From 88562ce3dfa1abac8d375f6a52a60b99411ce5b0 Mon Sep 17 00:00:00 2001 From: Adam Roberts Date: Tue, 5 Nov 2024 15:06:41 -0500 Subject: [PATCH 1/2] ci(rh-shield-operator): enhance operator release pipeline The old pipeline would simply build and push the operator and bundle images. This was a start, but left numerous manual steps to get the Operator itself certified. The changes in this PR add the following enhancements to the pipeline. 1. Generate the Bundle content in the pipeline a. Run the 'make bundle' command in the pipeline as opposed to requiring it be run beforehand. b. Since the pipeline guarantees the operator image itself will be built and pushed before the bundle is generated, we can set USE_IMAGE_DIGESTS=true when running 'make bundle' to include the image checksums in the bundle. This is a requirement for certification. c. The newly generated bundle content will be 'massaged' to include the annotations required for certification that are not created by the operator-sdk. 2. Trigger preflight certification 3. Decouple the various builds and certification steps that aren't related --- .../workflows/release-rh-shield-operator.yaml | 137 ++++++++++++++++-- 1 file changed, 123 insertions(+), 14 deletions(-) diff --git a/.github/workflows/release-rh-shield-operator.yaml b/.github/workflows/release-rh-shield-operator.yaml index 1aaa393cc..a52a4f999 100644 --- a/.github/workflows/release-rh-shield-operator.yaml +++ b/.github/workflows/release-rh-shield-operator.yaml
@@ -1,18 +1,34 @@ -name: Release the Shield Operator +name: Build and Push the Shield Operator on: workflow_dispatch: - inputs: - release_version: - description: 'The version of the operator to release' - required: true - type: string + +env: + IMAGE_TAG_BASE: quay.io/sysdig/rh-shield-operator + jobs: - build-and-push: - name: Build and Push the Operator Images + determine-operator-version: + name: Get the Operator Version from the Makefile runs-on: ubuntu-latest + outputs: + release_version: ${{ steps.get-operator-version.outputs.release_version }} steps: - - name: Checkout + - name: Checkout charts repo + uses: actions/checkout@v4 + with: + fetch-depth: '1' + + - name: Get Operator Version + id: get-operator-version + run: | + echo "::set-output name=release_version::$(awk "/^VERSION/ {print $3}" Makefile)" + working-directory: rh-shield-operator + + build-operator: + name: Build the Operator Image + runs-on: ubuntu-latest + steps: + - name: Checkout charts repo uses: actions/checkout@v4 with: fetch-depth: '1' 
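Review bot: The workflow still declares no `permissions:` block, so every job — including `determine-operator-version`, which only reads the checkout — runs with the repository's default `GITHUB_TOKEN` grant, which on many repositories is read/write; add a top-level `permissions:` / `  contents: read` beside `on:` and widen it only on the job that needs more. The `Get Operator Version` step also forwards whatever `awk` prints into `release_version` with no check, so an unmatched `VERSION` line produces an empty output that downstream jobs interpolate into image references and a PR title. Fail fast before emitting the output, e.g. `test -n "$VERSION" || { echo "VERSION not found in Makefile" >&2; exit 1; }`. The rest of the `build-operator` job continues outside this hunk.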
@@ -24,10 +40,103 @@ jobs: username: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_USERNAME }} password: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_PASSWORD }} - - name: Build and Push Operator and Bundle Images - env: - IMAGE_TAG_BASE: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_IMAGE_TAG_BASE }} - VERSION: ${{ github.event.inputs.release_version }} + - name: Build and Push Operator Image + id: build-operator run: | - make docker-build docker-push bundle-build bundle-push + make docker-build docker-push working-directory: rh-shield-operator + + build-operator-bundle: + name: Build the Operator Bundle + runs-on: ubuntu-latest + needs: + - build-operator + - determine-operator-version + steps: + - name: Make Operator Bundle + # 'make bundle' uses the live image from the registry to generate the image digest + # so this step must be after the image is pushed to the registry + run: | + USE_IMAGE_DIGESTS=true make bundle + + - name: Set Labels and Annotations required for Certification on the Bundle + uses: mikefarah/yq@v4 + with: + cmd: | + yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' manifests/rh-shield-operator.clusterserviceversion.yaml + yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' metadata/annotations.yaml + yq e -i '.metadata.annotations.containerImage = (.spec.relatedImages[] | select(.name == "manager").image)' manifests/rh-shield-operator.clusterserviceversion.yaml + yq e -i '.metadata.annotations += { + "features.operators.openshift.io/cnf": "false", + "features.operators.openshift.io/cni": "false", + "features.operators.openshift.io/csi": "false", + "features.operators.openshift.io/disconnected": "false", + "features.operators.openshift.io/fips-compliant": "false", + "features.operators.openshift.io/proxy-aware": "false", + "features.operators.openshift.io/tls-profiles": "false", + "features.operators.openshift.io/token-auth-aws": "false", + "features.operators.openshift.io/token-auth-azure": "false", + 
"features.operators.openshift.io/token-auth-gcp": "false" + }' manifests/rh-shield-operator.clusterserviceversion.yaml + yq e -i '.annotations."com.redhat.openshift.versions" = "v4.8-v4.17"' metadata/annotations.yaml + + - name: Open Pull Request for Bundle update + uses: peter-evans/create-pull-request@v7.0.5 + id: open-pr + with: + token: ${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }} + commit-message: | + "chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}" + title: | + "chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}" + body: | + This is an automated pull request that is generated as a part of the rh-shield-operator release pipeline. + The changes here update the bundle metadata using the newly published Operator image to generate the + image checksum, as well as adjusting some metadata that is required for certification. + + - name: Wait for PR to be merged + shell: bash + run: | + echo "Waiting for PR ${{ steps.open-pr.outputs.pull-request-url }} to be merged..." + + PR_STATUS=$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state) + + timeout 2h bash -c 'until [[ "$PR_STATUS" == "MERGED" ]]; do + echo "PR not merged yet, waiting 10s..." + sleep 10 + PR_STATUS="$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state)" + done' + + if [[ "$PR_STATUS" != "MERGED" ]]; then + echo "PR was not merged in time. Check ${{ steps.open-pr.outputs.pull-request-url }} for more information." + exit 1 + else + echo "PR was merged!" 
+ fi + + - name: Build and Push Bundle Image + run: | + make bundle-build bundle-push + working-directory: rh-shield-operator + + certify-operator-image: + name: Certify the Operator Image with Preflight + runs-on: ubuntu-latest + needs: + - build-operator + - determine-operator-version + steps: + - name: Install Preflight + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: "github" + preflight: "latest" + github_pat: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Preflight checks + run: | + preflight check container \ + --pyxis-api-token=${{ secrets.RH_SHIELD_OPERATOR_PYXIS_API_TOKEN }} \ + --certification-project-id=${{ secrets.RH_SHIELD_OPERATOR_CERTIFICATION_PROJECT_ID }} \ + --submit \ + ${{ env.IMAGE_TAG_BASE }}:${{ steps.determine-operator-version.outputs.release_version }} From f0847e07ab588dbd4844b801a896c36cbd7f743d Mon Sep 17 00:00:00 2001 From: Adam Roberts Date: Fri, 6 Dec 2024 15:15:50 -0500 Subject: [PATCH 2/2] chore(rh-shield-operator): address PR comments * migrate custom script to use Wandalen/wretry.action action * correct pathing in the yq step for the bundle * remove the requirement to specify the operator version --- .../workflows/release-rh-shield-operator.yaml | 72 +++++++++---------- 1 file changed, 35 insertions(+), 37 deletions(-) diff --git a/.github/workflows/release-rh-shield-operator.yaml b/.github/workflows/release-rh-shield-operator.yaml index a52a4f999..d3151fda3 100644 --- a/.github/workflows/release-rh-shield-operator.yaml +++ b/.github/workflows/release-rh-shield-operator.yaml @@ -3,12 +3,9 @@ name: Build and Push the Shield Operator on: workflow_dispatch: -env: - IMAGE_TAG_BASE: quay.io/sysdig/rh-shield-operator - jobs: determine-operator-version: - name: Get the Operator Version from the Makefile + name: Determine the Operator Version runs-on: ubuntu-latest outputs: release_version: ${{ steps.get-operator-version.outputs.release_version }} 
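Review bot: The `commit-message` and `title` of the `Open Pull Request for Bundle update` step reference `steps.determine-operator-version.outputs.release_version`, but `determine-operator-version` is a separate job, not a step in this job, so the expression expands to empty and the PR is titled `update bundle for rh-shield-operator:v`; the reference must be `needs.determine-operator-version.outputs.release_version` (the preflight step at the end of the hunk has the same `steps.` mistake). Separately, `TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN` is, by its name, an admin-scoped credential being used only to open a pull request; a fine-grained token or GitHub App installation token limited to `contents: write` and `pull-requests: write` on this repository would bound what a compromised runner or a re-pointed action tag could do with it. The `Run Preflight checks` step also places the Pyxis API token in the command line, where it is visible to any process on the runner via the process table; prefer passing it through the environment.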
@@ -21,7 +18,9 @@ jobs: - name: Get Operator Version id: get-operator-version run: | - echo "::set-output name=release_version::$(awk "/^VERSION/ {print $3}" Makefile)" + VERSION=$(awk '/^VERSION/{print $3}' Makefile) + echo "Discovered release version is $VERSION" + echo "release_version=$VERSION" >> $GITHUB_OUTPUT working-directory: rh-shield-operator build-operator: 
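Review bot: The pattern `/^VERSION/` in the `Get Operator Version` step also matches any Makefile variable whose name merely starts with `VERSION`, and `$3` is empty whenever the assignment is written without spaces around `=`, so `release_version` can silently be wrong or blank and is then used verbatim in image tags and a PR title. Anchor the match on the assignment and strip everything up to the value instead of relying on field position: `VERSION=$(awk '/^VERSION[[:space:]]*[?:]?=/{sub(/^[^=]*=[[:space:]]*/, ""); print}' Makefile)`. Then reject anything that is not version-shaped before writing the output, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "unexpected VERSION '$VERSION'" >&2; exit 1; }`, and quote the redirect target as `>> "$GITHUB_OUTPUT"`.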
@@ -53,19 +52,26 @@ jobs: - build-operator - determine-operator-version steps: - - name: Make Operator Bundle - # 'make bundle' uses the live image from the registry to generate the image digest - # so this step must be after the image is pushed to the registry + - name: Checkout charts repo + uses: actions/checkout@v4 + with: + fetch-depth: '1' + + - name: Generate Bundle Content + # When using 'USE_IMAGE_DIGEST' the 'make bundle' command inspects the live operator image from the registry + # in order to generate the image digest. As a result, this step must be after the operator image has been + # generated and pushed to the registry. run: | USE_IMAGE_DIGESTS=true make bundle + working-directory: rh-shield-operator - name: Set Labels and Annotations required for Certification on the Bundle uses: mikefarah/yq@v4 with: cmd: | - yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' manifests/rh-shield-operator.clusterserviceversion.yaml - yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' metadata/annotations.yaml - yq e -i '.metadata.annotations.containerImage = (.spec.relatedImages[] | select(.name == "manager").image)' manifests/rh-shield-operator.clusterserviceversion.yaml + yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml + yq e -i '.annotations."operators.operatorframework.io.bundle.package.v1" |= sub("rh-shield-operator", "sysdig-shield-operator")' rh-shield-operator/bundle/metadata/annotations.yaml + yq e -i '.metadata.annotations.containerImage = (.spec.relatedImages[] | select(.name == "manager").image)' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml yq e -i '.metadata.annotations += { "features.operators.openshift.io/cnf": "false", "features.operators.openshift.io/cni": "false", 
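Review bot: The `yq` line that sets `.metadata.annotations.containerImage` from `.spec.relatedImages[] | select(.name == "manager")` silently writes `null` if the generated CSV has no relatedImage named `manager`, and nothing in this job checks that the value is the digest-pinned reference certification requires. Add an assertion immediately after it so the job fails here rather than at certification time: `yq -e '.metadata.annotations.containerImage | test("@sha256:[0-9a-f]{64}$")' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml`. Note also that, per the step's own comment, `make bundle` resolves the digest by inspecting the tag in the registry after `build-operator` pushed it; tags are mutable, so a push to the same tag between the two jobs would be pinned into the bundle unnoticed — having `build-operator` export the pushed digest as a job output and comparing it here would close that window.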
@@ -77,11 +83,11 @@ jobs: "features.operators.openshift.io/token-auth-aws": "false", "features.operators.openshift.io/token-auth-azure": "false", "features.operators.openshift.io/token-auth-gcp": "false" - }' manifests/rh-shield-operator.clusterserviceversion.yaml - yq e -i '.annotations."com.redhat.openshift.versions" = "v4.8-v4.17"' metadata/annotations.yaml + }' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml + yq e -i '.annotations."com.redhat.openshift.versions" = "v4.8-v4.17"' rh-shield-operator/bundle/metadata/annotations.yaml - name: Open Pull Request for Bundle update - uses: peter-evans/create-pull-request@v7.0.5 + uses: peter-evans/create-pull-request@v7 id: open-pr with: token: ${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }} 
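Review bot: Changing `peter-evans/create-pull-request@v7.0.5` to `@v7` moves this step from a fixed release tag to a floating major tag, and this is the step that runs with `TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN`; a re-pointed tag (or a compromised maintainer account) would hand that credential to whatever the tag resolves to at run time. Pin every third-party action in this workflow — `mikefarah/yq`, `Wandalen/wretry.action`, `redhat-actions/openshift-tools-installer` and this one — to a full commit SHA with the human-readable version in a trailing comment, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v7.0.5`, and let Dependabot or Renovate bump the SHA. The `commit-message`/`title` lines that follow are outside this hunk.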
@@ -94,25 +100,12 @@ jobs: The changes here update the bundle metadata using the newly published Operator image to generate the image checksum, as well as adjusting some metadata that is required for certification. - - name: Wait for PR to be merged - shell: bash - run: | - echo "Waiting for PR ${{ steps.open-pr.outputs.pull-request-url }} to be merged..." - - PR_STATUS=$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state) - - timeout 2h bash -c 'until [[ "$PR_STATUS" == "MERGED" ]]; do - echo "PR not merged yet, waiting 10s..." - sleep 10 - PR_STATUS="$(gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state)" - done' - - if [[ "$PR_STATUS" != "MERGED" ]]; then - echo "PR was not merged in time. Check ${{ steps.open-pr.outputs.pull-request-url }} for more information." - exit 1 - else - echo "PR was merged!" - fi + - name: Wait for Pull Request to be merged + uses: Wandalen/wretry.action@v3.7.3 + with: + command: gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state | grep MERGED + attempt_limit: 240 # Results in 2 hours of waiting + attempt_delay: 30000 # 30 seconds - name: Build and Push Bundle Image run: | @@ -126,6 +119,11 @@ jobs: - build-operator - determine-operator-version steps: + - name: Checkout charts repo + uses: actions/checkout@v4 + with: + fetch-depth: '1' + - name: Install Preflight uses: redhat-actions/openshift-tools-installer@v1 with: 
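Review bot: The `Wait for Pull Request to be merged` step runs `gh pr view … | grep MERGED` with no `GH_TOKEN` in scope — neither the step nor anything visible in the job sets one — and on a hosted runner `gh` exits non-zero for missing authentication, which the pipeline cannot distinguish from "not merged yet"; the step would then retry for the full 2 hours and fail without ever saying why. Add `env:` / `  GH_TOKEN: ${{ github.token }}` to the step (a `pull-requests: read` grant suffices), and consider `grep -qx MERGED` so the match is exact and silent. The earlier shell version of this step had the same gap, so this is not a regression, but the retry action makes it costlier. The `Build and Push Bundle Image` step that follows the gate continues outside this hunk.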
@@ -135,8 +133,8 @@ jobs: - name: Run Preflight checks run: | + IMAGE_TAG_BASE=$(awk '/^IMAGE_TAG_BASE/{print $3}' Makefile) + preflight check container \ - --pyxis-api-token=${{ secrets.RH_SHIELD_OPERATOR_PYXIS_API_TOKEN }} \ - --certification-project-id=${{ secrets.RH_SHIELD_OPERATOR_CERTIFICATION_PROJECT_ID }} \ - --submit \ - ${{ env.IMAGE_TAG_BASE }}:${{ steps.determine-operator-version.outputs.release_version }} + $IMAGE_TAG_BASE:v${{ needs.determine-operator-version.outputs.release_version }} + working-directory: rh-shield-operator
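Review bot: The `Run Preflight checks` step now checks the mutable tag `$IMAGE_TAG_BASE:v<version>`, while the bundle built in the other job pins a digest via `USE_IMAGE_DIGESTS`; certification only means something for the exact bytes that were shipped, so a re-push to the tag between jobs would certify a different image than the bundle references. Resolve the digest first — e.g. `DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://$IMAGE_TAG_BASE:v${{ needs.determine-operator-version.outputs.release_version }}")` — and pass `$IMAGE_TAG_BASE@$DIGEST` to `preflight`, or read `containerImage` from the generated CSV. Separately, dropping `--submit`, `--pyxis-api-token` and `--certification-project-id` means this step no longer submits results to Red Hat even though the job is still named "Certify the Operator Image with Preflight" and the first patch lists triggering certification as a goal; if local-only checks are intended, rename the job and say so in a comment, otherwise restore the submission, supplying the token through the environment rather than on the command line so it does not appear in the process table.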