Merge branch 'main' into rest

Author: dbasunag

.github/workflows/add-remove-labels.yml

@@ -19,7 +19,8 @@ jobs:
       contains(github.event.comment.body, '/verified') ||
       contains(github.event.comment.body, '/lgtm') ||
       contains(github.event.comment.body, '/hold') ||
-      contains(github.event.comment.body, '/cherry-pick')
+      contains(github.event.comment.body, '/cherry-pick') ||
+      contains(github.event.comment.body, '/build-push-pr-image')
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/delete-image-tag.yml

@@ -0,0 +1,32 @@
+name: Delete PR Image On PR Close Action
+
+on:
+  pull_request_target:
+    types: [closed]
+
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+    delete-quay-tag:
+      runs-on: ubuntu-latest
+      steps:
+        - name: Install regctl
+          run: |
+            curl -LO https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64
+            chmod +x regctl-linux-amd64
+            sudo mv regctl-linux-amd64 /usr/local/bin/regctl
+            regctl version
+
+        - name: Configure regctl authentication
+          run: |
+            regctl registry login quay.io -u ${{ secrets.QUAY_USERNAME }} -p ${{ secrets.QUAY_PASSWORD }}
+            echo "PR number: ${{ github.event.pull_request.number }}"
+            echo "TAG_TO_DELETE=$(regctl tag ls quay.io/opendatahub/opendatahub-tests --include pr-${{ github.event.pull_request.number }})" >> $GITHUB_ENV
+        - name: Delete Quay Tag
+          if: env.TAG_TO_DELETE != ''
+          run: |
+            echo "Deleting tag '$TAG_TO_DELETE' from repository..."
+            regctl tag rm quay.io/opendatahub/opendatahub-tests:pr-${{ github.event.pull_request.number }}

.github/workflows/push-container-on-comment.yml

@@ -0,0 +1,66 @@
+name: Push Container Image On PR Comment
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+  push-container-on-comment:
+    if: contains(github.event.comment.body, '/build-push-pr-image')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Check if the user is authorized
+        env:
+          GITHUB_TOKEN: ${{ secrets.RHODS_CI_BOT_PAT }}
+          GITHUB_PR_NUMBER: ${{ github.event.issue.number }}
+          GITHUB_EVENT_ACTION: ${{ github.event.action }}
+          GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }}
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+          COMMENT_BODY: ${{ github.event.comment.body }}
+          REVIEW_COMMENT_BODY: ${{ github.event.review.body }}
+          GITHUB_USER_LOGIN: ${{ github.event.sender.login }}
+          ACTION: "push-container-on-comment"
+        run: uv run python .github/workflows/scripts/pr_workflow.py
+      - name: Set env TAG for image
+        run: |
+          echo "TAG=pr-${{ github.event.issue.number }}" >> "$GITHUB_ENV"
+      - name: Build Image to push
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: opendatahub-tests
+          tags: ${{ env.TAG }}
+          containerfiles: |
+            ./Dockerfile
+      - name: Push To Image Registry
+        id: push-to-registry
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: quay.io/opendatahub
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Add comment to PR
+        if: always()
+        env:
+          URL: ${{ github.event.issue.comments_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          curl \
+            -X POST \
+            $URL \
+            -H "Content-Type: application/json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            --data '{ "body": "Status of building tag ${{ env.TAG }}: ${{ steps.build-image.outcome }}. \nStatus of pushing tag ${{ env.TAG }} to image registry: ${{ steps.push-to-registry.outcome }}." }'

.github/workflows/scripts/pr_workflow.py

@@ -34,10 +34,12 @@ class SupportedActions:
         add_remove_labels_action_name: str = "add-remove-labels"
         pr_size_action_name: str = "add-pr-size-label"
         welcome_comment_action_name: str = "add-welcome-comment-set-assignee"
+        build_push_pr_image_action_name: str = "push-container-on-comment"
         supported_actions: set[str] = {
             pr_size_action_name,
             add_remove_labels_action_name,
             welcome_comment_action_name,
+            build_push_pr_image_action_name,
         }
 
     def __init__(self) -> None:
@@ -58,7 +60,7 @@ def __init__(self) -> None:
     def verify_base_config(self) -> None:
         if not self.action or self.action not in self.SupportedActions.supported_actions:
             sys.exit(
-                "`ACTION` is not set in workflow or is not supported. "
+                f"{self.action} is not set in workflow or is not supported. "
                 f"Supported actions: {self.SupportedActions.supported_actions}"
             )
 
@@ -97,10 +99,9 @@ def __init__(self) -> None:
             self.comment_body = os.getenv("REVIEW_COMMENT_BODY", "")
         self.last_commit = list(self.pr.get_commits())[-1]
         self.last_commit_sha = self.last_commit.sha
-
         self.verify_labeler_config()
 
-    def verify_allowed_user(self) -> None:
+    def verify_allowed_user(self) -> bool:
         org: Organization = self.gh_client.get_organization("opendatahub-io")
         # slug is the team name with replaced special characters,
         # all words to lowercase and spaces replace with a -
@@ -109,9 +110,10 @@ def verify_allowed_user(self) -> None:
             # check if the user is a member of opendatahub-tests-contributors
             membership = team.get_team_membership(member=self.user_login)
             LOGGER.info(f"User {self.user_login} is a member of the test contributor team. {membership}")
+            return True
         except UnknownObjectException:
             LOGGER.error(f"User {self.user_login} is not allowed for this action. Exiting.")
-            sys.exit(0)
+            return False
 
     def verify_labeler_config(self) -> None:
         if self.action == self.SupportedActions.add_remove_labels_action_name and self.event_name in (
@@ -131,9 +133,13 @@ def run_pr_label_action(self) -> None:
         if self.action == self.SupportedActions.pr_size_action_name:
             self.set_pr_size()
 
+        if self.action == self.SupportedActions.build_push_pr_image_action_name:
+            if not self.verify_allowed_user():
+                sys.exit(1)
+
         if self.action == self.SupportedActions.add_remove_labels_action_name:
-            self.verify_allowed_user()
-            self.add_remove_pr_labels()
+            if self.verify_allowed_user():
+                self.add_remove_pr_labels()
 
         if self.action == self.SupportedActions.welcome_comment_action_name:
             self.add_welcome_comment_set_assignee()

docs/GITHUB_WORKFLOWS.md

@@ -10,9 +10,12 @@
 
 ### On user action
 - Add to or remove a label from PR; supported labels: `wip`, `lgtm`, `verified`, and `hold`.  
-  To add a new label, add `/<label name>` in a comment.  
-  To remove a label, add `/<label name> cancel` in a comment.  
+- To add a new label, add `/<label name>` in a comment.  
+- To remove a label, add `/<label name> cancel` in a comment.  
   `verified` and `lgtm` are removed on new commits.
+- To build and push image to quay, add `/build-push-pr-image` in a comment.
+  This would create an image with tag pr-<pr_number> to quay repository. This image tag,
+  however would be deleted on PR merge or close action.
 
 ## How to add a new workflow
 1. Create a new file in `.github/workflows` directory.
@@ -25,7 +28,6 @@
 ## To be added
 - Block merging if not all defined checks pass. For example: a `verified` label was added and at least 2 approvals.
 - When a PR is opened, add reviewers (requires updates to OWNERS file(s))
-- When a PR is reviewed/commented by a user who's not the PR owner, add `reviewed|commented|approved-by-<username>` label
 - When a PR is ready to be merged (all checks passed), add `ready-to-merge` label
 - If a label is missing from the repository (i.e was manually deleted), add it back (label colors should be defined as well)
 - Tests

tests/model_registry/conftest.py

@@ -12,7 +12,6 @@
 from ocp_resources.deployment import Deployment
 
 from ocp_resources.model_registry import ModelRegistry
-import schemathesis.schemas
 from schemathesis.specs.openapi.schemas import BaseOpenAPISchema
 from schemathesis.generation.stateful.state_machine import APIStateMachine
 from schemathesis.core.transport import Response

tests/model_registry/rbac/conftest.py

@@ -0,0 +1,172 @@
+import pytest
+import shlex
+import subprocess
+import os
+from typing import Generator, List, Dict, Any
+from ocp_resources.namespace import Namespace
+from ocp_resources.service_account import ServiceAccount
+from ocp_resources.role_binding import RoleBinding
+from ocp_resources.role import Role
+from kubernetes.dynamic import DynamicClient
+from pyhelper_utils.shell import run_command
+from tests.model_registry.utils import generate_random_name, generate_namespace_name
+from simple_logger.logger import get_logger
+from tests.model_registry.constants import MR_INSTANCE_NAME
+
+
+LOGGER = get_logger(name=__name__)
+DEFAULT_TOKEN_DURATION = "10m"
+
+
+@pytest.fixture(scope="function")
+def sa_namespace(request: pytest.FixtureRequest, admin_client: DynamicClient) -> Generator[Namespace, None, None]:
+    """
+    Creates a temporary namespace using a context manager for automatic cleanup.
+    Function scope ensures a fresh namespace for each test needing it.
+    """
+    test_file = os.path.relpath(request.fspath.strpath, start=os.path.dirname(__file__))
+    ns_name = generate_namespace_name(file_path=test_file)
+    LOGGER.info(f"Creating temporary namespace: {ns_name}")
+    with Namespace(client=admin_client, name=ns_name) as ns:
+        ns.wait_for_status(status=Namespace.Status.ACTIVE, timeout=120)
+        yield ns
+
+
+@pytest.fixture(scope="function")
+def service_account(admin_client: DynamicClient, sa_namespace: Namespace) -> Generator[ServiceAccount, None, None]:
+    """
+    Creates a ServiceAccount within the temporary namespace using a context manager.
+    Function scope ensures it's tied to the lifetime of sa_namespace for that test.
+    """
+    sa_name = generate_random_name(prefix="mr-test-user")
+    LOGGER.info(f"Creating ServiceAccount: {sa_name} in namespace {sa_namespace.name}")
+    with ServiceAccount(client=admin_client, name=sa_name, namespace=sa_namespace.name, wait_for_resource=True) as sa:
+        yield sa
+
+
+@pytest.fixture(scope="function")
+def sa_token(service_account: ServiceAccount) -> str:
+    """
+    Retrieves a short-lived token for the ServiceAccount using 'oc create token'.
+    Function scope because token is temporary and tied to the SA for that test.
+    """
+    sa_name = service_account.name
+    namespace = service_account.namespace
+    LOGGER.info(f"Retrieving token for ServiceAccount: {sa_name} in namespace {namespace}")
+    try:
+        cmd = f"oc create token {sa_name} -n {namespace} --duration={DEFAULT_TOKEN_DURATION}"
+        LOGGER.debug(f"Executing command: {cmd}")
+        res, out, err = run_command(command=shlex.split(cmd), verify_stderr=False, check=True, timeout=30)
+        token = out.strip()
+        if not token:
+            raise ValueError("Retrieved token is empty after successful command execution.")
+
+        LOGGER.info(f"Successfully retrieved token for SA '{sa_name}'")
+        return token
+
+    except Exception as e:  # Catch all exceptions from the try block
+        error_type = type(e).__name__
+        log_message = (
+            f"Failed during token retrieval for SA '{sa_name}' in namespace '{namespace}'. "
+            f"Error Type: {error_type}, Message: {str(e)}"
+        )
+        if isinstance(e, subprocess.CalledProcessError):
+            # Add specific details for CalledProcessError
+            # run_command already logs the error if log_errors=True and returncode !=0,
+            # but we can add context here.
+            stderr_from_exception = e.stderr.strip() if e.stderr else "N/A"
+            log_message += f". Exit Code: {e.returncode}. Stderr from exception: {stderr_from_exception}"
+        elif isinstance(e, subprocess.TimeoutExpired):
+            timeout_value = getattr(e, "timeout", "N/A")
+            log_message += f". Command timed out after {timeout_value} seconds."
+        elif isinstance(e, FileNotFoundError):
+            # This occurs if 'oc' is not found.
+            # e.filename usually holds the name of the file that was not found.
+            command_not_found = e.filename if hasattr(e, "filename") and e.filename else shlex.split(cmd)[0]
+            log_message += f". Command '{command_not_found}' not found. Is it installed and in PATH?"
+
+        LOGGER.error(log_message, exc_info=True)  # exc_info=True adds stack trace to the log
+        raise
+
+
+# --- RBAC Fixtures ---
+
+
+@pytest.fixture(scope="function")
+def mr_access_role(
+    admin_client: DynamicClient,
+    model_registry_namespace: str,
+    sa_namespace: Namespace,
+) -> Generator[Role, None, None]:
+    """
+    Creates the MR Access Role using direct constructor parameters and a context manager.
+    """
+    role_name = f"registry-user-{MR_INSTANCE_NAME}-{sa_namespace.name[:8]}"
+    LOGGER.info(f"Defining Role: {role_name} in namespace {model_registry_namespace}")
+
+    role_rules: List[Dict[str, Any]] = [
+        {
+            "apiGroups": [""],
+            "resources": ["services"],
+            "resourceNames": [MR_INSTANCE_NAME],  # Grant access only to the specific MR service object
+            "verbs": ["get"],
+        }
+    ]
+    role_labels = {
+        "app.kubernetes.io/component": "model-registry-test-rbac",
+        "test.opendatahub.io/namespace": sa_namespace.name,
+    }
+
+    LOGGER.info(f"Attempting to create Role: {role_name} with rules and labels.")
+    with Role(
+        client=admin_client,
+        name=role_name,
+        namespace=model_registry_namespace,
+        rules=role_rules,
+        label=role_labels,
+        wait_for_resource=True,
+    ) as role:
+        LOGGER.info(f"Role {role.name} created successfully.")
+        yield role
+        LOGGER.info(f"Role {role.name} deletion initiated by context manager.")
+
+
+@pytest.fixture(scope="function")
+def mr_access_role_binding(
+    admin_client: DynamicClient,
+    model_registry_namespace: str,
+    mr_access_role: Role,
+    sa_namespace: Namespace,
+) -> Generator[RoleBinding, None, None]:
+    """
+    Creates the MR Access RoleBinding using direct constructor parameters and a context manager.
+    """
+    binding_name = f"{mr_access_role.name}-binding"
+
+    LOGGER.info(
+        f"Defining RoleBinding: {binding_name} linking Group 'system:serviceaccounts:{sa_namespace.name}' "
+        f"to Role '{mr_access_role.name}' in namespace {model_registry_namespace}"
+    )
+    binding_labels = {
+        "app.kubernetes.io/component": "model-registry-test-rbac",
+        "test.opendatahub.io/namespace": sa_namespace.name,
+    }
+
+    LOGGER.info(f"Attempting to create RoleBinding: {binding_name} with labels.")
+    with RoleBinding(
+        client=admin_client,
+        name=binding_name,
+        namespace=model_registry_namespace,
+        # Subject parameters
+        subjects_kind="Group",
+        subjects_name=f"system:serviceaccounts:{sa_namespace.name}",
+        subjects_api_group="rbac.authorization.k8s.io",  # This is the default apiGroup for Group kind
+        # Role reference parameters
+        role_ref_kind="Role",
+        role_ref_name=mr_access_role.name,
+        label=binding_labels,
+        wait_for_resource=True,
+    ) as binding:
+        LOGGER.info(f"RoleBinding {binding.name} created successfully.")
+        yield binding
+        LOGGER.info(f"RoleBinding {binding.name} deletion initiated by context manager.")