Skip to content

Add support for fips e2e #324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
osmman merged 2 commits into from
Jan 12, 2026
Merged

Add support for fips e2e #324

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fd2e746
ci: add fips e2e to operator and FBC's
JasonPowr Nov 6, 2025
934e83f
e2e: add-fips-enabled-e2e
JasonPowr Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions konflux-configs/base/project/base/ocp/v4.16/patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,39 @@
resolver: git
resourceKind: pipelinerun

# IntegrationTestScenario
- op: add
path: /spec/resources/-
value:
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
labels:
test.appstudio.openshift.io/optional: "true"
name: "{{.application}}{{.nameSuffix}}-v4-16-e2e-fips"
spec:
application: "{{.application}}{{.nameSuffix}}"
contexts:
- description: execute the integration test when component {{.application}}{{.nameSuffix}}-v4-16 updates
name: "component_{{.application}}{{.nameSuffix}}-v4-16"
params:
- name: OCP_VERSION
value: "4.16"
- name: FIPS_ENABLED
value: "true"
- name: KEYCLOAK_DISTRIBUTION
value: "rhbk"
resolverRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipeline

# IntegrationTestScenario Upgrade
- op: add
path: /spec/resources/-
Expand Down
33 changes: 33 additions & 0 deletions konflux-configs/base/project/base/ocp/v4.17/patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,39 @@
resolver: git
resourceKind: pipelinerun

# IntegrationTestScenario
- op: add
path: /spec/resources/-
value:
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
labels:
test.appstudio.openshift.io/optional: "true"
name: "{{.application}}{{.nameSuffix}}-v4-17-e2e-fips"
spec:
application: "{{.application}}{{.nameSuffix}}"
contexts:
- description: execute the integration test when component {{.application}}{{.nameSuffix}}-v4-17 updates
name: "component_{{.application}}{{.nameSuffix}}-v4-17"
params:
- name: OCP_VERSION
value: "4.17"
- name: FIPS_ENABLED
value: "true"
- name: KEYCLOAK_DISTRIBUTION
value: "rhbk"
resolverRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipeline

# IntegrationTestScenario Upgrade
- op: add
path: /spec/resources/-
Expand Down
33 changes: 33 additions & 0 deletions konflux-configs/base/project/base/ocp/v4.18/patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,39 @@
resolver: git
resourceKind: pipelinerun

# IntegrationTestScenario
- op: add
path: /spec/resources/-
value:
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
labels:
test.appstudio.openshift.io/optional: "true"
name: "{{.application}}{{.nameSuffix}}-v4-18-e2e-fips"
spec:
application: "{{.application}}{{.nameSuffix}}"
contexts:
- description: execute the integration test when component {{.application}}{{.nameSuffix}}-v4-18 updates
name: "component_{{.application}}{{.nameSuffix}}-v4-18"
params:
- name: OCP_VERSION
value: "4.18"
- name: FIPS_ENABLED
value: "true"
- name: KEYCLOAK_DISTRIBUTION
value: "rhbk"
resolverRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipeline

# IntegrationTestScenario Upgrade
- op: add
path: /spec/resources/-
Expand Down
33 changes: 33 additions & 0 deletions konflux-configs/base/project/base/ocp/v4.19/patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,39 @@
resolver: git
resourceKind: pipelinerun

# IntegrationTestScenario E2E
- op: add
path: /spec/resources/-
value:
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
labels:
test.appstudio.openshift.io/optional: "true"
name: "{{.application}}{{.nameSuffix}}-v4-19-e2e-fips"
spec:
application: "{{.application}}{{.nameSuffix}}"
contexts:
- description: execute the integration test when component {{.application}}{{.nameSuffix}}-v4-19 updates
name: "component_{{.application}}{{.nameSuffix}}-v4-19"
params:
- name: OCP_VERSION
value: "4.19"
- name: FIPS_ENABLED
value: "true"
- name: KEYCLOAK_DISTRIBUTION
value: "rhbk"
resolverRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipeline

# IntegrationTestScenario Upgrade
- op: add
path: /spec/resources/-
Expand Down
33 changes: 33 additions & 0 deletions konflux-configs/base/project/base/ocp/v4.20/patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,39 @@
resolver: git
resourceKind: pipelinerun

# IntegrationTestScenario
- op: add
path: /spec/resources/-
value:
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
labels:
test.appstudio.openshift.io/optional: "true"
name: "{{.application}}{{.nameSuffix}}-v4-20-e2e-fips"
spec:
application: "{{.application}}{{.nameSuffix}}"
contexts:
- description: execute the integration test when component {{.application}}{{.nameSuffix}}-v4-20 updates
name: "component_{{.application}}{{.nameSuffix}}-v4-20"
params:
- name: OCP_VERSION
value: "4.20"
- name: FIPS_ENABLED
value: "true"
- name: KEYCLOAK_DISTRIBUTION
value: "rhbk"
resolverRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipeline

# IntegrationTestScenario Upgrade
- op: add
path: /spec/resources/-
Expand Down
30 changes: 30 additions & 0 deletions konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,33 @@
value: pipelines/integration-test/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipelinerun

- op: add
path: /spec/resources/-
value:
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
labels:
test.appstudio.openshift.io/optional: "true"
name: "rhtas-operator-e2e-test{{.nameSuffix}}-fips"
spec:
application: "{{.application}}{{.nameSuffix}}"
contexts:
- description: runs the integration test for a group Snapshot
name: group
params:
- name: FIPS_ENABLED
value: "true"
- name: KEYCLOAK_DISTRIBUTION
value: "rhbk"
resolverRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/integration-test/rhtas-operator-e2e.yaml
resolver: git
resourceKind: pipelinerun
30 changes: 27 additions & 3 deletions pipelines/integration-test/rhtas-operator-e2e.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,11 @@ spec:
default: "main"
- name: OLMv1
default: "false"
- name: FIPS_ENABLED
default: "false"
- name: KEYCLOAK_DISTRIBUTION
description: "Which Keycloak build to install rhsso or rhbk"
default: "rhsso"
workspaces:
- name: work
description: Shared workspace for pipeline tasks
Expand Down Expand Up @@ -139,6 +144,8 @@ spec:
value: m5.large
- name: timeout
value: 60m
- name: fips
value: "$(params.FIPS_ENABLED)"
- name: imageContentSources
value: |
- source: registry.redhat.io/rhtas/rhtas-operator-bundle
Expand Down Expand Up @@ -348,6 +355,9 @@ spec:
- name: oidc-hostname
type: string
value: "$(steps.install-keycloak.results.oidc-hostname)"
- name: oidc-issuer-url
type: string
value: "$(steps.install-keycloak.results.oidc-issuer-url)"
- name: fulcio-url
type: string
value: "$(steps.install-tas.results.fulcio-url)"
Expand Down Expand Up @@ -400,6 +410,8 @@ spec:
value: "$(steps.get-kubeconfig.results.kubeconfig)"
- name: workdir
value: "$(workspaces.source-code.path)/operator"
- name: keycloak-distribution
value: "$(params.KEYCLOAK_DISTRIBUTION)"
- name: download-binaries
workspaces:
- name: work
Expand Down Expand Up @@ -458,10 +470,14 @@ spec:
env:
- name: OIDC_HOST
value: "$(tasks.prepare-tests.results.oidc-hostname)"
- name: OIDC_ISSUER_URL
value: "$(tasks.prepare-tests.results.oidc-issuer-url)"
- name: KUBECONFIG
value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
- name: CI
value: "true"
- name: FIPS_ENABLED
value: "$(params.FIPS_ENABLED)"
volumeMounts:
- name: credentials
mountPath: /credentials
Expand All @@ -473,12 +489,17 @@ spec:
mkdir -p $(workspaces.source-code.path)/dump/operator-e2e/

export PATH="$PATH:$(workspaces.source-code.path)/binaries"
export OIDC_ISSUER_URL=https://$OIDC_HOST/auth/realms/trusted-artifact-signer
openssl s_client -connect $OIDC_HOST:443 > /tmp/ssl.cert
export SSL_CERT_FILE=/tmp/ssl.cert
go mod vendor
make generate
go test -p 1 ./test/e2e/... -tags=integration -timeout 30m -json > $(workspaces.source-code.path)/dump/operator-e2e/test-result.json

TAGS="integration"
if [[ "$FIPS_ENABLED" == "true" ]]; then
TAGS="fips,integration"
fi

go test -p 1 ./test/e2e/... -tags="$TAGS" -timeout 60m -json > $(workspaces.source-code.path)/dump/operator-e2e/test-result.json

cp test/**/k8s-dump-*.tar.gz $(workspaces.source-code.path)/dump/operator-e2e/ || echo "no test dump files found"

Expand Down Expand Up @@ -552,6 +573,8 @@ spec:
value: "$(params.TAS_DEPLOY_NAMESPACE)"
- name: OIDC_HOST
value: "$(tasks.prepare-tests.results.oidc-hostname)"
- name: OIDC_ISSUER_URL
value: "$(tasks.prepare-tests.results.oidc-issuer-url)"
- name: push-test-image
image: quay.io/konflux-ci/buildah-task:latest@sha256:c711eeac025a5f829d5d7bb281d7e0df380969d1e37e5329d0cb7740ff0aa301
results:
Expand Down Expand Up @@ -584,13 +607,14 @@ spec:
value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)"
- name: TASNAMESPACE
value: "$(params.TAS_DEPLOY_NAMESPACE)"
- name: OIDC_ISSUER_URL
value: "$(tasks.prepare-tests.results.oidc-issuer-url)"
workingDir: $(workspaces.source-code.path)/sigstore-e2e
script: |
oc project $TASNAMESPACE
./tas-env-variables.sh > .env
- name: execute-tas-e2e
image: registry.redhat.io/ubi9/go-toolset:1.24@sha256:84286c7555df503df0bd3acb86fe2ad50af82a07f35707918bb0fad312fdc193

computeResources:
limits:
memory: 4Gi
Expand Down
23 changes: 21 additions & 2 deletions stepactions/integration-test/install-keycloak.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,15 @@ spec:
- name: KUBECONFIG
type: string
description: KUBECONFIG path.
- name: keycloak-distribution
type: string
default: "rhsso"
description: "Which Keycloak build to install rhsso or rhbk"
results:
- name: oidc-hostname
description: Hostname of the installed OIDC provider
- name: oidc-issuer-url
description: Trusted artifact signer issuer url
volumeMounts:
- name: "$(params.credentials)"
mountPath: /credentials
Expand All @@ -28,7 +34,20 @@ spec:
value: "/credentials/$(params.KUBECONFIG)"
- name: WORKDIR
value: "$(params.workdir)"
- name: KEYCLOAK_DISTRIBUTION
value: "$(params.keycloak-distribution)"
script: |
cd $WORKDIR
ci/openshift/tas-keycloak-install.sh
oc get route -n keycloak-system keycloak -o jsonpath='{.status.ingress[0].host}' > "$(step.results.oidc-hostname.path)"

if [[ "$KEYCLOAK_DISTRIBUTION" == "rhbk" ]]; then
ci/openshift/tas-keycloak-install.sh rhbk
OIDC_HOSTNAME=$(oc get route -n keycloak-system -l app=keycloak -o jsonpath='{.items[0].status.ingress[0].host}')
OIDC_ISSUER_URL="https://$OIDC_HOSTNAME/realms/trusted-artifact-signer"
else
ci/openshift/tas-keycloak-install.sh
OIDC_HOSTNAME=$(oc get route -n keycloak-system keycloak -o jsonpath='{.status.ingress[0].host}')
OIDC_ISSUER_URL="https://$OIDC_HOSTNAME/auth/realms/trusted-artifact-signer"
fi

printf %s "$OIDC_HOSTNAME" > "$(step.results.oidc-hostname.path)"
printf %s "$OIDC_ISSUER_URL" > "$(step.results.oidc-issuer-url.path)"
7 changes: 6 additions & 1 deletion stepactions/integration-test/install-tas.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ spec:
- name: OIDC_HOST
description: OIDC hostname (keycloak)
type: string
- name: OIDC_ISSUER_URL
description: Trusted artifact signer issuer url
type: string
results:
- name: fulcio-url
- name: tuf-url
Expand All @@ -41,9 +44,11 @@ spec:
value: "$(params.tas-namespace)"
- name: OIDC_HOST
value: "$(params.OIDC_HOST)"
- name: OIDC_ISSUER_URL
value: "$(params.OIDC_ISSUER_URL)"
script: |
cd $WORKDIR
sed -i "s#https://your-oidc-issuer-url#https://$OIDC_HOST/auth/realms/trusted-artifact-signer#" config/samples/rhtas_v1alpha1_securesign.yaml
sed -i "s#https://your-oidc-issuer-url#$OIDC_ISSUER_URL#" config/samples/rhtas_v1alpha1_securesign.yaml
sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml
oc create ns $TASNAMESPACE
oc create -f config/samples/rhtas_v1alpha1_securesign.yaml -n $TASNAMESPACE
Expand Down