feat: use secure-push-oci for archiving artifacts

konflux-ci · Dec 14, 2024 · 7dc76ee · 7dc76ee
1 parent fd26460
commit 7dc76ee
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 58 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -52,6 +52,8 @@ RUN curl -LO "https://github.com/oras-project/oras/releases/download/v${ORAS_VER
 
 FROM registry.access.redhat.com/ubi9/go-toolset:1.21.11-7
 
+USER root
+
 WORKDIR /konflux-e2e
 
 ENV GOBIN=$GOPATH/bin

diff --git a/integration-tests/pipelines/konflux-e2e-tests-pipeline.yaml b/integration-tests/pipelines/konflux-e2e-tests-pipeline.yaml
@@ -73,39 +73,23 @@ spec:
           value: $(params.SNAPSHOT)
         - name: test-name
           value: $(context.pipelineRun.name)
-    - name: create-oci-container
-      taskRef:
-        resolver: git
-        params:
-          - name: url
-            value: https://github.com/konflux-ci/konflux-qe-definitions.git
-          - name: revision
-            value: main
-          - name: pathInRepo
-            value: common/tasks/create-oci-artifact/0.1/create-oci-artifact.yaml
-      params:
-        - name: oci-container-repo
-          value: $(params.oci-container-repo)
-        - name: oci-container-tag
-          value: $(context.pipelineRun.name)
     - name: provision-rosa
       when:
         - input: "$(tasks.test-metadata.results.test-event-type)"
           operator: in
           values: ["pull_request"]
       runAfter:
         - rosa-hcp-metadata
-        - create-oci-container
         - test-metadata
       taskRef:
         resolver: git
         params:
           - name: url
-            value: https://github.com/konflux-ci/konflux-qe-definitions.git
+            value: https://github.com/konflux-ci/tekton-integration-catalog.git
           - name: revision
             value: main
           - name: pathInRepo
-            value: common/tasks/rosa/hosted-cp/rosa-hcp-provision/rosa-hcp-provision.yaml
+            value: tasks/rosa/hosted-cp/rosa-hcp-provision/0.2/rosa-hcp-provision.yaml
       params:
         - name: cluster-name
           value: "$(tasks.rosa-hcp-metadata.results.cluster-name)"
@@ -119,6 +103,8 @@ spec:
           value: "$(params.konflux-test-infra-secret)"
         - name: cloud-credential-key
           value: "$(params.cloud-credential-key)"
+        - name: oci-container
+          value: "$(params.oci-container-repo):$(context.pipelineRun.name)"
     - name: konflux-e2e-tests
       timeout: 3h
       when:
@@ -131,9 +117,9 @@ spec:
         resolver: git
         params:
           - name: url
-            value: https://github.com/konflux-ci/e2e-tests.git
+            value: https://github.com/psturc/e2e-tests.git
           - name: revision
-            value: main
+            value: KFLUXDP-6
           - name: pathInRepo
             value: integration-tests/tasks/konflux-e2e-tests-task.yaml
       params:
@@ -146,7 +132,7 @@ spec:
         - name: git-revision
           value: "$(tasks.test-metadata.results.git-revision)"
         - name: oras-container
-          value: "$(tasks.create-oci-container.results.oci-container)"
+          value: "$(params.oci-container-repo):$(context.pipelineRun.name)"
         - name: job-spec
           value: "$(tasks.test-metadata.results.job-spec)"
         - name: ocp-login-command
@@ -165,18 +151,18 @@ spec:
         resolver: git
         params:
           - name: url
-            value: https://github.com/konflux-ci/konflux-qe-definitions.git
+            value: https://github.com/konflux-ci/tekton-integration-catalog.git
           - name: revision
             value: main
           - name: pathInRepo
-            value: common/tasks/rosa/hosted-cp/rosa-hcp-deprovision/rosa-hcp-deprovision.yaml
+            value: tasks/rosa/hosted-cp/rosa-hcp-deprovision/0.2/rosa-hcp-deprovision.yaml
       params:
         - name: test-name
           value: "$(context.pipelineRun.name)"
         - name: ocp-login-command
           value: "$(tasks.provision-rosa.results.ocp-login-command)"
         - name: oci-container
-          value: "$(tasks.create-oci-container.results.oci-container)"
+          value: "$(params.oci-container-repo):$(context.pipelineRun.name)"
         - name: pull-request-author
           value: "$(tasks.test-metadata.results.pull-request-author)"
         - name: git-revision
@@ -213,7 +199,7 @@ spec:
         - name: test-name
           value: "$(context.pipelineRun.name)"
         - name: oci-container
-          value: "$(tasks.create-oci-container.results.oci-container)"
+          value: "$(params.oci-container-repo):$(context.pipelineRun.name)"
         - name: quality-dashboard-api
           value: $(params.quality-dashboard-api)
         - name: pipeline-aggregate-status
@@ -238,7 +224,7 @@ spec:
         - name: test-name
           value: "$(context.pipelineRun.name)"
         - name: oci-container
-          value: "$(tasks.create-oci-container.results.oci-container)"
+          value: "$(params.oci-container-repo):$(context.pipelineRun.name)"
         - name: pipeline-aggregate-status
           value: "$(tasks.status)"
         - name: pull-request-author

diff --git a/integration-tests/scripts/konflux-e2e-runner.sh b/integration-tests/scripts/konflux-e2e-runner.sh
@@ -63,37 +63,11 @@ load_envs() {
 
 post_actions() {
     local exit_code=$?
-    local temp_annotation_file
-
-    temp_annotation_file="$(mktemp)"
 
     if [[ "${UNREGISTER_PAC}" == "true" ]]; then
-        make ci/sprayproxy/unregister
+        make ci/sprayproxy/unregister | tee "${ARTIFACT_DIR}"/sprayproxy-unregister.log
     fi
 
-    cd "$ARTIFACT_DIR"
-
-    # Fetch the manifest annotations for the container
-    if ! MANIFESTS=$(oras manifest fetch "${ORAS_CONTAINER}" | jq .annotations); then
-        log "ERROR" "Failed to fetch manifest from ${ORAS_CONTAINER}"
-        exit 1
-    fi
-
-    jq -n --argjson manifest "$MANIFESTS" '{ "$manifest": $manifest }' > "${temp_annotation_file}"
-
-    oras pull "${ORAS_CONTAINER}"
-
-    local attempt=1
-    while ! oras push "$ORAS_CONTAINER" --username="${OCI_STORAGE_USERNAME}" --password="${OCI_STORAGE_TOKEN}" --annotation-file "${temp_annotation_file}" ./:application/vnd.acme.rocket.docs.layer.v1+tar; do
-        if [[ $attempt -ge 5 ]]; then
-            log "ERROR" "oras push failed after $attempt attempts."
-            exit 1
-        fi
-        log "WARNING" "oras push failed (attempt $attempt). Retrying in 5 seconds..."
-        sleep 5
-        ((attempt++))
-    done
-
     exit "$exit_code"
 }
 

diff --git a/integration-tests/tasks/konflux-e2e-tests-task.yaml b/integration-tests/tasks/konflux-e2e-tests-task.yaml
@@ -68,7 +68,7 @@ spec:
           mountPath: /usr/local/konflux-ci-secrets
         - name:  konflux-test-infra-volume
           mountPath: /usr/local/konflux-test-infra
-      workingDir: /workspace
+      workingDir: /workspace/e2e-tests
       env:
         - name: JOB_NAME
           value: $(params.test-name)
@@ -88,6 +88,9 @@ spec:
           value: $(params.ginkgo-procs)
         - name: ORAS_CONTAINER
           value: $(params.oras-container)
+        - name: ARTIFACT_DIR
+          value: /workspace/artifact-dir
+      onError: continue
       script: |
         #!/bin/bash
 
@@ -130,9 +133,6 @@ spec:
 
         log "INFO" "running tests with github user: ${GITHUB_USER}"
 
-        export ARTIFACT_DIR
-        ARTIFACT_DIR="$(mktemp -d)"
-
         # Prepare git, pair branch if necessary, Install Konflux and run e2e tests
         cd "$(mktemp -d)"
 
@@ -148,4 +148,30 @@ spec:
         make ci/prepare/e2e-branch 2>&1 | tee "${ARTIFACT_DIR}"/e2e-branch.log
 
         /bin/bash -c "integration-tests/scripts/konflux-e2e-runner.sh"
-
+    - name: secure-push-oci
+      ref:
+        resolver: git
+        params:
+          - name: url
+            value: https://github.com/konflux-ci/tekton-integration-catalog.git
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: stepactions/secure-push-oci/0.1/secure-push-oci.yaml
+      params:
+        - name: workdir-path
+          value: /workspace/artifact-dir
+        - name: oci-ref
+          value: $(params.oras-container)
+        - name: credentials-volume-name
+          value: konflux-test-infra-volume
+    - name: fail-if-any-step-failed
+      ref:
+        resolver: git
+        params:
+          - name: url
+            value: https://github.com/konflux-ci/tekton-integration-catalog.git
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: stepactions/fail-if-any-step-failed/0.1/fail-if-any-step-failed.yaml