Conversation

@JasonPowr
Member

@JasonPowr JasonPowr commented Nov 28, 2025

Summary by Sourcery

Add optional FIPS-enabled end-to-end integration test scenarios across supported OCP versions and extend the operator e2e pipeline to parameterize FIPS mode and Keycloak distribution while wiring through issuer URL handling.

New Features:

  • Introduce optional FIPS-enabled IntegrationTestScenario resources for rhtas-operator e2e tests on OCP 4.16–4.20.
  • Add a dedicated FIPS-enabled group-based IntegrationTestScenario for the rhtas-operator overlay e2e configuration.

Enhancements:

  • Parameterize the rhtas-operator e2e pipeline with FIPS and Keycloak distribution options and propagate them through test execution.
  • Extend Keycloak installation and TAS installation stepactions to output and consume a dynamic OIDC issuer URL, supporting both rhsso and rhbk distributions.
  • Adjust e2e tests to use dynamic OIDC issuer configuration and to enable FIPS-specific test tags and longer timeouts when FIPS mode is on.

@sourcery-ai

sourcery-ai bot commented Nov 28, 2025

Reviewer's Guide

Adds FIPS-enabled end-to-end integration test scenarios for multiple OCP versions and updates the operator e2e pipeline and supporting stepactions to handle FIPS mode and a configurable Keycloak distribution (rhsso vs rhbk) with correct OIDC issuer URLs.

Sequence diagram for FIPS-enabled operator e2e pipeline trigger and execution

sequenceDiagram
  actor Developer
  participant AppStudio
  participant IntegrationService
  participant IntegrationTestScenario_v4_19_e2e_fips
  participant GitResolver
  participant RhtasOperatorE2EPipeline
  participant StepActionInstallKeycloak
  participant StepActionInstallTAS
  participant OCPCluster
  participant Keycloak

  Developer->>AppStudio: Push change to component_rhtas_operator_v4_19
  AppStudio->>IntegrationService: Create Snapshot for component update
  IntegrationService->>IntegrationTestScenario_v4_19_e2e_fips: Match context component_rhtas_operator_v4_19
  IntegrationTestScenario_v4_19_e2e_fips-->>IntegrationService: Params OCP_VERSION=4.19 FIPS_ENABLED=true KEYCLOAK_DISTRIBUTION=rhbk

  IntegrationService->>GitResolver: Resolve pipelines rhtas-operator-e2e.yaml
  GitResolver-->>IntegrationService: Tekton Pipeline definition
  IntegrationService->>RhtasOperatorE2EPipeline: Create PipelineRun with params including FIPS_ENABLED and KEYCLOAK_DISTRIBUTION

  RhtasOperatorE2EPipeline->>StepActionInstallKeycloak: Execute install-keycloak with FIPS_ENABLED KEYCLOAK_DISTRIBUTION
  StepActionInstallKeycloak->>Keycloak: Deploy Keycloak in requested distribution
  StepActionInstallKeycloak->>Keycloak: Configure OIDC issuer URL based on distribution
  StepActionInstallKeycloak->>Keycloak: Apply FIPS mode settings when FIPS_ENABLED=true
  Keycloak-->>StepActionInstallKeycloak: Ready with correct issuer and FIPS configuration

  RhtasOperatorE2EPipeline->>StepActionInstallTAS: Execute install-tas with FIPS_ENABLED
  StepActionInstallTAS->>OCPCluster: Deploy TAS components with FIPS configuration
  OCPCluster-->>StepActionInstallTAS: TAS ready

  RhtasOperatorE2EPipeline->>OCPCluster: Run end_to_end_tests
  OCPCluster-->>RhtasOperatorE2EPipeline: Test results
  RhtasOperatorE2EPipeline-->>IntegrationService: Report PipelineRun status
  IntegrationService-->>AppStudio: Integration test result for Snapshot
  AppStudio-->>Developer: Surface FIPS e2e test outcome

Flow diagram for Keycloak distribution and FIPS configuration in e2e pipeline

flowchart TD
  Start[Start PipelineRun with params\nFIPS_ENABLED and KEYCLOAK_DISTRIBUTION]
  Start --> CheckDistribution

  CheckDistribution{KEYCLOAK_DISTRIBUTION value}
  CheckDistribution -->|rhbk| UseRHBK
  CheckDistribution -->|rhsso| UseRHSSO
  CheckDistribution -->|other| FailInvalidDistribution

  UseRHBK[Install rhbk Keycloak\nSet OIDC issuer URL for rhbk]
  UseRHSSO[Install rhsso Keycloak\nSet OIDC issuer URL for rhsso]
  FailInvalidDistribution[Fail pipeline\nUnsupported Keycloak distribution]

  UseRHBK --> CheckFIPS
  UseRHSSO --> CheckFIPS

  CheckFIPS{FIPS_ENABLED}
  CheckFIPS -->|true| EnableFIPS
  CheckFIPS -->|false| SkipFIPS

  EnableFIPS[Configure Keycloak and TAS components\nwith FIPS compatible settings]
  SkipFIPS[Proceed without FIPS specific configuration]

  EnableFIPS --> ContinueTests
  SkipFIPS --> ContinueTests

  ContinueTests[Run end to end tests against OCP cluster]
  ContinueTests --> End[Report e2e result back to IntegrationService]

File-Level Changes

Change: Introduce FIPS-specific IntegrationTestScenario resources for OCP 4.16–4.20 and rhtas-operator e2e overlay.
Details:
  • Add new IntegrationTestScenario entries per OCP version (4.16–4.20) that run rhtas-operator e2e with FIPS_ENABLED=true, KEYCLOAK_DISTRIBUTION=rhbk, and the appropriate OCP_VERSION.
  • Extend the rhtas-operator overlay e2e patch with an additional FIPS-enabled IntegrationTestScenario for group snapshots using the integration-test pipeline.
Files:
  konflux-configs/base/project/base/ocp/v4.16/patch.yaml
  konflux-configs/base/project/base/ocp/v4.17/patch.yaml
  konflux-configs/base/project/base/ocp/v4.18/patch.yaml
  konflux-configs/base/project/base/ocp/v4.19/patch.yaml
  konflux-configs/base/project/base/ocp/v4.20/patch.yaml
  konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml

Change: Extend rhtas-operator e2e pipeline to support FIPS mode, configurable Keycloak distribution, and explicit OIDC issuer URL propagation.
Details:
  • Add FIPS_ENABLED and KEYCLOAK_DISTRIBUTION pipeline params with defaults, and wire FIPS_ENABLED into the cluster provisioning task and KEYCLOAK_DISTRIBUTION into the Keycloak installation stepaction.
  • Propagate the oidc-issuer-url from the install-keycloak stepaction into prepare-tests and downstream tasks, and set OIDC_ISSUER_URL env vars for operator and sigstore/TAS e2e tasks.
  • Update the operator e2e test execution to conditionally add a fips build tag and increase the test timeout from 30m to 60m when FIPS is enabled.
Files:
  pipelines/integration-test/rhtas-operator-e2e.yaml

Change: Update install-keycloak and install-tas stepactions to support rhsso vs rhbk and use the correct issuer URL instead of reconstructing it from the hostname.
Details:
  • Add a keycloak-distribution param to install-keycloak, and conditionally call tas-keycloak-install.sh with or without the rhbk argument while deriving the correct Route selector and issuer URL format for each distribution.
  • Introduce a new oidc-issuer-url result in install-keycloak and plumb it through to install-tas as a new OIDC_ISSUER_URL param.
  • Change install-tas to use the provided OIDC_ISSUER_URL directly when patching the Securesign CR sample instead of constructing the URL from OIDC_HOST.
Files:
  stepactions/integration-test/install-keycloak.yaml
  stepactions/integration-test/install-tas.yaml


@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • The new FIPS IntegrationTestScenario resources for each OCP version (4.16–4.20 and overlay) are almost identical; consider refactoring them into a shared template/patch (e.g., using kustomize overlays or templating) to reduce duplication and ease future maintenance.
  • You are modeling FIPS_ENABLED as a string parameter throughout and then comparing it textually in bash ([[ "$FIPS_ENABLED" == "true" ]]); if possible, switching this to a boolean Tekton param (and/or normalizing the accepted values in the script) would make the behavior less error-prone.
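The fips build-tag and 30m/60m timeout switch described in the file-level changes, together with the value normalisation the second review point asks for, as an added example that is not code from the securesign/pipelines repository; the function names are assumed and the accepted spellings are a suggestion, not the project's current behaviour.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the project's own stepaction code):
# normalise the string-typed FIPS_ENABLED param and validate the Keycloak
# distribution before deriving the operator e2e `go test` arguments.

# Map the accepted spellings of a boolean Tekton string param onto
# "true"/"false". Anything unrecognised is a hard error rather than a
# silent "false", so a typo in a scenario cannot quietly skip FIPS coverage.
normalize_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true|yes|1)     echo true ;;
    false|no|0|"")  echo false ;;   # empty treated as the default "false"
    *) echo "unrecognised boolean value: '$1'" >&2; return 1 ;;
  esac
}

# Only the two distributions the install-keycloak stepaction supports are
# accepted; this mirrors the "other -> fail pipeline" branch in the flowchart.
validate_distribution() {
  case "$1" in
    rhsso|rhbk) echo "$1" ;;
    *) echo "unsupported KEYCLOAK_DISTRIBUTION: '$1'" >&2; return 1 ;;
  esac
}

# Return the go test flags for the operator e2e run: FIPS mode adds the
# "fips" build tag and raises the timeout from 30m to 60m.
e2e_test_args() {
  fips=$(normalize_bool "$1") || return 1
  if [ "$fips" = true ]; then
    echo "-tags fips -timeout 60m"
  else
    echo "-timeout 30m"
  fi
}
```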

@github-actions

Configuration Diff

2 document(s) impacted:

+ 0 added
- 0 removed
! 2 modified
Diff
@@ spec.resources @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/operator-template
! + one list entry added:
+   - apiVersion: appstudio.redhat.com/v1beta2
+     kind: IntegrationTestScenario
+     metadata:
+       name: rhtas-operator-e2e-test{{.nameSuffix}}-fips
+       labels:
+         test.appstudio.openshift.io/optional: "true"
+     spec:
+       application: {{.application}}{{.nameSuffix}}
+       contexts:
+       - name: group
+         description: "runs the integration test for a group Snapshot"
+       params:
+       - name: FIPS_ENABLED
+         value: "true"
+       - name: KEYCLOAK_DISTRIBUTION
+         value: rhbk
+       resolverRef:
+         params:
+         - name: url
+           value: "https://github.com/securesign/pipelines.git"
+         - name: revision
+           value: main
+         - name: pathInRepo
+           value: pipelines/integration-test/rhtas-operator-e2e.yaml
+         resolver: git
+         resourceKind: pipelinerun
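Review bot: this operator-template scenario passes FIPS_ENABLED and KEYCLOAK_DISTRIBUTION but no OCP_VERSION, so the FIPS run for a group Snapshot inherits whatever default `pipelines/integration-test/rhtas-operator-e2e.yaml` declares; if the group run is meant to target a specific OCP version, add an explicit `- name: OCP_VERSION` entry next to the other two params. Separately, `revision: main` resolves the pipeline from a moving branch, so an optional FIPS run executed today and next month may not run the same pipeline definition; pinning `revision` to a tag or commit would make the result reproducible. The `value: "true"` for FIPS_ENABLED is a quoted string, which is the string-typed parameter the review comment above asks to tighten.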

@@ spec.resources @@
# projctl.konflux.dev/v1beta1/ProjectDevelopmentStreamTemplate/rhtas-tenant/rhtas-fbc-template
! + five list entries added:
+   - apiVersion: appstudio.redhat.com/v1beta2
+     kind: IntegrationTestScenario
+     metadata:
+       name: {{.application}}{{.nameSuffix}}-v4-16-e2e-fips
+       labels:
+         test.appstudio.openshift.io/optional: "true"
+     spec:
+       application: {{.application}}{{.nameSuffix}}
+       contexts:
+       - name: component_{{.application}}{{.nameSuffix}}-v4-16
+         description: "execute the integration test when component {{.application}}{{.nameSuffix}}-v4-16 updates"
+       params:
+       - name: OCP_VERSION
+         value: 4.16
+       - name: FIPS_ENABLED
+         value: "true"
+       - name: KEYCLOAK_DISTRIBUTION
+         value: rhbk
+       resolverRef:
+         params:
+         - name: url
+           value: "https://github.com/securesign/pipelines.git"
+         - name: revision
+           value: main
+         - name: pathInRepo
+           value: pipelines/rhtas-operator-e2e.yaml
+         resolver: git
+         resourceKind: pipeline
+   - apiVersion: appstudio.redhat.com/v1beta2
+     kind: IntegrationTestScenario
+     metadata:
+       name: {{.application}}{{.nameSuffix}}-v4-17-e2e-fips
+       labels:
+         test.appstudio.openshift.io/optional: "true"
+     spec:
+       application: {{.application}}{{.nameSuffix}}
+       contexts:
+       - name: component_{{.application}}{{.nameSuffix}}-v4-17
+         description: "execute the integration test when component {{.application}}{{.nameSuffix}}-v4-17 updates"
+       params:
+       - name: OCP_VERSION
+         value: 4.17
+       - name: FIPS_ENABLED
+         value: "true"
+       - name: KEYCLOAK_DISTRIBUTION
+         value: rhbk
+       resolverRef:
+         params:
+         - name: url
+           value: "https://github.com/securesign/pipelines.git"
+         - name: revision
+           value: main
+         - name: pathInRepo
+           value: pipelines/rhtas-operator-e2e.yaml
+         resolver: git
+         resourceKind: pipeline
+   - apiVersion: appstudio.redhat.com/v1beta2
+     kind: IntegrationTestScenario
+     metadata:
+       name: {{.application}}{{.nameSuffix}}-v4-18-e2e-fips
+       labels:
+         test.appstudio.openshift.io/optional: "true"
+     spec:
+       application: {{.application}}{{.nameSuffix}}
+       contexts:
+       - name: component_{{.application}}{{.nameSuffix}}-v4-18
+         description: "execute the integration test when component {{.application}}{{.nameSuffix}}-v4-18 updates"
+       params:
+       - name: OCP_VERSION
+         value: 4.18
+       - name: FIPS_ENABLED
+         value: "true"
+       - name: KEYCLOAK_DISTRIBUTION
+         value: rhbk
+       resolverRef:
+         params:
+         - name: url
+           value: "https://github.com/securesign/pipelines.git"
+         - name: revision
+           value: main
+         - name: pathInRepo
+           value: pipelines/rhtas-operator-e2e.yaml
+         resolver: git
+         resourceKind: pipeline
+   - apiVersion: appstudio.redhat.com/v1beta2
+     kind: IntegrationTestScenario
+     metadata:
+       name: {{.application}}{{.nameSuffix}}-v4-19-e2e-fips
+       labels:
+         test.appstudio.openshift.io/optional: "true"
+     spec:
+       application: {{.application}}{{.nameSuffix}}
+       contexts:
+       - name: component_{{.application}}{{.nameSuffix}}-v4-19
+         description: "execute the integration test when component {{.application}}{{.nameSuffix}}-v4-19 updates"
+       params:
+       - name: OCP_VERSION
+         value: 4.19
+       - name: FIPS_ENABLED
+         value: "true"
+       - name: KEYCLOAK_DISTRIBUTION
+         value: rhbk
+       resolverRef:
+         params:
+         - name: url
+           value: "https://github.com/securesign/pipelines.git"
+         - name: revision
+           value: main
+         - name: pathInRepo
+           value: pipelines/rhtas-operator-e2e.yaml
+         resolver: git
+         resourceKind: pipeline
+   - apiVersion: appstudio.redhat.com/v1beta2
+     kind: IntegrationTestScenario
+     metadata:
+       name: {{.application}}{{.nameSuffix}}-v4-20-e2e-fips
+       labels:
+         test.appstudio.openshift.io/optional: "true"
+     spec:
+       application: {{.application}}{{.nameSuffix}}
+       contexts:
+       - name: component_{{.application}}{{.nameSuffix}}-v4-20
+         description: "execute the integration test when component {{.application}}{{.nameSuffix}}-v4-20 updates"
+       params:
+       - name: OCP_VERSION
+         value: 4.20
+       - name: FIPS_ENABLED
+         value: "true"
+       - name: KEYCLOAK_DISTRIBUTION
+         value: rhbk
+       resolverRef:
+         params:
+         - name: url
+           value: "https://github.com/securesign/pipelines.git"
+         - name: revision
+           value: main
+         - name: pathInRepo
+           value: pipelines/rhtas-operator-e2e.yaml
+         resolver: git
+         resourceKind: pipeline
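Review bot: these five entries resolve `pathInRepo: pipelines/rhtas-operator-e2e.yaml` with `resourceKind: pipeline`, whereas the operator-template entry above and the file-level changes list name `pipelines/integration-test/rhtas-operator-e2e.yaml` as the pipeline that gained the FIPS_ENABLED and KEYCLOAK_DISTRIBUTION params; please confirm the top-level path is the intended, FIPS-aware pipeline, since a stale path would mean the new params never reach the Keycloak and TAS stepactions. Also, `value: 4.20` (and 4.16 through 4.19) are unquoted YAML scalars that parse as floats, so `4.20` becomes `4.2` before it is handed to OCP_VERSION; quoting them as `value: "4.20"`, the way FIPS_ENABLED is already quoted, keeps the version string intact. The five blocks differ only in the `-v4-NN` suffix, which is the duplication the review comment suggests folding into a shared template.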

📦 Artifacts: base-output.yaml, head-output.yaml, dyff-output.txt
