 already exists (returned in the git ls-tree mock) - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abdefail", - # "repository":"rhosp16-rhel8/openstack","tags":["latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}, - # "live_id":1452} - - name: componentGroup - value: "test-app" - - name: origin - value: "failing-tenant" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: check-result - image: 
quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - echo Test that result is contains the failed command - grep "already exists" <<< "$(params.result)" - - echo Test that advisory_url was not set - test -z "$(params.advisory_url)" diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-fail.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-fail.yaml deleted file mode 100644 index c85ad96b1c..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-fail.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-fail -spec: - description: | - Run the create-advisory task and have it fail. Because that task doesn't use a workspace and the task always - succeeds (due to how the internal tasks work), the only real way to check this is to examine the result and - advisory_url task results. So, any failure will show itself in the same way, so this is the only failing - unit test. - - The failure here is due to the `origin` param being `failing-tenant`, which is accounted for in mocks.sh - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - H4sIAAAAAAAAA2VS30vDMBB+319R8rw1tuqQgDgRQd9kgi8y5ExvbbBNYpKOjeL/7qWd+1FDSbjvvnz33TUds84UrQwfqmAiyy+nB0BDg0ywJRbJE4TkZYDZkbBB55XRxMnSPL08yfjgEBpKBJux6SQ5WUzaqEq74CBwC42tUewvCqxvSCbses7y6fWeIr/Txnrloxz6kBxiIhqr5B8+BKNqBXrplA2Dz553CpG6qdvT7CGeModrdKglUul3VoVgveC8MNKne9+pNA3Xhi6y1bhNowPqwETHVANlr9H1KCiN7jliVPO7hV2qDN8LcmNR+wDya+EryK/nAj4LXIOqx405tMarYNyOVFxlvM3mM1fRAI8acUJQ9u5riN2RSwZOViqgDK2LBqAp5ldjcdu6mnL2qxT/jQ2uZIF3Rw8fdOF23MuZK/IiN3EKHVurLdJj685rPrw9zvKLPJ/RI7yKNEvF9oPrnZSmBl3y4UiNK/mWaww8/ph8kaUZfWz1Q4u2yS+hdGYS2QIAAA== - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abdefail", - # "repository":"rhosp16-rhel8/openstack","tags":["latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: 
componentGroup - value: "test-app" - - name: origin - value: "failing-tenant" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: check-result - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - echo Test that result is contains the failed command - grep "false" <<< "$(params.result)" - - echo Test that advisory_url was not set - test -z "$(params.advisory_url)" diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-generic-content.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-generic-content.yaml deleted file mode 100644 index bd0c9572b3..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-generic-content.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-generic-content -spec: - description: | - Run the create-advisory task with the contentType param set as generic - and check that an advisory url is emitted as a task result - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/helm@sha256:abdeNEW", - # "repository":"rhosp16-rhel8/openstack","tags":["latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: componentGroup - value: "test-app" - - name: origin - value: "not-existing-origin" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: contentType - value: "generic" - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: check-result - image: 
quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - echo Test that result is Success - test "$(params.result)" == Success - - echo Test that advisory_url was properly set - test "$(params.advisory_url)" == \ - https://access.redhat.com/errata/RHSA-2024:1234 diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-idempotency-multiple-image.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-idempotency-multiple-image.yaml deleted file mode 100644 index 46461f36da..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-idempotency-multiple-image.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-idempotency-multiple-image -spec: - description: | - Verifies the idempotency behavior of the advisory creation process when multiple container images are provided - in the advisory_json. This test supplies three images (alpha123, beta123, gamma123), of which - alpha123 and beta123 are already present in existing advisories(Mock scenraio). - The task is expected to recognize these and only create a new advisory for the remaining image (gamma123). - The test passes if only the unmatched image is included in the resulting advisory and the advisory URL matches the - expected value. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/release@sha256:alpha123", - # "repository":"example-stream/release","tags":["v1.0", "latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}},{"containerImage":"quay.io/example/release@sha256:beta123", - # "repository":"example-stream/release","tags":["v2.0", "stable"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # 
"CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}},{"containerImage":"quay.io/example/release@sha256:gamma123", - # "repository":"rhosp16-rhel8/openstack","tags":["v3.0", "stable"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: origin - value: dev-tenant - - name: componentGroup - value: "test-app" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - params: - - name: advisory-url - value: $(tasks.run-task.results.advisory_url) - - name: result-status - value: $(tasks.run-task.results.result) - runAfter: - - run-task - taskSpec: - params: - - name: advisory-url - type: string - - name: result-status - type: string - steps: - - name: verify-idempotency - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - EXPECTED_URL="https://access.redhat.com/errata/RHSA-2024:1234" - - if [[ "$(params.result-status)" != "Success" ]]; then - echo "Task did not succeed. Status: $(params.result-status)" - exit 1 - fi - - if [[ "$(params.advisory-url)" != "$EXPECTED_URL" ]]; then - echo "Unexpected advisory URL: $(params.advisory-url)" - exit 1 - fi diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-idempotency-single-image.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-idempotency-single-image.yaml deleted file mode 100644 index 7522315e40..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-idempotency-single-image.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-idempotency-single-image -spec: - description: | - Verifies the idempotency behavior of the advisory creation process when a single container image is - provided in the advisory_json. The input image (abde) is already included in an existing advisory. - The task is expected to detect this and reuse the same advisory without duplicating or creating a new one. - The test passes if the resulting advisory URL matches the one for the existing advisory. - Note: This test does not validate the actual contents of the advisory file. It assumes that if the task - succeeded and the advisory was created at the expected URL, then the logic to skip already released images worked. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abde", - # "repository":"quay.io/example/openstack","tags":["v1.0", "latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: origin - value: dev-tenant - - name: componentGroup - value: "test-app" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: 
internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - params: - - name: advisory-url - value: $(tasks.run-task.results.advisory_url) - - name: result-status - value: $(tasks.run-task.results.result) - runAfter: - - run-task - taskSpec: - params: - - name: advisory-url - type: string - - name: result-status - type: string - steps: - - name: verify-idempotency - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - EXPECTED_URL="https://access.redhat.com/errata/RHSA-2024:1442" - - if [[ "$(params.result-status)" != "Success" ]]; then - echo "Task did not succeed. Status: $(params.result-status)" - exit 1 - fi - - if [[ "$(params.advisory-url)" != "$EXPECTED_URL" ]]; then - echo "Unexpected advisory URL: $(params.advisory-url)" - exit 1 - fi diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-jinja-cross-field-references.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-jinja-cross-field-references.yaml deleted file mode 100644 index be7240953d..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-jinja-cross-field-references.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-jinja-cross-field-references -spec: - description: | - Verifies Jinja with cross field references rendering in the create-advisory task - ensuring advisory spec references resolve correctly in generated fields. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123, "product_name":"Red Hat Product", "product_version":"9.0.1", "product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8", "type":"RHSA", "synopsis":"{% set version_str = - # advisory.spec.product_version | string() %}{% set major = version_str.split('.')[0] %}{% if - # advisory.spec.type == 'RHSA' %}{{ advisory.spec.severity }}: RHEL {{ major }} security update{% else - # %}RHEL {{ major }} bug fix update{% endif %}", "topic":"Updated {{ advisory.spec.product_name }} {{ - # advisory.spec.product_version }} available", "description":"Security update for {{ - # advisory.spec.product_name }} for advisory {{ advisory_name }}", "solution":"Update your containers", - # "severity":"Moderate", "references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abc123", - # "repository":"rhosp16-rhel8/openstack", "tags":["latest"], "architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8", - # "cves":{"fixed":{"CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: componentGroup - value: "test-app" - - name: origin - value: "jinja-tenant" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: 
internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: check-result - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -ex - - echo Test that result is success - printf "%s\n" "$(params.result)" | grep -i 'success' - - echo Test that advisory_url was set - test -n "$(params.advisory_url)" diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-preserves-data.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-preserves-data.yaml deleted file mode 100644 index 923e852649..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-preserves-data.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-preserves-data -spec: - description: | - Test that data is preserved correctly during JSON to YAML conversion. - Verifies tags like 33158e1 are not converted to integers and that - version like 1.20 is not truncated to 1.2. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - H4sIAMS36GkAA31RO0/DMBDe+yuizG1epRXyBAMSrIgNVehwjtYisc35UhFV/e/4EUq6MPnue93ZPi2yLLdk2kHym2pzkdXNejkHNfToYd+jQzqiy1pgyK80RySnjA6yumiqa9IxIfTzCFqFiNWfVNo4wh+iBMHoWEzuxPOYBM+PD/cJcaM21ikX0Bevzy5AMhir5IVLXSRadJKU5WnbSM+xFG664UpxASJN+IGEWmKY/pofmK0TZYnf0NsOC2n6fJeuZTSjZq86+dYDqod9csU+m/DIBTEojfQURGH01wBjocxvcBndd+4AzWYr4F36n4oLTQGE1jjFhsZg/jUFdK5i2Ke11+t6c4t1vgx/VhVVKDoIbx+qY1NUWFfpIpMVSB4Uo+SB4n7Qt9ubebYdqIv//LkX/y09Oc7x3C1CdV78AH1x4diKAgAA - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123, "product_name":"preserves data", "product_version":"1.20", - # "product_stream":"preserver-data-1.20", "cpe":"cpe:/a:test:product", "type":"RHEA", - # "synopsis":"Test synopsis", "topic":"Test topic", "description":"Test description", - # "solution":"Test solution", "references":["https://example.com"], - # "content":{"images":[{"containerImage":"quay.io/example/image@sha256:abc123", - # "repository":"example/repo", "tags":["33158e1", "1.0.0", "latest", "v2.0e10"], "architecture":"amd64", - # "purl":"pkg:example/image@sha256:abc123"}]}} - - name: componentGroup - value: "test-app" - - name: origin - value: "tag-test-tenant" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - 
name: advisory_url - value: $(tasks.run-task.results.advisory_url) - - name: advisory_internal_url - value: $(tasks.run-task.results.advisory_internal_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - - name: advisory_internal_url - type: string - steps: - - name: check-result - image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -ex - - echo Test that task succeeded - test "$(params.result)" == Success - - echo Test that advisory_url was set - test -n "$(params.advisory_url)" diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory-stage.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory-stage.yaml deleted file mode 100644 index 8ab5553b90..0000000000 --- a/tasks/internal/create-advisory-task/tests/test-create-advisory-stage.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-create-advisory-stage -spec: - description: | - Run the create-advisory task and check that the advisory URL is pointing to the staging Errata - when the Git org is 'rhtap-release'. The result should be emitted as a task result. - tasks: - - name: run-task - taskRef: - name: create-advisory-task - params: - - name: advisory_json - value: >- - 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 - # advisory_json string before `gzip -c|base64 -w 0` encoding: - # {"product_id":123,"product_name":"Red Hat Product","product_version":"1.2.3","product_stream":"tp1", - # "cpe":"cpe:/a:example:product:el8","type":"RHSA","synopsis":"test synopsis","topic":"test topic", - # "description":"test description","solution":"test solution","references":["https://docs.example.com/notes"], - # "content":{"images":[{"containerImage":"quay.io/example/openstack@sha256:abdeNEW", - # "repository":"rhosp16-rhel8/openstack","tags":["latest"],"architecture":"amd64", - # "purl":"pkg:example/openstack@256:abcde?repository_url=quay.io/example/rhosp16-rhel8","cves":{"fixed":{ - # "CVE-2022-1234":{"packages":["pkg:golang/golang.org/x/net/http2@1.11.1"]}}}}]}} - - name: componentGroup - value: "test-app" - - name: origin - value: "not-existing-origin" - - name: config_map_name - value: "create-advisory-test-cm" - - name: advisory_secret_name - value: "create-stage-advisory-secret" - - name: errata_secret_name - value: "create-advisory-errata-secret" - - name: internalRequestPipelineRunName - value: $(context.pipelineRun.name) - - name: check-result - runAfter: - - run-task - params: - - name: result - value: $(tasks.run-task.results.result) - - name: advisory_url - value: $(tasks.run-task.results.advisory_url) - taskSpec: - params: - - name: result - type: string - - name: advisory_url - type: string - steps: - - name: check-result - image: 
quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16 - script: | - #!/usr/bin/env bash - set -eux - - echo Test that result is Success - test "$(params.result)" == Success - - echo Test that advisory_url was properly set - test "$(params.advisory_url)" == \ - https://access.stage.redhat.com/errata/RHSA-2024:1234
diff --git a/tasks/internal/create-advisory-task/tests/test-create-advisory.yaml b/tasks/internal/create-advisory-task/tests/test-create-advisory.yaml
index 5b9c99ea0b..cf12e85d7b 100644
--- a/tasks/internal/create-advisory-task/tests/test-create-advisory.yaml
+++ b/tasks/internal/create-advisory-task/tests/test-create-advisory.yaml
@@ -50,7 +50,7 @@ spec:
 type: string
 steps:
 - name: check-result
- image: quay.io/konflux-ci/release-service-utils@sha256:9460d206ab78a096679cf0d96bf812b3f9a5227dd2f7061e06e8e58c49cdad16
+ image: quay.io/konflux-ci/release-service-utils@sha256:71a99d12d920fcc157e08e5dc9894fbc4bce42328e9c2f58dc53411278858d91
 script: |
 #!/usr/bin/env bash
 set -eux
@@ -59,5 +59,8 @@ spec:
 test "$(params.result)" == Success
 echo Test that advisory_url was properly set
- test "$(params.advisory_url)" == \
- https://access.redhat.com/errata/RHSA-2024:1234
+ url="$(params.advisory_url)"
+ if [[ "${url}" != https://access.redhat.com/errata/RHSA-*:1234 ]]; then
+ echo "Unexpected advisory URL: ${url}"
+ exit 1
+ fi
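Review bot: The new URL check in the `check-result` script is looser than it needs to be, because the right-hand side of `[[ "${url}" != https://access.redhat.com/errata/RHSA-*:1234 ]]` is an unquoted glob and `*` matches any run of characters, including an empty one or extra path segments. If the intent is only to stop pinning the year (an inference from the removed `RHSA-2024:1234` literal), an anchored regex keeps the assertion tight: `if [[ ! "${url}" =~ ^https://access\.redhat\.com/errata/RHSA-[0-9]{4}:1234$ ]]; then`. Separately, `url="$(params.advisory_url)"` is substituted by Tekton into the script text before bash parses it, so the task result is read as shell source rather than data; declaring it under the step's `env:` and reading the variable in the script avoids that, and the same applies to the unchanged `test "$(params.result)" == Success` line. The step's script starts outside this hunk, so the rest of it is not reviewed here.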