[ISV-933] Merge the operator-pipeline-images code to operator-pipeline code (#157)

* Initial commit

* Add script for building bundle dockerfile

The simple CLI tool is added that is capable to generate a bundle
dockerfile from bundle metadata.

JIRA: ISV-777
Signed-off-by: Ales Raszka <[email protected]>

* Add github action to build and push an image

Github action is configured to build and push image to quay registry.

* Use black formatter in actions

Python black formatter is used in github actions to check a python code
format.

* Add operator-sdk cli tool

The operator-sdk tool is used to verify a new bundles in operator
pipeline.

JIRA: 848

* Add jq and yq tools

These tools are used in pipelines to parse yaml and json files.

* Add xargs dependency

xargs is used in operator CI pipeline.

* Add a script to get pertinent OCP version info

Refactored the python scripts into a library with lightweight
entrypoints to make it easier to test. The existing bundle_dockerfile.py
script has a new way to invoke it. It's excluded from code coverage
until components of it are moved into the library.

* Add a .gitignore

* Run tox in GitHub Actions

* Load requirements from dedicated files

* Cover a couple more failure conditions with unit tests

* Add more gitignore rules

* Keep utils.py minimal

* Add opm CLI

* Use a common annotations function in the bundle-dockerfile script

* added script that checks the changed directories

* added docstrings

* removed wrong default param

* moved functions to proper file, added unit tests

* better function name and docstring

* not allowing the ci.yaml to be in operator root directory

* using the git url to retrieve org and repo names

* removed colorful logs, applying comments

* black format

* deserializing response after checking http error

* changed last occurence of operator_version to bundle_version

* Add a test data for result preflight upload

This commit contains a test data that can be used to mock a preflight
output and upload to Pyxis.

* allowing changing the ci.yaml on the operator level

* removing repository prefix

* change in unit tests

* accepting only ssh links to repository

* workaround tekton bug, which adds the \n to results

* changed underscores to dashes in the script arguments

* applying comments

* using only strip instead of lstrip and rstrip

* Add script for uploading artifacts

The script uploads test artifacts using Pyxis API.

JIRA: ISV-883

* rebase from main

* script to validate operator submission

* can't run package as a script

* rebase from main

* storing regex as rawstring to avoid warning on invalid escape sequence

* applying comments

* applying comments- spell pull request, allow choice of github organisation

* Add manual release action

The action creates a new tag, release and container build. The build is
pushed to remote registry.

JIRA: ISV-920

* Upload pipeline logs

The script for uploading results and artifacts is extended to also
upload a pipeline logs.

JIRA: ISV-927

* Add script to reserve operator package name

* rebase from main

* script doesn't fail in case of PR with wrong regex

* added unit test

* black format

* fixing changes after rebase

* Enable cert auth in uploading script

Artifact upload script now support both API key and cert based auth.
The auth method is controlled by env variables.

JIRA: ISV-974

* added script to get the preflight results

* change script name from get_preflight_results to download_artifacts

* returning results and logs ids from the script

* black

* enhanced comments

* allowing empty results

* black format

* downloading only test results

* removing unnecessary result and gitignore entry

* using the new approach to connect to Pyxis

* applying comments

* applying comment- empty line at the end of the file

* Log association name when operator name is taken by another association

This was suggested during the community meeting to help with debugging.
Privacy was not a concern since there's not much one can do with
just the assocation name without the right API key.

* Add script to update github status

* Add script to update github status

* Add script for opening Github PR

The script opens a pull request in a github. The script will be used in
CI pipeline.

JIRA: ISV-860

* added script to get project related data

* added scripts to retrieve the vendor related data and cert project related data

* storing whole queried object as result

* Add publishing script

This commit adds new publishing cli tool that publishes vendor and
repository.

JIRA: ISV-991

* anything can be bundle version- not only semver

* changed one letter to uppercase, black format

* updated tests

* Accepting https and ssh schema in verify_changed_dirs step (#23)

* accepting https and ssh schema in verify_changed_dirs step

* black format

* Verifying the user submitting the bundle (#24)

* verifying the user who submitted the bundle

* using the list of contacts instead of file with contacts as an argument

* black format

* [ISV-749] Update the download_test_results function (#25)

* [ISV-914] Update the download_test_results function

* [ISV-914] Add github comment on PR script

* [ISV-914] Remove github comment on PR script

* Remove unused field

Co-authored-by: haripate <>

* Add script to examine statuses from hydra checklist API

* Add script for creation of ContainerImage (#26)

* added script to create ContainerImage

* black format

* applying comments

* black format

* applying comments- simplifying logic

* black format

* adding parsed_data to created image

* added unit test

* making the tag non- floating

* removing latest tag via PUT

* iterating over the tags a bit more nicely

* applying comments

* accepting podman results

* Modify hydra checklist script to use proxy for preprod

Preprod hydra cannot be accessed directly due to the Akamai preprod
lockdown, so a proxy needs to be set up.

* The ocp-version-info script can now retrieve marketplace indices

* installing yamllint in Dockerfile

* [ISV-871][ISV-873] Write a script to update the certProject related data (#29)

* Write a script to update the certProject related data

* Update the certification_time field value

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

Co-authored-by: haripate <>

* [ISV-871][ISV-873] Fix up the date time format (#34)

* Write a script to update the certProject related data

* Update the certification_time field value

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the date time format

Co-authored-by: haripate <>

* [ISV-871][ISV-873] Fix up the update cert project status function (#35)

* Write a script to update the certProject related data

* Update the certification_time field value

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the function name

* Fix up the date time format

* [ISV-871][ISV-873] Fix up the update cert project status function

Co-authored-by: haripate <>

* [ISV-993] Add index cli tool (#27)

* [ISV-1056] Upload artifacts with file size

* Remove unused operator-sdk

* [ISV-1219] Add target_url to the set_github_status function (#38)

Co-authored-by: haripate <>

* Install gnupg to container image

Gnugp is used to decrypt project secrets.

JIRA: ISV-1205

* Add script to call IBM webhook to trigger marketplace replication

* properly logging the results

* added the code documentation

* Update way to get relatedImages

* Code review comments: use organization as arg instead of git-repo-url

* splitting the validate submission script into the components of it

* black format

* Rename 'production' to 'prod'

To align recent changes in pipeline repo we have to rename prod
environment naming.

* Add origin-clients dep to run oc

* proper head and base (#43)

* Revert "proper head and base (#43)" (#44)

This reverts commit cb49a43.

* Fix up the pipeline errors

* Fix up the pipeline errors

* Fix up the pipeline errors

* Fix up the pipeline errors

* Fix up the pipeline errors

* Fix up the pipeline errors

* Update the merged repo format

* Update the merged repo format

* Update the merged repo format

* Update the merged repo format

* Update the merged repo format

* Update the merged repo format

* Test on pipeline

* Test on pipeline

* Test on pipeline

* Testing the merged repo

* Testing the merged repo

* Final test of the merged repo

* Final test of the merged repo

Co-authored-by: MarcinGinszt <[email protected]>
Co-authored-by: Ales Raszka <[email protected]>
Co-authored-by: Alex Misstear <[email protected]>
Co-authored-by: [email protected] <[email protected]>
Co-authored-by: Wai Cheang <[email protected]>
Co-authored-by: Jan Koscielniak <[email protected]>
Co-authored-by: haripate <>

Author: 6 people

.coveragerc

@@ -0,0 +1,6 @@
+[run]
+source = operator-pipeline-images/operatorcert
+omit = operator-pipeline-images/operatorcert/webhook/*
+
+[report]
+omit = operator-pipeline-images/operatorcert/entrypoints/*

.github/workflows/main-image.yml

@@ -0,0 +1,46 @@
+name: Build and Push Image
+on:  # yamllint disable-line rule:truthy
+  - push
+  - pull_request
+
+jobs:
+  test-lint:
+    name: Run unit tests and linters
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: fedora-python/[email protected]
+        with:
+          tox_env: black,test
+          dnf_install: krb5-devel krb5-workstation
+
+  build:
+    name: Build and push image
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build Image
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: operator-pipelines-images
+          tags: latest ${{ github.sha }}
+          dockerfiles: |
+            ./operator-pipeline-images/Dockerfile
+
+      - name: Push To quay.io
+        id: push-to-quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: quay.io/redhat-isv
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+        if: ${{ github.event_name == 'push' }}
+
+      - name: Print image url
+        run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
+        if: ${{ github.event_name == 'push' }}

.github/workflows/release-image.yml

@@ -0,0 +1,48 @@
+name: Release image
+
+on: workflow_dispatch
+
+jobs:
+  build:
+    name: Build and push image
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Bump version and push tag
+        id: tag_version
+        uses: mathieudutour/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create a GitHub release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.tag_version.outputs.new_tag }}
+          release_name: Release ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}
+
+      - name: Build Image
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: operator-pipelines-images
+          tags: latest ${{ github.sha }} ${{ steps.tag_version.outputs.new_tag }}
+          dockerfiles: |
+            ./operator-pipeline-images/Dockerfile
+
+      - name: Push To quay.io
+        id: push-to-quay
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: quay.io/redhat-isv
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Print image url
+        run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"

.gitignore

@@ -2,6 +2,139 @@
 ssh-secret.yml
 registry-secret.yml
 kubeconfig
+# results 
+test_results.json 
+results_exists
+test_logs_id
+test_result_id
+bundle_name
+bundle_version
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+./*.log
+./*.log.*
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
 
 # VSCode project settings
 .vscode/

README.md

@@ -171,3 +171,22 @@ tkn pipeline start operator-release-pipeline \
   --workspace name=ocp-registry-kubeconfig,secret=ocp-registry-kubeconfig \
   --showlog
 ```
+
+# operator-pipelines-images
+Container images containing the set of tools for Partner Operator Bundle [certification pipelines](https://github.com/redhat-openshift-ecosystem/operator-pipelines).
+
+## Development
+
+To install the python package in a development environment, run:
+
+```bash
+pip install ".[dev]"
+```
+
+To test the scripts with the pipelines, see [local-dev.md](docs/local-dev.md).
+
+To run unit tests and code style checkers:
+
+```bash
+tox
+```

docs/local-dev.md

@@ -51,4 +51,32 @@ oc adm policy add-scc-to-user privileged -z pipeline
 
 ```bash
 --pod-template templates/crc-pod-template.yml
-```
+```
+# Local development of the operator-pipelines-images
+
+Development of the Python script doesn't demand any sophisticated strategy. However, before adding the script to release branch,
+in order to test them they must run within the pipeline.
+
+## Prerequisites
+
+1. Install [Buildah](https://github.com/containers/buildah/blob/main/install.md)
+2. Setup [operator-pipelines](https://github.com/redhat-openshift-ecosystem/operator-pipelines/blob/main/docs/local-dev.md)
+
+## Initial Setup
+1. If you are adding a new script- don't forget to add the entrypoint to setup.py
+2. Build the image containing the script via Buildah
+```bash
+buildah bud
+```
+3. Push the image to registry, eg. Quay.io.
+```bash
+buildah push <image signature- output of build step> <path in registry> 
+```   
+This step may require login, eg.
+```bash
+buildah login quay.io
+```
+4. In [operator-pipelines](https://github.com/redhat-openshift-ecosystem/operator-pipelines), change the base image of script that
+was changed, to the one pushed in the previous step.
+   
+5. Run the pipeline and test if the results are as expected.

operator-pipeline-images/.dockerignore

@@ -0,0 +1,12 @@
+# Ignoring git and cache folders
+.git
+.github
+.cache
+
+# Ignoring all the markdown and class files
+*.md
+docs
+
+#Ignoring tekton pipeine and ansible tasks
+templates
+ansible

operator-pipeline-images/Dockerfile

@@ -0,0 +1,56 @@
+FROM registry.fedoraproject.org/fedora:34
+
+LABEL description="Cli tools for operator certification pipeline"
+LABEL summary="This image contains tools required for operator bundle certification pipeline."
+
+ARG USER_UID=1000
+
+USER root
+
+# setup certificates
+COPY operator-pipeline-images/certs/* /etc/pki/ca-trust/source/anchors/
+RUN /usr/bin/update-ca-trust
+
+# This is just a temporary workaround until we figure out how to
+# override CA bundle in OCP
+RUN cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/custom-ca-bundle.crt
+
+ENV REQUESTS_CA_BUNDLE="/etc/pki/tls/certs/custom-ca-bundle.crt"
+
+RUN dnf update -y && \
+    dnf install -y \
+    findutils \
+    git \
+    gcc \
+    gnupg2 \
+    jq \
+    krb5-devel \
+    krb5-workstation \
+    yamllint \
+    openssl-devel \
+    origin-clients \
+    pinentry \
+    pip \
+    python3-devel && \
+    dnf clean all
+
+COPY operator-pipeline-images/config/krb5.conf /etc/krb5.conf
+
+# Install opm CLI
+RUN curl -LO https://github.com/operator-framework/operator-registry/releases/download/v1.17.5/linux-amd64-opm && \
+    chmod +x linux-amd64-opm && \
+    mv linux-amd64-opm /usr/local/bin/opm
+
+RUN useradd -ms /bin/bash -u "${USER_UID}" user
+
+WORKDIR /home/user
+
+COPY ./operator-pipeline-images ./
+
+RUN pip3 install .
+
+# set dir ownership
+RUN chgrp -R 0 /home/user /etc/passwd
+RUN chmod -R g=u /home/user /etc/passwd
+
+USER "${USER_UID}"

operator-pipeline-images/MANIFEST.in

@@ -0,0 +1,2 @@
+include requirements.txt
+include requirements-dev.txt