Release-1.6.1

openshift-helm-charts · Nov 8, 2023 · fdbcac9 · fdbcac9
1 parent 322cde1
commit fdbcac9
Show file tree

Hide file tree

Showing 5 changed files with 474 additions and 129 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -106,6 +106,7 @@ jobs:
       report_content: ${{ steps.check_report.outputs.report_content }}
       redhat_to_community: ${{ steps.check_report.outputs.redhat_to_community }}
       message_file: ${{ steps.pr_comment.outputs.message-file }}
+      message_text_base64: ${{ steps.encode_pr_comment.outputs.message-text-base64 }}
       web_catalog_only: ${{ steps.check_pr_content.outputs.web_catalog_only }}
       chart_entry_name: ${{ steps.check_pr_content.outputs.chart-entry-name }}
       release_tag: ${{ steps.check_pr_content.outputs.release_tag }}
@@ -213,6 +214,7 @@ jobs:
           ../ve1/bin/get-verify-params --directory=pr --api-url=${{ github.event.pull_request._links.self.href }}
 
       - name: Install oc
+        id: install-oc
         if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
         uses: redhat-actions/openshift-tools-installer@v1
         with:
@@ -334,11 +336,20 @@ jobs:
           PR_CONTENT_ERROR_MESSAGE: ${{ steps.check_pr_content.outputs.pr-content-error-message }}
           OWNERS_ERROR_MESSAGE: ${{ steps.check_pr_content.outputs.owners-error-message }}
           COMMUNITY_MANUAL_REVIEW: ${{ steps.check_report.outputs.community_manual_review_required }}
-          OC_INSTALL_RESULT: ${{ steps.install-oc.conclusion }}
+          OC_INSTALL_RESULT: ${{ steps.install-oc.outcome }}
           VERIFIER_ERROR_MESSAGE: ${{ steps.check-verifier-result.outputs.verifier_error_message }}
         run: |
           ve1/bin/pr-comment ${{ steps.check_pr_content.outcome }} ${{ steps.run-verifier.outcome }} ${{ steps.check_report.conclusion }}
 
+      # Note(komish): This step is a temporary fix for the metrics step in the next job
+      # which expects the PR comment to exist at the specified filesystem location.
+      - name: Encode PR Comment for Metrics
+        id: encode_pr_comment
+        if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
+        run: |
+          commentBase64=$(base64 --wrap=0 ${{ steps.pr_comment.outputs.message-file }})
+          echo "message-text-base64=${commentBase64}" | tee -a $GITHUB_OUTPUT
+        
       - name: Comment on PR
         if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
         uses: actions/github-script@v6
@@ -488,6 +499,16 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      # Note(komish): This step is a temporary workaround. Metrics requires the PR comment
+      # to be available, but it is written to the filesystem in the previous job.
+      # This can be removed once the metrics execution is restructured to have access to the PR
+      # comment, or pulled out of the release job entirely.
+      - name: Retrieve PR comment for metrics
+        if: ${{ always() && needs.setup.outputs.run_build == 'true' && env.GITHUB_REPOSITORY != 'openshift-helm-charts/sandbox' }}
+        run: |
+          mkdir -p $(dirname ${{ needs.chart-verifier.outputs.message_file }})
+          echo ${{ needs.chart-verifier.outputs.message_text_base64 }} | base64 -d | tee ${{ needs.chart-verifier.outputs.message_file }}
+
       - name: Add metrics
         if: ${{ always() && needs.setup.outputs.run_build == 'true' && env.GITHUB_REPOSITORY != 'openshift-helm-charts/sandbox' }}
         env:

diff --git a/docs/README.md b/docs/README.md
@@ -23,32 +23,36 @@ submit a chart and the report together.
 **Table of Contents:**
 
 <!--ts-->
-* [OpenShift Helm Charts Repository](#openshift-helm-charts-repository)
-   * [Submitting Chart Related Changes](#submitting-chart-related-changes)
-      * [Preparation](#preparation)
-      * [Submitting a Chart without Chart Verification Report](#submitting-a-chart-without-chart-verification-report)
-      * [Submitting a Chart Verification Report without the Chart](#submitting-a-chart-verification-report-without-the-chart)
-      * [Submitting a Chart Verification Report with the Chart](#submitting-a-chart-verification-report-with-the-chart)
-   * [Post Submission Manual Review](#post-submission-manual-review)
-   * [Troubleshooting Pull Request Failures](#troubleshooting-pull-request-failures)
-      * [Error when submitting files not part of any chart](#error-when-submitting-files-not-part-of-any-chart)
-      * [Missing OWNERS file in the chart directory](#missing-owners-file-in-the-chart-directory)
-      * [Pull request author is not part of OWNERS file](#pull-request-author-is-not-part-of-owners-file)
-      * [Vendor label mismatch with the directory structure](#vendor-label-mismatch-with-the-directory-structure)
-      * [Chart name mismatch with the directory structure](#chart-name-mismatch-with-the-directory-structure)
-      * [Error when submitting both chart source and tarball](#error-when-submitting-both-chart-source-and-tarball)
-      * [Error when submitting files not related to any chart](#error-when-submitting-files-not-related-to-any-chart)
-      * [Error when digest in the report is not matching with the chart digest](#error-when-digest-in-the-report-is-not-matching-with-the-chart-digest)
-      * [Error with the chart URL when submitting report](#error-with-the-chart-url-when-submitting-report)
-      * [Chart name and version mismatch errors](#chart-name-and-version-mismatch-errors)
-      * [Report failures](#report-failures)
-      * [Signed chart failures](#signed-chart-failures)
-      * [Web catalog only delivery](#web-catalog-only-delivery)
-   * [Frequently Asked Questions](#frequently-asked-questions)
-      * [Can I test the pull request in my fork before submitting?](#can-i-test-the-pull-request-in-my-fork-before-submitting)
-      * [Can I use any command-line interface to create pull request?](#can-i-use-any-command-line-interface-to-create-pull-request)
-      * [How to update OWNERS file?](#how-to-update-owners-file)
-   * [Support](#support)
+- [OpenShift Helm Charts Repository](#openshift-helm-charts-repository)
+  - [Submitting Chart Related Changes](#submitting-chart-related-changes)
+    - [Preparation](#preparation)
+    - [Submitting a Chart without Chart Verification Report](#submitting-a-chart-without-chart-verification-report)
+    - [Submitting a Chart Verification Report without the Chart](#submitting-a-chart-verification-report-without-the-chart)
+      - [Signed Report](#signed-report)
+      - [Report for a Signed chart](#report-for-a-signed-chart)
+    - [Submitting a Chart Verification Report with the Chart](#submitting-a-chart-verification-report-with-the-chart)
+      - [Signed Report](#signed-report-1)
+      - [Signed Chart](#signed-chart)
+  - [Post Submission Manual Review](#post-submission-manual-review)
+  - [Troubleshooting Pull Request Failures](#troubleshooting-pull-request-failures)
+    - [Error when submitting files not part of any chart](#error-when-submitting-files-not-part-of-any-chart)
+    - [Missing OWNERS file in the chart directory](#missing-owners-file-in-the-chart-directory)
+    - [Pull request author is not part of OWNERS file](#pull-request-author-is-not-part-of-owners-file)
+    - [Vendor label mismatch with the directory structure](#vendor-label-mismatch-with-the-directory-structure)
+    - [Chart name mismatch with the directory structure](#chart-name-mismatch-with-the-directory-structure)
+    - [Error when submitting both chart source and tarball](#error-when-submitting-both-chart-source-and-tarball)
+    - [Error when submitting files not related to any chart](#error-when-submitting-files-not-related-to-any-chart)
+    - [Error when digest in the report is not matching with the chart digest](#error-when-digest-in-the-report-is-not-matching-with-the-chart-digest)
+    - [Error with the chart URL when submitting report](#error-with-the-chart-url-when-submitting-report)
+    - [Chart name and version mismatch errors](#chart-name-and-version-mismatch-errors)
+    - [Report failures](#report-failures)
+  - [Signed chart failures](#signed-chart-failures)
+    - [Web catalog only delivery](#web-catalog-only-delivery)
+  - [Frequently Asked Questions](#frequently-asked-questions)
+    - [Can I test the pull request in my fork before submitting?](#can-i-test-the-pull-request-in-my-fork-before-submitting)
+    - [Can I use any command-line interface to create pull request?](#can-i-use-any-command-line-interface-to-create-pull-request)
+    - [How to update OWNERS file?](#how-to-update-owners-file)
+  - [Support](#support)
 <!--te-->
 
 ---
@@ -357,7 +361,7 @@ If the vendor label in the `OWNERS` file is wrong, you can follow the [partner
 connect documentation][partners] to update the `OWNERS` file.
 
 If the directory structure (organization name) is wrong, please reach out to
-[Technology Partner Success Desk][partner-success-desk].
+[Partner Acceleration Desk][partner-acceleration-desk].
 
 ### Chart name mismatch with the directory structure
 
@@ -372,7 +376,7 @@ If the chart name in the `OWNERS` file is wrong, you can follow the [partner
 connect documentation][partners] to update the `OWNERS` file.
 
 If the directory structure (chart name) is wrong, please reach out to
-[Technology Partner Success Desk][partner-success-desk].
+[Partner Acceleration Desk][partner-acceleration-desk].
 
 ### Error when submitting both chart source and tarball
 
@@ -458,7 +462,7 @@ of [chart-verifier][chart-verifier] tool.
 ```
 
 If the error is still persisting after upgrading to latest chart-verifier,
-please contact [Technology Partner Success Desk][partner-success-desk].
+please contact [Partner Acceleration Desk][partner-acceleration-desk].
 
 If the report has some failure, it will be displayed like this:
 
@@ -515,46 +519,41 @@ There are three methods of distribution for certified helm charts.
 - Web catalog only
   - This submission should be report only using a private chart URL.
 
-For more information on the different Helm Chart Distribution methods, see: [Creating a Helm Chart Certification Project](https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/helm-chart-certification/creating-a-helm-chart-certification-project)
+For more information on the different Helm Chart Distribution methods, see: [Creating a Helm Chart Certification Project](https://access.redhat.com/documentation/en-us/red_hat_software_certification/8.67/html/red_hat_software_certification_workflow_guide/proc_creating-a-helm-chart-project_openshift-sw-cert-workflow-validating-helm-charts-for-certification)
 
 ## Frequently Asked Questions
 
 ### Can I test the pull request in my fork before submitting?
 
-Yes, you can do it.
-
-1. Ensure the `main` branch in your fork is updated with the latest changes.
-2. Create a GitHub [personal access token][pat] (PAT) and add it as an
-   [encyrpted secret][encyrpted-secret] with name as `BOT_TOKEN`.
-3. Create a branch and make your required changes and send a pull request to
-   your `main` branch.
-
+Yes, you can do it. See [Pull Reqest: Testing in a
+Fork](./pull-request.md#testing-in-a-fork) for more information
 ### Can I use any command-line interface to create pull request?
 
 Yes, you can use the [GitHub CLI to create pull request][gh-cli-pr].
 
 ### How to update OWNERS file?
 
-Partners can refer to the [partner documentation][partners].
+Partners can refer to the [partner documentation for Submitting your Helm chart for certification][owner-file].
 
 For Red Hat and Community charts, submit a PR towards `main` branch with an _OWNERS_ file under your chart directory within your orgranization directory.
 
 ## Support
 
 You can use the issue tracker in this repository to report bugs.  If you are a
-partner, please refer to the [Technology Partner Success Desk
-documentation][partner-success-desk].
+partner, please refer to the [Partner Acceleration Desk
+documentation][partner-acceleration-desk].
 
 ---
 
 [^Top](#openshift-helm-charts-repository)
 
-[partners]: https://redhat-connect.gitbook.io/certification-guides/
+[partners]: https://access.redhat.com/documentation/en-us/red_hat_software_certification/
+[owner-file]: https://access.redhat.com/documentation/en-us/red_hat_software_certification/8.67/html/red_hat_software_certification_workflow_guide/submitting-your-helm-chart-for-certification_openshift-sw-cert-workflow-complete-pre-certification-checklist-for-helmcharts
 [chart-verifier]: https://github.com/redhat-certification/chart-verifier
 [index-url]: https://charts.openshift.io
 [pat]: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
 [encyrpted-secret]: https://docs.github.com/en/actions/reference/encrypted-secrets
 [gh-cli-pr]: https://cli.github.com/manual/gh_pr_create
-[partner-success-desk]: https://redhat-connect.gitbook.io/red-hat-partner-connect-general-guide/managing-your-account/getting-help/technology-partner-success-desk
+[partner-acceleration-desk]: https://access.redhat.com/articles/6463941
 [new-issue]: https://github.com/openshift-helm-charts/repo/issues/new/choose
 [ascii-armor]: https://www.redhat.com/sysadmin/creating-gpg-keypairs
diff --git a/docs/pull-request.md b/docs/pull-request.md
@@ -27,3 +27,69 @@ The metadata line should meet the following requirements:
 2. The line starts with `/metadata` (space character is allowed before `/metadata`)
 3. After the JSON content, only space is allowed before the line end
 4. There will take at least one space immediately after `/metadata`
+
+## Testing in a Fork
+
+If you're making changes to workflows/scripts and want to test them before
+submitting a PR, you'll need to prepare a few prerequisites.
+
+1) A second account to use as your "Bot".
+    - This account is what does your "approvals" and interacts with GitHub on behalf of the GitHub Actions workflows. In some cases, the GitHub Actions Bot may be used, but generally, you will need a secondary account to interact with, approve, and merge your PRs (because you "can't approve your own" PRs).
+2) An OpenShift cluster (SNO works fine for most cases)
+    - Specifically for cases where your development requires you to run `chart-verifier` within the Pipeline. In order to do this successfully, you'll need a cluster for the pipeline to manipulate.
+
+With those in hand, follow the process below to configure your infrastructure.
+
+### Prepare GitHub
+
+1) Fork the repository to your own namespace/organization
+2) Ensure that the gh-pages branch exists in your fork, or otherwise pull the
+   branch from the origin and push it to your repository
+3) [Enable GitHub
+   Pages](https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site#creating-your-site)
+   for your repository. We do not use Custom Workflows for GitHub Pages as of
+   the time of this writing.
+4) Grant your "Bot" account access to your forked repository as a
+   [collaborator](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository).
+5) [Generate a Personal Access
+   Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
+   for your "Bot" that can write to the repository, update comments, approve
+   PRs, etc. (TODO: identify exact PAT perms necessary for both legacy and
+   fine-grained cases). Store this as `BOT_TOKEN` within your [repository
+   secrets](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
+6) [Configure GitHub
+   Actions](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository)
+   to run in your fork if they're not already allowed to do so.
+7) Create a new project directory within the
+   **charts/(community,partners,redhat)** directory for your chart submission,
+   with an appropriate OWNERS file that allows your GitHub Username to submit
+   PRs. If you don't, the pipeline will reject your PRs because "this user
+   cannot submit PRs to this project".
+    - Creating a partner project is the easiest, unless you're explicitly
+      testing Community or Red Hat workflows. The latter two have modified
+      submission workflows. that can get in the way of your testing.
+
+### Prepare your cluster
+
+A cluster is used to test the helm chart via "chart testing", which installs and
+runs certain tests against a given chart. Each PR gets its own namespace where
+the pipeline works during a PR's workflow execution. For that reason, we need
+to:
+
+1) Create the service account that's used to provision cluster namespaces and
+   tooling within your test cluster using [our
+   script](../scripts/src/saforcertadmin/create_sa.sh).
+2) Store the token in your [repository
+   secrets](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions)
+   as `CLUSTER_TOKEN`.
+3) Extract the cluster's API server address, base64 encode it, and store it in
+   your repository secrets as `API_SERVER`. E.g.
+
+```
+    yq .clusters[0].cluster.server /path/to/your/kubeconfig | base64
+```
+
+### Make your changes and tests
+
+At this point, you should be ready to make any workflow changes you want, submit
+a PR with an arbitrary chart, watch the pipelines, and then iterate as you need.