Make openshift-ci green 😇

- Update Makefile
- Add required files (for openshift-ci to work)
- Update e2e to not do secrets management

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>

.github/dependabot.yaml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/test.yaml

@@ -7,7 +7,7 @@ on:
       - "*"
     branches:
       - main
-  pull_request:
+  pull_request_target:
     branches:
       - main
 
@@ -24,19 +24,35 @@ jobs:
         run: make test-integration
 
   test-e2e:
+    strategy:
+      fail-fast: false # Keep running if one leg fails.
+      matrix:
+        pipeline-version:
+        - v0.44.5
+        - v0.47.5
+        - v0.50.5
+        - v0.53.2
+        - latest
     runs-on: ubuntu-latest
     needs:
       - test-integration
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: registry.redhat.io
+          username: ${{ secrets.REGISTRY_REDHAT_USERNAME }}
+          password: ${{ secrets.REGISTRY_REDHAT_TOKEN }}
+
       - uses: azure/setup-helm@v3
 
       # instantiate a KinD (Kubernetes in Docker) cluster, installs `kubectl` and configures the
       # `kubeconfig` to reach the local cluster
-      - uses: helm/kind-action@v1.5.0
+      - uses: helm/kind-action@v1.8.0
         with:
           cluster_name: kind
           wait: 120s
@@ -45,9 +61,16 @@ jobs:
       # settings to reach it during testing
       - uses: openshift-pipelines/setup-tektoncd@v1
         with:
-          pipeline_version: v0.41.0
-          cli_version: v0.29.1
+          pipeline_version: ${{ matrix.pipeline-version }}
 
       # running end-to-end test target
       - name: test-e2e
-        run: make test-e2e
+        run: |
+          set -Eeuo pipefail
+          kubectl delete secret regcred || true
+          kubectl create secret generic regcred \
+            --from-file=.dockerconfigjson=$HOME/.docker/config.json \
+          --type=kubernetes.io/dockerconfigjson
+          kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
+          make test-e2e
+

Makefile

@@ -87,6 +87,17 @@ test-integration:
 test-e2e: task-git workspace-source-pvc install
 	$(BATS_CORE) $(BATS_FLAGS) $(ARGS) $(E2E_TESTS)
 
+# Run all the end-to-end tests against the current openshift context.
+# It is used mainly by the CI and ideally shouldn't differ that much from test-e2e
+.PHONY: prepare-e2e-openshift
+prepare-e2e-openshift:
+	./hack/install-osp.sh $(OSP_VERSION)
+.PHONY: test-e2e-openshift
+test-e2e-openshift: prepare-e2e-openshift
+test-e2e-openshift: REGISTRY_URL = image-registry.openshift-image-registry.svc.cluster.local:5000
+test-e2e-openshift: REGISTRY_NAMESPACE = $(shell oc project -q)
+test-e2e-openshift: test-e2e
+
 # act runs the github actions workflows, so by default only running the test workflow (integration
 # and end-to-end) to avoid running the release workflow accidently
 act: ARGS = --rm --workflows=./.github/workflows/test.yaml

OWNERS

@@ -0,0 +1,8 @@
+reviewers:
+  - vdemeester
+  - otaviof
+  - concaf
+approvers:
+  - vdemeester
+  - otaviof
+  - concaf

ci/bin/entrypoint

@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+
+if ! whoami &>/dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME}:x:$(id -u):$(id -g):${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec ${ENTRY_CMD} $@

ci/bin/user_setup

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -x
+
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+mkdir -p ${HOME}
+chown -R ${USER_UID}:0 ${HOME}
+chmod ug+rwx ${HOME}
+chmod -R uga+rw ${HOME}
+
+# runtime user will need to be able to self-insert in /etc/passwd
+chmod uga+rw /etc/passwd
+
+# no need for this script to remain in the image after running
+rm $0

ci/ci.Dockerfile

@@ -0,0 +1,22 @@
+# This Docerfile is the environment where the test will be run in.
+FROM registry.ci.openshift.org/openshift/release:golang-1.20
+
+# Add kubernetes repository
+ADD ci/kubernetes.repo /etc/yum.repos.d/
+
+RUN yum install -y kubectl httpd-tools jq make git which
+RUN  rpm -Uvh https://github.com/tektoncd/cli/releases/download/v0.33.0/tektoncd-cli-0.33.0_Linux-64bit.rpm
+
+# Serverless-Operator `make generated-files` needs helm
+RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+RUN GOFLAGS='' go install github.com/mikefarah/yq/v3@latest
+
+# go install creates $GOPATH/.cache with root permissions, we delete it here
+# to avoid permission issues with the runtime users
+RUN rm -rf $GOPATH/.cache
+
+# Allow runtime users to add entries to /etc/passwd
+RUN chmod g+rw /etc/passwd
+
+ADD . .

ci/kubernetes.repo

@@ -0,0 +1,7 @@
+[kubernetes]
+name=Kubernetes
+baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
+enabled=1
+gpgcheck=1
+repo_gpgcheck=0
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

hack/install-osp.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+# Install OpenShift Pipelines on the current cluster
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+readonly export DEPLOYMENT_TIMEOUT="${DEPLOYMENT_TIMEOUT:-5m}"
+
+function fail() {
+    echo "ERROR: ${*}" >&2
+    exit 1
+}
+
+function rollout_status() {
+    local namespace="${1}"
+    local deployment="${2}"
+
+    if ! kubectl --namespace="${namespace}" --timeout=${DEPLOYMENT_TIMEOUT} \
+         rollout status deployment "${deployment}"; then
+        fail "'${namespace}/${deployment}' is not deployed as expected!"
+    fi
+}
+
+function install_channel() {
+    local channel="${1}"
+    echo "Installing OpenShift Pipelines from channel ${channel}"
+    cat <<EOF | oc apply -f-
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-pipelines-operator-rh
+  namespace: openshift-operators
+spec:
+  channel: ${channel}
+  name: openshift-pipelines-operator-rh
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+EOF
+}
+
+function install_nightly() {
+    oc patch operatorhub.config.openshift.io/cluster -p='{"spec":{"disableAllDefaultSources":true}}' --type=merge
+    sleep 2
+    # Add a custom catalog-source
+    cat <<EOF | oc apply -f-
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:                      
+  name: custom-osp-nightly
+  namespace: openshift-marketplace         
+spec:                                                                                                                                                                                                                                                
+  sourceType: grpc                     
+  image: quay.io/openshift-pipeline/openshift-pipelines-operator-index:1.10
+  displayName: "Custom OSP Nightly"
+  updateStrategy:
+    registryPoll:
+      interval: 30m                                                                                                                                                                                                                                  
+EOF
+    sleep 10
+    # Create the "correct" subscription
+    oc delete subscription pipelines -n openshift-operators || true
+    cat <<EOF | oc apply -f-
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-pipelines-operator
+  namespace: openshift-operators
+spec:
+  channel: latest
+  name: openshift-pipelines-operator-rh
+  source: custom-osp-nightly
+  sourceNamespace: openshift-marketplace
+EOF
+}
+
+OSP_VERSION=${1:-latest}
+shift
+
+case "$OSP_VERSION" in
+    nightly)
+	install_nightly
+	;;
+    latest)
+	install_channel latest
+	;;
+    *)
+	install_channel "pipelines-$OSP_VERSION"
+	;;
+esac
+
+# wait until tekton pipelines operator is created
+echo "Waiting for OpenShift Pipelines Operator to be created..."
+timeout 2m bash <<- EOF
+  until oc get deployment openshift-pipelines-operator -n openshift-operators; do
+    sleep 5
+  done
+EOF
+oc rollout status -n openshift-operators deployment/openshift-pipelines-operator --timeout 10m
+
+# wait until clustertasks tekton CRD is properly deployed
+timeout 10m bash <<- EOF
+  until oc get crd tasks.tekton.dev; do
+    sleep 5
+  done
+EOF
+
+timeout 2m bash <<- EOF
+  until oc get deployment tekton-pipelines-controller -n openshift-pipelines; do
+    sleep 5
+  done
+EOF
+rollout_status "openshift-pipelines" "tekton-pipelines-controller"
+rollout_status "openshift-pipelines" "tekton-pipelines-webhook"
+
+oc get -n openshift-pipelines pods
+tkn version
+
+# Make sure we are on the default project
+oc new-project e2e-test
+oc project e2e-test