From 50b99b7b9a91136c40404f6fb5e154b5425bb978 Mon Sep 17 00:00:00 2001 From: Ankit152 Date: Wed, 8 Apr 2026 14:45:47 +0530 Subject: [PATCH] chore: update boilerplate in ADO Signed-off-by: Ankit152 --- .tekton/addon-operator-pko-pull-request.yaml | 3 +- .tekton/addon-operator-pko-push.yaml | 3 +- OWNERS_ALIASES | 1 - boilerplate/_data/last-boilerplate-commit | 2 +- .../golang-osd-operator/OWNERS_ALIASES | 1 - .../openshift/golang-osd-operator/README.md | 12 +++ .../golang-osd-operator/olm_pko_migration.py | 2 + .../openshift/golang-osd-operator/standard.mk | 78 ++++++++++++++++++- build/Dockerfile | 2 +- build/Dockerfile.olm-registry | 2 +- build/Dockerfile.webhook | 2 +- deploy_pko/ConfigMap-trusted-ca-bundle.yaml | 4 +- 12 files changed, 101 insertions(+), 11 deletions(-) diff --git a/.tekton/addon-operator-pko-pull-request.yaml b/.tekton/addon-operator-pko-pull-request.yaml index 2e9ead4a2..a03a8a791 100644 --- a/.tekton/addon-operator-pko-pull-request.yaml +++ b/.tekton/addon-operator-pko-pull-request.yaml @@ -7,7 +7,8 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/cancel-in-progress: 'true' pipelinesascode.tekton.dev/max-keep-runs: '3' - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" labels: appstudio.openshift.io/application: addon-operator appstudio.openshift.io/component: addon-operator-pko diff --git a/.tekton/addon-operator-pko-push.yaml b/.tekton/addon-operator-pko-push.yaml index bed5531b3..c32208b15 100644 --- a/.tekton/addon-operator-pko-push.yaml +++ b/.tekton/addon-operator-pko-push.yaml 
@@ -7,7 +7,8 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/cancel-in-progress: 'false' pipelinesascode.tekton.dev/max-keep-runs: '3' - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" labels: appstudio.openshift.io/application: addon-operator appstudio.openshift.io/component: addon-operator-pko diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 3c43bbc8b..e0e91ef22 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -61,7 +61,6 @@ aliases: - casey-williams-rh - boranx srep-functional-team-thor: - - a7vicky - diakovnec - MitaliBhalla - feichashao diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit index 54e3398be..841c8a45d 100644 --- a/boilerplate/_data/last-boilerplate-commit +++ b/boilerplate/_data/last-boilerplate-commit @@ -1 +1 @@ -f03571416bfe939238200ef033d06d6ad4ab0738 +e3f009d62af7f2238476d8e66285075a2b73aaf2 diff --git a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES index 3c43bbc8b..e0e91ef22 100644 --- a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES +++ b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES @@ -61,7 +61,6 @@ aliases: - casey-williams-rh - boranx srep-functional-team-thor: - - a7vicky - diakovnec - MitaliBhalla - feichashao diff --git a/boilerplate/openshift/golang-osd-operator/README.md b/boilerplate/openshift/golang-osd-operator/README.md index 0f415ee09..fea37f6af 100644 --- a/boilerplate/openshift/golang-osd-operator/README.md +++ b/boilerplate/openshift/golang-osd-operator/README.md 
@@ -119,6 +119,18 @@ Checks consist of: - `go generate`. This is a no-op if you have no `//go:generate` directives in your code. +## PKO (Package Operator) fixture validation + +Operators deployed via [Package Operator](https://package-operator.run/) can define snapshot test fixtures that validate `.gotmpl` template rendering. If `deploy_pko/manifest.yaml` exists and contains a `test:` section, the following targets are available: + +- `make validate-pko-fixtures` validates that committed fixtures in `deploy_pko/.test-fixtures/` match the current template output. This runs automatically as part of `make validate` (and therefore `make container-validate`). Repos without PKO test fixtures are silently skipped. +- `make generate-pko-fixtures` regenerates fixtures after intentional changes to `.gotmpl` files or `manifest.yaml` config. Review the diff and commit the updated fixtures alongside the template changes. +- `make container-generate-pko-fixtures` runs fixture generation inside the boilerplate backing container, which has `kubectl-package` pre-installed. Useful if you don't have `kubectl-package` installed locally. The repository is bind-mounted into the container, so the generated fixtures appear directly in your local `deploy_pko/.test-fixtures/` directory — no manual copy step needed. + +Both targets require `kubectl-package`. If it is not found, the target fails with installation instructions. The backing container image includes `kubectl-package`, so `make container-validate` and `make container-generate-pko-fixtures` always work. + +**Important:** Buildah's `COPY *` includes dotfiles and dotdirs (contrary to standard glob behavior), so `deploy_pko/.test-fixtures/` will be included in the PKO OCI image unless excluded. `make generate-pko-fixtures` automatically creates a `deploy_pko/.dockerignore` with `.test-fixtures` to prevent this. `make validate-pko-fixtures` verifies the exclusion exists. 
Without it, PKO will see duplicate objects and fail to deploy the ClusterPackage. + ## FIPS (Federal Information Processing Standards) To enable FIPS in your build there is a `make ensure-fips` target. diff --git a/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py b/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py index f47eee7b0..abcd28d3f 100644 --- a/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py +++ b/boilerplate/openshift/golang-osd-operator/olm_pko_migration.py @@ -563,6 +563,8 @@ def annotate_manifests(manifests: list[str]) -> list[dict[str, Any]]: annotated.append(manifest) elif kind == "ServiceMonitor": annotated.append(annotate(manifest, PHASE_DEPLOY)) + elif kind == "ConfigMap": + annotated.append(annotate(manifest, PHASE_DEPLOY)) else: print(f"Unhandled type: {kind}") annotated.append(manifest) diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk index 9e3249dfd..922a68029 100644 --- a/boilerplate/openshift/golang-osd-operator/standard.mk +++ b/boilerplate/openshift/golang-osd-operator/standard.mk 
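Review bot: The new `elif kind == "ConfigMap":` branch in `annotate_manifests` repeats the body of the `ServiceMonitor` branch directly above it, so the two can drift apart. They could be merged into one branch: `elif kind in ("ServiceMonitor", "ConfigMap"):` followed by the existing `annotated.append(annotate(manifest, PHASE_DEPLOY))`. The hand-maintained `deploy_pko/ConfigMap-trusted-ca-bundle.yaml` in this same patch also carries `package-operator.run/collision-protection: IfNoController`. The body of `annotate` is not visible here, so it is worth confirming that migrated ConfigMaps get that annotation too, or adding a comment saying why they do not need it. The function starts before this hunk and continues after it.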
@@ -309,10 +309,82 @@ prow-config: # Targets used by prow ###################### +# validate-pko-fixtures: Validate PKO package templates against committed snapshot fixtures. +# Silently skips if deploy_pko/ has no manifest.yaml with a test section. +# Requires kubectl-package; see https://github.com/package-operator/package-operator/releases +.PHONY: validate-pko-fixtures +validate-pko-fixtures: + @if [ -d deploy_pko ] && grep -q '^test:' deploy_pko/manifest.yaml 2>/dev/null; then \ + if ! command -v kubectl-package >/dev/null 2>&1; then \ + echo "ERROR: kubectl-package is not installed." >&2; \ + echo "Install it from: https://github.com/package-operator/package-operator/releases" >&2; \ + echo "Example: curl -L -o /usr/local/bin/kubectl-package https://github.com/package-operator/package-operator/releases/download/v1.18.6/kubectl-package_linux_amd64 && chmod +x /usr/local/bin/kubectl-package" >&2; \ + exit 1; \ + fi; \ + echo "Validating PKO package fixtures..."; \ + kubectl-package validate deploy_pko/ || \ + (echo "ERROR: PKO fixture validation failed. Rendered templates do not match committed fixtures." >&2; \ + echo "If you intentionally changed a deploy_pko/ .gotmpl or manifest.yaml config, regenerate fixtures:" >&2; \ + echo " make generate-pko-fixtures" >&2; \ + echo " git diff deploy_pko/.test-fixtures/" >&2; \ + echo "Review the diff to confirm only your intended changes are reflected, then commit the updated fixtures." >&2; \ + echo "If you did NOT intend to change template output, your modifications may have introduced an unintended" >&2; \ + echo "regression in the rendered deployment manifests. Review your changes to deploy_pko/ carefully." 
>&2; \ + exit 1); \ + if [ -d deploy_pko/.test-fixtures ]; then \ + ignore_file=""; \ + if [ -f deploy_pko/.containerignore ]; then \ + ignore_file="deploy_pko/.containerignore"; \ + elif [ -f deploy_pko/.dockerignore ]; then \ + ignore_file="deploy_pko/.dockerignore"; \ + fi; \ + if [ -z "$$ignore_file" ]; then \ + echo "ERROR: deploy_pko/.test-fixtures/ exists but no .dockerignore or .containerignore found in deploy_pko/." >&2; \ + echo "Without it, test fixtures will be included in the PKO OCI image, causing Duplicate Object errors." >&2; \ + echo "Fix: run 'make generate-pko-fixtures' to auto-create deploy_pko/.dockerignore" >&2; \ + exit 1; \ + elif ! grep -q '\.test-fixtures' "$$ignore_file"; then \ + echo "ERROR: $$ignore_file exists but does not exclude .test-fixtures." >&2; \ + echo "Without this exclusion, test fixtures will be included in the PKO OCI image." >&2; \ + echo "Fix: add '.test-fixtures' to $$ignore_file" >&2; \ + exit 1; \ + fi; \ + fi; \ + fi + +# generate-pko-fixtures: Regenerate PKO snapshot fixtures after template changes. +# Requires kubectl-package; see https://github.com/package-operator/package-operator/releases +.PHONY: generate-pko-fixtures +generate-pko-fixtures: + @if [ -d deploy_pko ] && grep -q '^test:' deploy_pko/manifest.yaml 2>/dev/null; then \ + if ! command -v kubectl-package >/dev/null 2>&1; then \ + echo "ERROR: kubectl-package is not installed." >&2; \ + echo "Install it from: https://github.com/package-operator/package-operator/releases" >&2; \ + echo "Example: curl -L -o /usr/local/bin/kubectl-package https://github.com/package-operator/package-operator/releases/download/v1.18.6/kubectl-package_linux_amd64 && chmod +x /usr/local/bin/kubectl-package" >&2; \ + exit 1; \ + fi; \ + echo "Regenerating PKO test fixtures..."; \ + rm -rf deploy_pko/.test-fixtures; \ + kubectl-package validate deploy_pko/ && \ + if [ ! -f deploy_pko/.dockerignore ] && [ ! 
-f deploy_pko/.containerignore ]; then \ + echo ".test-fixtures" > deploy_pko/.dockerignore; \ + echo "Created deploy_pko/.dockerignore to exclude .test-fixtures from PKO image."; \ + elif [ -f deploy_pko/.dockerignore ] && ! grep -q '\.test-fixtures' deploy_pko/.dockerignore; then \ + echo ".test-fixtures" >> deploy_pko/.dockerignore; \ + echo "Added .test-fixtures to deploy_pko/.dockerignore."; \ + elif [ -f deploy_pko/.containerignore ] && ! grep -q '\.test-fixtures' deploy_pko/.containerignore; then \ + echo ".test-fixtures" >> deploy_pko/.containerignore; \ + echo "Added .test-fixtures to deploy_pko/.containerignore."; \ + fi; \ + echo "Fixtures regenerated. Review with 'git diff deploy_pko/.test-fixtures/' and commit."; \ + else \ + echo "No PKO test configuration found in deploy_pko/manifest.yaml, nothing to generate."; \ + fi + # validate: Ensure code generation has not been forgotten; and ensure # generated and boilerplate code has not been modified. .PHONY: validate -validate: boilerplate-freeze-check generate-check +validate: boilerplate-freeze-check generate-check validate-pko-fixtures # lint: Perform static analysis. .PHONY: lint @@ -396,6 +468,10 @@ container-validate: container-coverage: ${BOILERPLATE_CONTAINER_MAKE} coverage +.PHONY: container-generate-pko-fixtures +container-generate-pko-fixtures: + ${BOILERPLATE_CONTAINER_MAKE} generate-pko-fixtures + # Run all container-* validation targets in sequence. # Set NONINTERACTIVE=true to skip debug shells and fail fast for CI/automation. .PHONY: container-all diff --git a/build/Dockerfile b/build/Dockerfile index a07892b31..3979ce37b 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -10,7 +10,7 @@ COPY . . RUN make go-build ### -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882 ENV USER_UID=1001 \ USER_NAME=addon-operator 
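Review bot: In `generate-pko-fixtures`, a failing `kubectl-package validate deploy_pko/` only skips the ignore-file `if` chained to it with `&&`; the recipe still reaches `echo "Fixtures regenerated. ..."` and exits 0, after `rm -rf deploy_pko/.test-fixtures` has already removed the committed fixtures. Writing the call as `kubectl-package validate deploy_pko/ || exit 1; \` and starting the `if` as its own command would make the target fail visibly. Separately, the install hint printed by both targets downloads a release binary into `/usr/local/bin` with `curl -L -o ...` and no integrity check, and hard-codes `v1.18.6` and `linux_amd64`. Pointing only at the releases page, or adding a checksum comparison if the release publishes one, would avoid teaching an unverified install. When both ignore files exist and neither lists `.test-fixtures`, `generate-pko-fixtures` appends only to `.dockerignore` while `validate-pko-fixtures` checks `.containerignore`, so validation still fails after regenerating.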
diff --git a/build/Dockerfile.olm-registry b/build/Dockerfile.olm-registry index d2a643725..be9e6c7ea 100644 --- a/build/Dockerfile.olm-registry +++ b/build/Dockerfile.olm-registry @@ -4,7 +4,7 @@ COPY ${SAAS_OPERATOR_DIR} manifests RUN initializer --permissive # ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882 COPY --from=builder /bin/registry-server /bin/registry-server COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe diff --git a/build/Dockerfile.webhook b/build/Dockerfile.webhook index 35832f8e6..47fdb88ab 100644 --- a/build/Dockerfile.webhook +++ b/build/Dockerfile.webhook @@ -10,7 +10,7 @@ COPY . . RUN GOOS=linux CGO_ENABLED=1 GOARCH=amd64 GOFLAGS="" go build -o build/_output/bin/addon-operator-webhook ./cmd/addon-operator-webhook ### -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882 ENV USER_UID=1001 \ USER_NAME=addon-operator diff --git a/deploy_pko/ConfigMap-trusted-ca-bundle.yaml b/deploy_pko/ConfigMap-trusted-ca-bundle.yaml index 6912f6d81..9899a8b7f 100644 --- a/deploy_pko/ConfigMap-trusted-ca-bundle.yaml +++ b/deploy_pko/ConfigMap-trusted-ca-bundle.yaml @@ -3,8 +3,8 @@ kind: ConfigMap metadata: namespace: openshift-addon-operator name: trusted-ca-bundle + labels: + config.openshift.io/inject-trusted-cabundle: 'true' annotations: package-operator.run/phase: deploy package-operator.run/collision-protection: IfNoController - labels: - config.openshift.io/inject-trusted-cabundle: 'true'