sync: stage to production

.github/workflows/ci.yaml

@@ -5,6 +5,7 @@ on:
   push:
     branches:
       - main
+      - stage
     paths-ignore:
       - '*.md'
       - '*.sh'
@@ -105,6 +106,15 @@ jobs:
           export PATH=${PATH}:$GOPATH/bin
           make verify binary test test/integration
         timeout-minutes: 14
+      - name: Build and publish fleet-manager-tools image to quay.io
+        if: github.event_name == 'push'
+        env:
+          QUAY_USER: ${{ secrets.QUAY_RHACS_ENG_FM_RW_USERNAME }}
+          QUAY_TOKEN: ${{ secrets.QUAY_RHACS_ENG_FM_RW_PASSWORD }}
+          QUAY_IMAGE_REPOSITORY: rhacs-eng/fleet-manager-tools
+        run: |
+          chmod +x ./build_push_fleet_manager_tools.sh
+          ./build_push_fleet_manager_tools.sh
       - name: Build and publish fleet* image to quay.io
         if: github.event_name == 'push'
         env:

.github/workflows/create-prod-pr.yaml

@@ -0,0 +1,18 @@
+name: Create PR to merge stage into production
+on:
+  push:
+    branches:
+      - stage
+
+jobs:
+  prepare-prod-pr:
+    runs-on: ubuntu-latest
+    name: Prepare production PR
+    steps:
+
+    - name: Open a pull request
+      uses: tretuna/[email protected]
+      with:
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        FROM_BRANCH: 'stage'
+        TO_BRANCH: 'production'

.github/workflows/deploy-stage.yaml

@@ -3,7 +3,7 @@ name: Deploy Stage Env
 on:
   push:
     branches:
-      - main
+      - stage
 
 jobs:
   call-deploy-workflow:

.github/workflows/probe.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
     - main
+    - stage
     - production
 
 jobs:
@@ -30,9 +31,9 @@ jobs:
             ${{ runner.os }}-go-
       - name: Build and publish probe image to quay.io
         env:
-          QUAY_PROBE_USER: ${{ secrets.QUAY_RHACS_ENG_PROBE_RW_USERNAME }}
-          QUAY_PROBE_TOKEN: ${{ secrets.QUAY_RHACS_ENG_PROBE_RW_PASSWORD }}
-          QUAY_PROBE_IMAGE_REPOSITORY: rhacs-eng/blackbox-monitoring-probe-service
+          QUAY_USER: ${{ secrets.QUAY_RHACS_ENG_PROBE_RW_USERNAME }}
+          QUAY_TOKEN: ${{ secrets.QUAY_RHACS_ENG_PROBE_RW_PASSWORD }}
+          QUAY_IMAGE_REPOSITORY: rhacs-eng/blackbox-monitoring-probe-service
         run: |
           chmod +x ./build_push_probe.sh
           ./build_push_probe.sh

.github/workflows/start-release.yaml

@@ -0,0 +1,45 @@
+name: Start release
+on:
+  workflow_dispatch:
+    inputs:
+      commit:
+        description: 'Commit to merge into the stage branch (branch name, tag name or SHA)'
+        required: true
+        default: 'main'
+        type: string
+      release_version:
+        description: 'Release version in the format YYYY-MM-DD.N'
+        required: true
+        default: 'YYYY-MM-DD.1'
+        type: string
+
+jobs:
+  prepare-stage-pr:
+    runs-on: ubuntu-latest
+    name: Prepare stage PR
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    # action-create-branch does not accept symbolic refs, so we need to parse it here.
+    - name: Canonicalize the commit ID
+      run: |
+        echo "commit_hash=$(git rev-parse --verify --quiet 'remotes/origin/${{ inputs.commit }}' || git rev-parse --verify --quiet '${{ inputs.commit }}')" >> "$GITHUB_ENV"
+
+    - name: Create Release Candidate branch
+      uses: peterjgrainger/[email protected]
+      env:
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      with:
+        branch: 'rc-${{ inputs.release_version }}'
+        sha: '${{ env.commit_hash }}'
+
+    - name: Open a pull request
+      uses: tretuna/[email protected]
+      with:
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        FROM_BRANCH: 'rc-${{ inputs.release_version }}'
+        TO_BRANCH: 'stage'

.openshift-ci/e2e-runtime/Dockerfile

@@ -5,7 +5,7 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 RUN dnf update -y --disablerepo=\* --enablerepo=baseos,appstream && dnf -y install make which git gettext jq gcc && dnf clean all && rm -rf /var/cache/dnf
 
-COPY --from=registry.ci.openshift.org/stolostron/builder:go1.20-linux /usr/local/go /usr/local/go
+COPY --from=registry.ci.openshift.org/openshift/release:golang-1.20 /usr/local/go /usr/local/go
 COPY --from=quay.io/openshift/origin-cli:4.13 /usr/bin/oc /usr/bin
 COPY --from=quay.io/operator-framework/operator-sdk:v1.25 /usr/local/bin/operator-sdk /usr/local/bin
 

.openshift-ci/image-push/entrypoint.sh

@@ -41,7 +41,7 @@ if [[ -z "$QUAY_RHACS_ENG_RW_PASSWORD" ]]; then
 fi
 
 log
-log "** Entrypoint for ACS MS Image Push **"
+log "** Entrypoint for ACSCS Image Push **"
 log
 
 registry_host=$(echo "$IMAGE_PUSH_REGISTRY" | cut -d / -f 1)

.openshift-ci/tests/e2e-test.sh

@@ -18,7 +18,7 @@ up.sh
 log "Environment up and running"
 log "Waiting for fleet-manager to complete leader election..."
 # Don't have a better way yet to wait until fleet-manager has completed the leader election.
-$KUBECTL -n "$ACSMS_NAMESPACE" logs -l application=fleet-manager -c fleet-manager -f --tail=-1 |
+$KUBECTL -n "$ACSCS_NAMESPACE" logs -l application=fleet-manager -c fleet-manager -f --tail=-1 |
     grep -q --line-buffered --max-count=1 'Running as the leader and starting' || true
 sleep 1
 

.openshift-ci/tests/e2e.sh

@@ -10,6 +10,7 @@ export GITROOT
 source "${GITROOT}/dev/env/scripts/lib.sh"
 
 RUN_AUTH_E2E_DEFAULT="false"
+RUN_CENTRAL_E2E_DEFAULT="true"
 
 if [[ "${OPENSHIFT_CI:-}" == "true" ]]; then
     # We are running in an OpenShift CI context, configure accordingly.
@@ -39,9 +40,10 @@ if [[ "$SPAWN_LOGGER" == "true" && "$LOG_DIR" == "" ]]; then
 fi
 export LOG_DIR
 export RUN_AUTH_E2E=${RUN_AUTH_E2E:-$RUN_AUTH_E2E_DEFAULT}
+export RUN_CENTRAL_E2E=${RUN_CENTRAL_E2E:-$RUN_CENTRAL_E2E_DEFAULT}
 
 log
-log "** Entrypoint for ACS MS E2E Tests **"
+log "** Entrypoint for ACSCS E2E Tests **"
 log
 
 log "Cluster type: ${CLUSTER_TYPE}"
@@ -95,7 +97,7 @@ if [[ "$SPAWN_LOGGER" == "true" ]]; then
     apply "${MANIFESTS_DIR}/rhacs-operator/00-namespace.yaml"
     sleep 2
     log "Spawning logger, log directory is ${LOG_DIR}"
-    stern -n "$ACSMS_NAMESPACE" '.*' --color=never --template '[{{.ContainerName}}] {{.Message}}{{"\n"}}' >"${LOG_DIR}/namespace-${ACSMS_NAMESPACE}.txt" 2>&1 &
+    stern -n "$ACSCS_NAMESPACE" '.*' --color=never --template '[{{.ContainerName}}] {{.Message}}{{"\n"}}' >"${LOG_DIR}/namespace-${ACSCS_NAMESPACE}.txt" 2>&1 &
     stern -n "$STACKROX_OPERATOR_NAMESPACE" '.*' --color=never --template '[{{.ContainerName}}] {{.Message}}{{"\n"}}' >"${LOG_DIR}/namespace-${STACKROX_OPERATOR_NAMESPACE}.txt" 2>&1 &
 fi
 
@@ -135,10 +137,10 @@ if [[ "$DUMP_LOGS" == "true" ]]; then
         log
     fi
 
-    log "** BEGIN ACSMS PODS **"
-    $KUBECTL -n "$ACSMS_NAMESPACE" get pods || true
-    $KUBECTL -n "$ACSMS_NAMESPACE" describe pods || true
-    log "** END ACSMS PODS **"
+    log "** BEGIN ACSCS PODS **"
+    $KUBECTL -n "$ACSCS_NAMESPACE" get pods || true
+    $KUBECTL -n "$ACSCS_NAMESPACE" describe pods || true
+    log "** END ACSCS PODS **"
     log
 
     log "** BEGIN OPERATOR STATE **"

.secrets.baseline

@@ -462,78 +462,78 @@
         "filename": "templates/service-template.yml",
         "hashed_secret": "13032f402fed753c2248419ea4f69f99931f6dbc",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "30025f80f6e22cdafb85db387d50f90ea884576a",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "355f24fd038bcaf85617abdcaa64af51ed19bbcf",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "3d8a1dcd2c3c765ce35c9a9552d23273cc4ddace",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "4ac7b0522761eba972467942cd5cd7499dd2c361",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "7639ab2a6bcf2ea30a055a99468c9cd844d4c22a",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "b56360daf4793d2a74991a972b34d95bc00fb2da",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "c9a73ef9ee8ce9f38437227801c70bcc6740d1a1",
         "is_verified": false,
-        "line_number": 557
+        "line_number": 564
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "templates/service-template.yml",
         "hashed_secret": "14736999d9940728c5294277831a702f7882dece",
         "is_verified": false,
-        "line_number": 594
+        "line_number": 601
       },
       {
         "type": "Secret Keyword",
         "filename": "templates/service-template.yml",
         "hashed_secret": "4e199b4a1c40b497a95fcd1cd896351733849949",
         "is_verified": false,
-        "line_number": 681,
+        "line_number": 688,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "templates/service-template.yml",
         "hashed_secret": "9d51dabe59aa776bef2909d3689374ebb93ab2be",
         "is_verified": false,
-        "line_number": 725
+        "line_number": 732
       }
     ],
     "test/support/certs.json": [
@@ -564,5 +564,5 @@
       }
     ]
   },
-  "generated_at": "2023-09-06T14:19:26Z"
+  "generated_at": "2023-09-15T13:53:14Z"
 }

Dockerfile

@@ -1,31 +1,14 @@
-FROM registry.ci.openshift.org/stolostron/builder:go1.20-linux AS build
-
-ENV GOFLAGS="-mod=mod"
+FROM registry.ci.openshift.org/openshift/release:golang-1.20 AS build
 
 RUN mkdir /rds_ca
 ADD https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /rds_ca/aws-rds-ca-global-bundle.pem
 
 RUN mkdir /src
 WORKDIR /src
-RUN CGO_ENABLED=0 go install -ldflags "-s -w -extldflags '-static'" github.com/go-delve/delve/cmd/dlv@latest
-COPY go.*  ./
-RUN go mod download
 COPY . ./
 
-FROM build as build-debug
-RUN GOARGS="-gcflags 'all=-N -l'" make binary
-
-FROM build as build-standard
 RUN make binary
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as debug
-COPY --from=build-debug /go/bin/dlv /src/fleet-manager /src/fleetshard-sync /usr/local/bin/
-COPY --from=build-debug /src /src
-COPY --from=build /rds_ca /usr/local/share/ca-certificates
-EXPOSE 8000
-WORKDIR /
-ENTRYPOINT [ "/usr/local/bin/dlv" , "--listen=:40000", "--headless=true", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/fleet-manager", "serve"]
-
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as standard
 
 RUN microdnf install shadow-utils
@@ -34,8 +17,9 @@ RUN useradd -u 1001 unprivilegeduser
 # Switch to non-root user
 USER unprivilegeduser
 
-COPY --chown=unprivilegeduser --from=build-standard /src/fleet-manager /src/fleetshard-sync /usr/local/bin/
+COPY --chown=unprivilegeduser --from=build /src/fleet-manager /src/fleetshard-sync /usr/local/bin/
 COPY --chown=unprivilegeduser --from=build /rds_ca /usr/local/share/ca-certificates
+
 EXPOSE 8000
 WORKDIR /
 ENTRYPOINT ["/usr/local/bin/fleet-manager", "serve"]

Dockerfile.hybrid → Dockerfile.local

@@ -1,12 +1,26 @@
+# This dockerfile is used for local builds to support architectures like arm64.
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8
 
+RUN microdnf install shadow-utils
+
+RUN useradd -u 1001 unprivilegeduser
+# Switch to non-root user
+
+RUN mkdir /rds_ca
 ADD https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /usr/local/share/ca-certificates/aws-rds-ca-global-bundle.pem
 
 COPY \
     fleet-manager \
     fleetshard-sync \
     /usr/local/bin/
 
+RUN chown unprivilegeduser /usr/local/bin/fleet-manager
+RUN chown unprivilegeduser /usr/local/bin/fleetshard-sync
+RUN chown unprivilegeduser /rds_ca
+RUN chown unprivilegeduser /usr/local/share/ca-certificates
+
+USER unprivilegeduser
+
 EXPOSE 8000
 
 ENTRYPOINT ["/usr/local/bin/fleet-manager", "serve"]

Dockerfile.tools

@@ -0,0 +1,33 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8
+
+ENV KUBECTL_VERSION=v1.28.1
+
+COPY \
+    fleet-manager \
+    fleetshard-sync \
+    acsfleetctl \
+    /usr/local/bin/
+
+RUN microdnf install tar gzip
+
+# Install kubeval
+RUN curl -LO https://github.com/instrumenta/kubeval/releases/download/v0.16.1/kubeval-linux-amd64.tar.gz
+RUN curl -LO "https://github.com/instrumenta/kubeval/releases/download/v0.16.1/checksums.txt"
+RUN cat checksums.txt | grep linux-amd64 | sha256sum --check
+RUN tar -xf kubeval-linux-amd64.tar.gz
+
+RUN mv kubeval /usr/bin/kubeval
+RUN chmod +x /usr/bin/kubeval
+RUN rm kubeval-linux-amd64.tar.gz
+
+# Install kubeclt
+RUN curl -o /usr/bin/kubectl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl"
+RUN chmod +x /usr/bin/kubectl
+RUN curl -LO "https://dl.k8s.io/$KUBECTL_VERSION/bin/linux/amd64/kubectl.sha256"
+RUN echo "$(cat kubectl.sha256)  /usr/bin/kubectl" | sha256sum --check
+
+LABEL name="fleet-manager-tools" \
+      vendor="Red Hat" \
+      version="0.0.1" \
+      summary="FleetManagerTools" \
+      description="RHACS fleet-manager tools used for CI pipelines"