ci(rh-shield-operator): enhance operator release pipeline
The old pipeline would simply build and push the operator and bundle images. This was a start, but left numerous manual steps to get the Operator itself certified. The changes in this PR add the following enhancements to the pipeline. 1. Generate the Bundle content in the pipeline a. Run the 'make bundle' command in the pipeline as opposed to requiring it be run beforehand. b. Since the pipeline guarantees the operator image itself will be built and pushed before the bundle is generated, we can set USE_IMAGE_DIGESTS=true when running 'make bundle' to include the image checksums in the bundle. This is a requirement for certification. c. The newly generated bundle content will be 'massaged' to include the annotations required for certification that are not created by the operator-sdk. 2. Trigger preflight certification 3. Decouple the various builds and certification steps that aren't related
1 parent
f84c13a
commit 88562ce
Showing
1 changed file
with
123 additions
and
14 deletions.
@@ -1,18 +1,34 @@ | ||
name: Release the Shield Operator | ||
name: Build and Push the Shield Operator | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
release_version: | ||
description: 'The version of the operator to release' | ||
required: true | ||
type: string | ||
|
||
env: | ||
IMAGE_TAG_BASE: quay.io/sysdig/rh-shield-operator | ||
|
||
jobs: | ||
build-and-push: | ||
name: Build and Push the Operator Images | ||
determine-operator-version: | ||
name: Get the Operator Version from the Makefile | ||
runs-on: ubuntu-latest | ||
outputs: | ||
release_version: ${{ steps.get-operator-version.outputs.release_version }} | ||
steps: | ||
- name: Checkout | ||
- name: Checkout charts repo | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: '1' | ||
|
||
- name: Get Operator Version | ||
id: get-operator-version | ||
run: | | ||
echo "::set-output name=release_version::$(awk "/^VERSION/ {print $3}" Makefile)" | ||
working-directory: rh-shield-operator | ||
|
||
build-operator: | ||
name: Build the Operator Image | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout charts repo | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: '1' | ||
|
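Review bot: The awk program in the new `Get Operator Version` step is double-quoted, so the shell expands `$3` (unset inside a `run:` script) to an empty string before awk ever sees it, and the step output becomes the whole `VERSION` line instead of its third field; the command should be `awk '/^VERSION/ {print $3}' Makefile`. The `::set-output` workflow command is deprecated, so the fixed line is better written as `echo "release_version=$(awk '/^VERSION/ {print $3}' Makefile)" >> "$GITHUB_OUTPUT"`. Since the version now comes from the Makefile, the `workflow_dispatch` input `release_version` that survives as context at the top of this hunk appears to be unused — if nothing else in the file reads it, drop it or add a comment saying which value wins.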
@@ -24,10 +40,103 @@ jobs: | |
username: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_USERNAME }} | ||
password: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_PASSWORD }} | ||
|
||
- name: Build and Push Operator and Bundle Images | ||
env: | ||
IMAGE_TAG_BASE: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_IMAGE_TAG_BASE }} | ||
VERSION: ${{ github.event.inputs.release_version }} | ||
- name: Build and Push Operator Image | ||
id: build-operator | ||
run: | | ||
make docker-build docker-push bundle-build bundle-push | ||
make docker-build docker-push | ||
working-directory: rh-shield-operator | ||
|
||
build-operator-bundle: | ||
name: Build the Operator Bundle | ||
runs-on: ubuntu-latest | ||
needs: | ||
- build-operator | ||
- determine-operator-version | ||
steps: | ||
- name: Make Operator Bundle | ||
# 'make bundle' uses the live image from the registry to generate the image digest | ||
# so this step must be after the image is pushed to the registry | ||
run: | | ||
USE_IMAGE_DIGESTS=true make bundle | ||
- name: Set Labels and Annotations required for Certification on the Bundle | ||
uses: mikefarah/yq@v4 | ||
with: | ||
cmd: | | ||
yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' manifests/rh-shield-operator.clusterserviceversion.yaml | ||
yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' metadata/annotations.yaml | ||
yq e -i '.metadata.annotations.containerImage = (.spec.relatedImages[] | select(.name == "manager").image)' manifests/rh-shield-operator.clusterserviceversion.yaml | ||
yq e -i '.metadata.annotations += { | ||
"features.operators.openshift.io/cnf": "false", | ||
"features.operators.openshift.io/cni": "false", | ||
"features.operators.openshift.io/csi": "false", | ||
"features.operators.openshift.io/disconnected": "false", | ||
"features.operators.openshift.io/fips-compliant": "false", | ||
"features.operators.openshift.io/proxy-aware": "false", | ||
"features.operators.openshift.io/tls-profiles": "false", | ||
"features.operators.openshift.io/token-auth-aws": "false", | ||
"features.operators.openshift.io/token-auth-azure": "false", | ||
"features.operators.openshift.io/token-auth-gcp": "false" | ||
}' manifests/rh-shield-operator.clusterserviceversion.yaml | ||
yq e -i '.annotations."com.redhat.openshift.versions" = "v4.8-v4.17"' metadata/annotations.yaml | ||
- name: Open Pull Request for Bundle update | ||
uses: peter-evans/[email protected] | ||
id: open-pr | ||
with: | ||
token: ${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }} | ||
commit-message: | | ||
"chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}" | ||
title: | | ||
"chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}" | ||
body: | | ||
This is an automated pull request that is generated as a part of the rh-shield-operator release pipeline. | ||
The changes here update the bundle metadata using the newly published Operator image to generate the | ||
image checksum, as well as adjusting some metadata that is required for certification. | ||
- name: Wait for PR to be merged | ||
shell: bash | ||
run: | | ||
echo "Waiting for PR ${{ steps.open-pr.outputs.pull-request-url }} to be merged..." | ||
PR_STATUS=$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state) | ||
timeout 2h bash -c 'until [[ "$PR_STATUS" == "MERGED" ]]; do | ||
echo "PR not merged yet, waiting 10s..." | ||
sleep 10 | ||
PR_STATUS="$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state)" | ||
done' | ||
if [[ "$PR_STATUS" != "MERGED" ]]; then | ||
echo "PR was not merged in time. Check ${{ steps.open-pr.outputs.pull-request-url }} for more information." | ||
exit 1 | ||
else | ||
echo "PR was merged!" | ||
fi | ||
- name: Build and Push Bundle Image | ||
run: | | ||
make bundle-build bundle-push | ||
working-directory: rh-shield-operator | ||
|
||
certify-operator-image: | ||
name: Certify the Operator Image with Preflight | ||
runs-on: ubuntu-latest | ||
needs: | ||
- build-operator | ||
- determine-operator-version | ||
steps: | ||
- name: Install Preflight | ||
uses: redhat-actions/openshift-tools-installer@v1 | ||
with: | ||
source: "github" | ||
preflight: "latest" | ||
github_pat: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Run Preflight checks | ||
run: | | ||
preflight check container \ | ||
--pyxis-api-token=${{ secrets.RH_SHIELD_OPERATOR_PYXIS_API_TOKEN }} \ | ||
--certification-project-id=${{ secrets.RH_SHIELD_OPERATOR_CERTIFICATION_PROJECT_ID }} \ | ||
--submit \ | ||
${{ env.IMAGE_TAG_BASE }}:${{ steps.determine-operator-version.outputs.release_version }} |
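Review bot: `steps.determine-operator-version.outputs.release_version` resolves to an empty string in `build-operator-bundle` and `certify-operator-image`, because `determine-operator-version` is a job listed under `needs`, not a step of those jobs; the PR commit message, the PR title and the preflight image reference (which becomes `quay.io/sysdig/rh-shield-operator:` with no tag) all need `${{ needs.determine-operator-version.outputs.release_version }}`. The `Wait for PR to be merged` step also cannot succeed after a real wait: `PR_STATUS` is reassigned only inside `timeout 2h bash -c '…'`, so the outer shell still holds the first value and the final check exits 1 even once the PR is merged, and `gh` has no `GH_TOKEN` in its environment; a rewrite that relies on timeout's exit status is below. `build-operator-bundle` has no checkout step and neither the `make bundle` nor the `yq` step sets `working-directory`, so they run against an empty workspace — presumably the checkout and `rh-shield-operator` paths used in `build-operator` were meant to be repeated here. Lastly, the Pyxis token and certification project id are interpolated straight into the `preflight` command line, where they are visible to any process on the runner and in the step's expanded script; pass them through `env:` instead (preflight reads `PFLT_PYXIS_API_TOKEN` / `PFLT_CERTIFICATION_PROJECT_ID`, if this version supports them) and reference the variables from the script.
```yaml
      - name: Wait for PR to be merged
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}
          PR_NUMBER: ${{ steps.open-pr.outputs.pull-request-number }}
        run: |
          # A variable set inside `bash -c` never reaches this shell, so the
          # exit status of timeout is the only reliable signal that the loop ended.
          if ! timeout 2h bash -c 'until [[ "$(gh pr view "$PR_NUMBER" --json state -q .state)" == "MERGED" ]]; do
            echo "PR not merged yet, waiting 10s..."
            sleep 10
          done'; then
            echo "PR was not merged in time. Check ${{ steps.open-pr.outputs.pull-request-url }} for more information."
            exit 1
          fi
          echo "PR was merged!"
      # … unchanged: Build and Push Bundle Image step …
```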