Add Openshift Virtualization FBC post-release tasks

fbc/fbc-post-release.yaml

@@ -0,0 +1,130 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: fbc-post-release
+spec:
+  description: This tasks gets all the required data of an FBC build and commits it to a payload repository to be used in a GitOps environment.
+  params:
+    - name: snapshot
+      type: string
+    - name: cnv_version
+      type: string
+    - name: releaseplan_id
+      type: string
+    - name: environment
+      type: string
+  tasks:
+    - name: get-info
+      params:
+        - name: SNAPSHOT
+          value: "$(params.snapshot)"
+        - name: CNV_VERSION
+          value: "$(params.cnv_version)"
+        - name: RELEASEPLAN_ID
+          value: "$(params.releaseplan_id)"
+        - name: ENVIRONMENT
+          value: "$(params.environment)"
+      taskSpec:
+        params:
+          - name: SNAPSHOT
+            type: string
+          - name: CNV_VERSION
+            type: string
+          - name: RELEASEPLAN_ID
+            type: string
+          - name: ENVIRONMENT
+            type: string
+        steps:
+          - name: get-info
+            image: quay.io/konflux-ci/release-service-utils:0a58b6a6b562879e89395636d97931f2dcbb494c
+            envFrom:
+              - secretRef:
+                  name: cnv-ci-release-token
+            script: |
+              #!/usr/bin/env bash
+              set -eo pipefail
+
+              snapshot_id=$(echo "$(params.SNAPSHOT)" | awk -F'/' '{print $2}')
+              release_id=$(kubectl get release --sort-by=.metadata.creationTimestamp -o json | \
+              jq -r --arg snapshot "${snapshot_id}" --arg releaseplan "$(params.RELEASEPLAN_ID)" \
+              '.items[] | select(.spec.snapshot == $snapshot and .spec.releasePlan == $releaseplan) | .metadata.name' | tail -n 1)
+
+              released_status=$(kubectl get release "${release_id}" -oyaml | yq '.status.conditions[] | select(.type == "ManagedPipelineProcessed") | .status')
+              if [ "$released_status" != "True" ]; then
+                echo "Release failed. Not continuing with post-release."
+                exit 1
+              fi
+
+              cnv_version="$(params.CNV_VERSION)"
+              snapshot_data=$(kubectl get snapshot "${snapshot_id}" -oyaml)
+              fbc_fragment=$(echo "${snapshot_data}" | yq '.spec.components[0].containerImage')
+              index_image=$(kubectl get release "${release_id}" -oyaml | yq ".status.artifacts.index_image.\"${cnv_version}\".index_image")
+              from_index="registry-proxy.engineering.redhat.com/rh-osbs/iib-pub-pending:${cnv_version}"
+
+              git_commit=$(echo "${snapshot_data}" | yq '.spec.components[0].source.git.revision')
+              git_repo=$(echo "${snapshot_data}" | yq '.spec.components[0].source.git.url')
+              gitfbcdir=$(mktemp -d) && cd "${gitfbcdir}"
+              git init
+              git remote add origin "${git_repo}.git"
+              git fetch origin "${git_commit}" --depth 1
+              git checkout "${git_commit}"
+              image_sha=$(yq '.image' ${cnv_version}/updated_image.yaml)
+              channel=$(yq '.channel' ${cnv_version}/updated_image.yaml)
+              hco_bundle_version=$(yq '.hco-bundle-version' ${cnv_version}/updated_image.yaml)
+              hco_bundle_url=$(yq '.hco-bundle-url' ${cnv_version}/updated_image.yaml)
+
+              if [[ $hco_bundle_version == v4.99* ]]; then
+                cnv_version="v4.99"
+              fi
+
+              gitpayloaddir=$(mktemp -d) && cd "${gitpayloaddir}"
+              git clone https://${github_token}@github.com/openshift-cnv/cnv-fbc-payloads-new.git && cd cnv-fbc-payloads-new
+              git config --global user.name "${github_username}"
+              git config --global user.email "[email protected]"
+
+              case $(params.ENVIRONMENT) in
+              "production")
+                NEXT_STAGE="verify-production-release"
+                ;;
+              "stage")
+                NEXT_STAGE="stage"
+                ;;
+              *)
+                echo "Unknown environment: $(params.ENVIRONMENT)"
+                exit 1
+                ;;
+              esac
+              save_folder="${cnv_version//./-}/lanes/${channel}/${NEXT_STAGE}"
+              mkdir -p "${save_folder}"
+              echo "" > "${save_folder}/payload.yaml"
+              yq e ".index_image = \"${index_image}\"" -i ${save_folder}/payload.yaml
+              yq e ".snapshot_id = \"${snapshot_id}\"" -i ${save_folder}/payload.yaml
+              yq e ".from_index = \"${from_index}\"" -i ${save_folder}/payload.yaml
+              yq e ".fbc_fragment = \"${fbc_fragment}\"" -i ${save_folder}/payload.yaml
+              yq e ".channel = \"${channel}\"" -i ${save_folder}/payload.yaml
+              yq e ".hco_bundle_registry_by_sha = \"${image_sha}\"" -i ${save_folder}/payload.yaml
+              image_base=$(echo "${image_sha}" | cut -d'@' -f1)
+              yq e ".hco_bundle_registry_by_tag = \"${image_base}:${hco_bundle_version}\"" -i ${save_folder}/payload.yaml
+              yq e ".hco_bundle_version = \"${hco_bundle_version}\"" -i ${save_folder}/payload.yaml
+              yq e ".hco_bundle_url = \"${hco_bundle_url}\"" -i ${save_folder}/payload.yaml
+              # Add the minor version number from the bundle for Kargo
+              yq e '.minorVersion = (.hco_bundle_version | split("-") | .[0])' -i ${save_folder}/payload.yaml
+              yq e '.rhelVersion = (.minorVersion | split(".") | .[3])' -i ${save_folder}/payload.yaml
+              yq e ".version = \"${cnv_version//./-}\"" -i ${save_folder}/payload.yaml
+              yq e ".releasePlan = \"${NEXT_STAGE}\"" -i ${save_folder}/payload.yaml
+              yq e ".freightName = \"${snapshot_id}\"" -i ${save_folder}/payload.yaml
+              yq e ".freightID = null" -i ${save_folder}/payload.yaml
+              yq e ".prNumber = null" -i ${save_folder}/payload.yaml
+              # add a firstRelease flag to the payload
+              patch_version=$(echo "$hco_bundle_version" | grep -oP 'v\d+\.\d+\.\K\d+')
+              if [ "$patch_version" -eq 0 ]; then
+                yq -i '.firstRelease = true' ${save_folder}/payload.yaml
+              else
+                yq -i '.firstRelease = false' ${save_folder}/payload.yaml
+              fi
+
+
+              git add .
+              git commit -m "Update payload $hco_bundle_version"
+              git push origin main

pipelines/update-bundle.yaml

@@ -0,0 +1,163 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: update-bundle
+spec:
+  description: This tasks gets all the required data of an FBC build and commits it to a payload repository to be used in a GitOps environment.
+  params:
+    - name: snapshot
+      type: string
+  tasks:
+    - name: update-bundle
+      params:
+        - name: SNAPSHOT
+          value: "$(params.snapshot)"
+      taskSpec:
+        params:
+          - name: SNAPSHOT
+            type: string
+        results:
+          - name: snapshots-to-release
+            description: Contents of the snapshots.json file
+          - name: bundle-version
+            description: NVR of the bundle
+        volumes:
+          - name: quay-creds
+            secret:
+              secretName: quay-builds-creds
+        steps:
+          - name: update-bundle
+            image: quay.io/konflux-ci/release-service-utils@sha256:2f9e6863e82bbc9ddce5a290f3fd0e87657c475e3de8a832b2ef7f8d0671e7d3
+            envFrom:
+              - secretRef:
+                  name: hco-updater-gitlab-token
+            script: |
+              #!/usr/bin/env bash
+              set -eo pipefail
+
+              SNAPSHOT_ID=$(echo "$(params.SNAPSHOT)" | awk -F'/' '{print $2}')
+              SNAPSHOT_DATA=$(kubectl get snapshot $SNAPSHOT_ID -ojson)
+              NAMESPACE=$(jq -r '.metadata.namespace' <<< "$SNAPSHOT_DATA")
+              APPLICATION=$(jq -r '.spec.application' <<< "$SNAPSHOT_DATA")
+              VERSION=$(echo "$NAMESPACE" | cut -d'-' -f1,2)
+              REPO_URL="https://gitlab.cee.redhat.com/openshift-virtualization/konflux-builds/${VERSION}/hco-bundle-registry.git"
+              REPO_URL=$(echo "$REPO_URL" | sed "s|https://|https://oauth2:${GITLAB_TOKEN}@|")
+
+              git clone $REPO_URL --depth 50
+              cd hco-bundle-registry
+              git remote set-url origin "$REPO_URL"
+              git config user.name "submodule-sync"
+              git config user.email "[email protected]"
+
+              IMAGES=$(jq -r '.spec.components[].containerImage' <<< "$SNAPSHOT_DATA")
+
+              # Make sure all the commits in every component are the same
+              if jq -e '[.spec.components[].source.git.revision] | unique | length == 1' <<< "$SNAPSHOT_DATA" > /dev/null; then
+                echo "The snapshot has all the components pointing to the same commit, continuing."
+              else
+                echo "Commits are inconsistent!"
+                exit 1
+              fi
+
+              function update_images_snapshots() {
+                for img in $IMAGES; do
+                  image_name_sha=$(echo "${img##*/}")
+                  image_name=$(echo "$image_name_sha" | cut -d'@' -f1)
+
+                  if [[ "$image_name" == *"-operator-rhel"* ]]; then
+                    json_file="components/hco-bundle-registry/core-params.json"
+                  else
+                    json_file="components/hco-bundle-registry/extra-params.json"
+                  fi
+                  jq ".\"${image_name}-image\" = \"${image_name_sha}\"" "$json_file" > "${json_file}.tmp" && mv "${json_file}.tmp" "$json_file"
+                done
+
+                snapshots_file="components/hco-bundle-registry/snapshots.json"
+                touch ${snapshots_file}
+                jq -n \
+                  --slurpfile f "$snapshots_file" \
+                  --arg app "$APPLICATION" \
+                  --arg snap "$SNAPSHOT_ID" \
+                  '$f[0] // {} | .[$app] = $snap' \
+                > "$snapshots_file.tmp" \
+                && mv "$snapshots_file.tmp" "$snapshots_file"
+              }
+
+              update_images_snapshots
+
+              git add .
+              # Check if there are actually changes before committing
+              if ! git diff-index --quiet HEAD; then
+                git commit -m "Update HCO bundle registry with new images"
+                git pull --rebase origin main
+                git push origin main
+              else
+                echo "No changes detected in the bundle registry. Skipping git push."
+              fi
+
+              if [[ "$(params.SNAPSHOT)" == *"hco-bundle-registry"* ]]; then
+                REPO_REVISION=$(jq -r '.spec.components[].source.git.revision' <<< "$SNAPSHOT_DATA")
+
+                BUNDLE_VERSION=$(cat build-bundle.json | jq -r '.metadata.Version | "\(.XY).\(.Z)-\(.release)" | sub("^v"; "")')
+                echo -n "$BUNDLE_VERSION" > /tekton/results/bundle-version
+
+                # Make sure we are getting the exact snapshots from the bundle
+                git checkout $REPO_REVISION
+
+                # Update the bundle snapshot as its not updated in this commit
+                update_images_snapshots
+
+                SNAPSHOTS_TO_RELEASE=$(cat $snapshots_file)
+                echo -n "$SNAPSHOTS_TO_RELEASE" > /tekton/results/snapshots-to-release
+              fi
+          - name: push-release-chart
+            image: quay.io/redhat-user-workloads/ocp-virt-images-tenant/pipeline-tools@sha256:18f9f819e9393891ce7ae19414a5672786e3efb120bdeaa2c254d8ba5d8e2493
+            envFrom:
+              - secretRef:
+                  name: hco-updater-gitlab-token
+              - secretRef:
+                  name: quay-builds-creds
+            volumeMounts:
+              - name: quay-creds
+                mountPath: /tmp/quay-builds-creds
+                readOnly: true
+            script: |
+              #!/usr/bin/env bash
+              set -eo pipefail
+
+              # Only continue if its releasing hco-bundle-registry
+              if [[ "$(params.SNAPSHOT)" != *"hco-bundle-registry"* ]]; then
+                echo "Skipping push-release-chart: snapshot parameter does not contain 'hco-bundle-registry'"
+                exit 0
+              fi
+
+              # Read results from previous step
+              SNAPSHOTS_TO_RELEASE=$(cat /tekton/results/snapshots-to-release)
+              BUNDLE_VERSION=$(cat /tekton/results/bundle-version)
+              XY=$(echo "$BUNDLE_VERSION" | cut -d'.' -f1,2 | tr '.' '-')
+
+              TMPDIR=$(mktemp -d)
+              cd "$TMPDIR"
+              export HOME=/tmp
+              git clone https://gitlab.cee.redhat.com/openshift-virtualization/konflux-builds/release-chart.git --depth 1
+              cd release-chart/release-orchestrator
+              yq -i ".version = \"$BUNDLE_VERSION\"" Chart.yaml
+              yq -i ".global.releasePlan = \"TODO-RELEASEPLAN\"" values.yaml
+              yq -i ".global.targetNamespace = \"v${XY}-openshift-virtualization-tenant\"" values.yaml
+
+              # Update values.yaml with snapshots from SNAPSHOTS_TO_RELEASE
+              echo "$SNAPSHOTS_TO_RELEASE" | jq -r '{snapshots: .}' | yq eval -P '.' > /tmp/snapshots_with_key.yaml
+              yq eval-all '. as $item ireduce ({}; . * $item)' values.yaml /tmp/snapshots_with_key.yaml -i
+
+              DOCKER_CONFIG=$(cat /tmp/quay-builds-creds/.dockerconfigjson)
+              QUAY_USERNAME=$(echo "${DOCKER_CONFIG}" | jq -r '.auths | to_entries[] | select(.key | contains("quay.io")) | .value.username')
+              QUAY_PASSWORD=$(echo "${DOCKER_CONFIG}" | jq -r '.auths | to_entries[] | select(.key | contains("quay.io")) | .value.password')
+              QUAY_URL=$(echo "${DOCKER_CONFIG}" | jq -r '.auths | to_entries[] | .key')
+
+              echo "${QUAY_PASSWORD}" | helm registry login quay.io --username "${QUAY_USERNAME}" --password-stdin
+
+              PACKAGE_OUTPUT=$(helm package . 2>&1)
+              PACKAGE_FILE=$(echo "${PACKAGE_OUTPUT}" | grep -oP 'Successfully packaged chart and saved it to: \K.*')
+
+              helm push $PACKAGE_FILE oci://${QUAY_URL}