Add support for make test/preflight-<target>

Adding targets for running preflight tests. These only work on Linux
machines since preflight is currently not available on other platforms.

The preflight tasks all assume you've got a running OpenShift cluster
and that GCP_PROJECT and KUBECONFIG are set accordingly in the env.

Author: pseudomuto

.gitignore

@@ -63,5 +63,5 @@ bundle/
 faq
 
 _artifacts
-bundle.Dockerfile
+artifacts
 tmp

Makefile

@@ -210,6 +210,12 @@ test/e2e/testrunner-openshift-packaging: test/openshift-package
 		--action_env=APP_VERSION=$(APP_VERSION) \
 		--action_env=DOCKER_REGISTRY=$(DOCKER_REGISTRY)
 
+# Run preflight checks for OpenShift. This expects a running OpenShift cluster.
+# Eg. make test/preflight-<operator|bundle|marketplace>
+test/preflight-%: CONTAINER=$*
+test/preflight-%: release/generate-bundle
+	@bazel run //hack:redhat-preflight -- $(CONTAINER)
+
 #
 # Different dev targets
 #
@@ -267,6 +273,7 @@ dev/up: dev/down
 
 .PHONY: dev/down
 dev/down:
+	@bazel build //hack/bin:k3d
 	@hack/dev.sh down
 #
 # Targets that allow to install the operator on an existing cluster

config/default/BUILD.bazel

@@ -34,6 +34,7 @@ k8s_deploy(
         # when running locally, use the image from the local codebase
         "cockroachdb/cockroach-operator:$(APP_VERSION)": "//cmd/cockroach-operator:operator_image",
     },
+		resolver_args = ["--allow_unused_images"],
     template = ":manifest",
 )
 

config/manifests/bases/cockroach-operator.clusterserviceversion.yaml

@@ -178,6 +178,7 @@ spec:
   - email: [email protected]
     name: Cockroach Labs Support
   maturity: stable
+  minKubeVersion: 1.18.0
   provider:
     name: Cockroach Labs
   version: 0.0.0

config/templates/csv.yaml.in

@@ -178,6 +178,7 @@ spec:
   - email: [email protected]
     name: Cockroach Labs Support
   maturity: stable
+  minKubeVersion: 1.18.0
   provider:
     name: Cockroach Labs
   version: 0.0.0

hack/BUILD.bazel

@@ -129,6 +129,17 @@ sh_binary(
     ],
 )
 
+sh_binary(
+    name = "redhat-preflight",
+    srcs = ["redhat.sh"],
+    data = [
+			JQ,
+      OPM,
+      "//hack/bin:preflight",
+      "@//:all-srcs",
+    ],
+)
+
 filegroup(
     name = "package-srcs",
     srcs = glob(["**"]),

hack/bundle.sh

@@ -85,17 +85,19 @@ generate_bundle() {
   mv "${dir}/metadata/annotations.yaml.new" "${dir}/metadata/annotations.yaml"
 
   # add supported openshift versions
-  echo "  com.redhat.openshift.versions: 4.7-4.9" >> "${dir}/metadata/annotations.yaml"
+  echo "  com.redhat.openshift.versions: 4.7-4.10" >> "${dir}/metadata/annotations.yaml"
 
   # Update CSV with correct images, and timestamps
   adapt_csv "${dir}" "${img}"
 
   # move the dockerfile into the bundle directory and make it valid
   sed \
-    -e "s+${dir}/++g" bundle.Dockerfile \ # fix up paths
-    -e "/\s*COPY tests/d" > "${dir}/Dockerfile" # remove scorecard tests
+    -e "/\s*tests\/scorecard/d" \
+    -e "s+${dir}/++g" \
+    bundle.Dockerfile > "${dir}/Dockerfile"
 
   rm bundle.Dockerfile
+	rm "${dir}/manifests/cockroach-operator-webhook-service_v1_service.yaml"
 }
 
 adapt_csv() {

hack/redhat.sh

@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Cockroach Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -euo pipefail
+
+# include bazel binaries in the path
+PATH="bazel-bin/hack/bin:${PATH}"
+
+# Global preflight settings
+export PFLT_DOCKERCONFIG="${HOME}/.docker/config.json"
+export PFLT_LOGLEVEL=debug
+
+OPERATOR="cockroachdb/cockroach-operator"
+REGISTRY="gcr.io/${GCP_PROJECT}"
+VERSION="$(cat version.txt)"
+IMAGE="${OPERATOR}:v${VERSION}"
+BUNDLE_IMAGE="${OPERATOR}-bundle:v${VERSION}"
+BUNDLE_INDEX="${OPERATOR}-index:v${VERSION}"
+RHMP_BUNDLE_IMAGE="${OPERATOR}-bundle-rhmp:v${VERSION}"
+RHMP_BUNDLE_INDEX="${OPERATOR}-index-rhmp:v${VERSION}"
+
+main() {
+  # Switch to the build directory. The bundle directory is not part of source
+  # controller and therefore isn't a bazel target. This means when we run this
+  # script, there's no way to reference the Dockerfile created by the call to
+  # make release/generate-bundle (prerequisite of make test/preflight). By cd'ing
+  # into the build directory, we'll have access to _all_ the files.
+  if [[ -n "${BUILD_WORKSPACE_DIRECTORY}" ]]; then
+    cd "${BUILD_WORKSPACE_DIRECTORY}"
+  fi
+
+  case "${1:-}" in
+    operator)
+			publish_operator_image
+      preflight_operator;;
+    bundle)
+			publish_bundle_image "${REGISTRY}/${BUNDLE_IMAGE}" "bundle/cockroachdb-certified"
+			publish_bundle_index "${REGISTRY}/${BUNDLE_IMAGE}" "${REGISTRY}/${BUNDLE_INDEX}"
+			preflight_bundle "${REGISTRY}/${BUNDLE_IMAGE}" "${REGISTRY}/${BUNDLE_INDEX}"
+			ensure_success;;
+    marketplace)
+			publish_bundle_image "${REGISTRY}/${RHMP_BUNDLE_IMAGE}" "bundle/cockroachdb-certified-rhmp"
+			publish_bundle_index "${REGISTRY}/${RHMP_BUNDLE_IMAGE}" "${REGISTRY}/${RHMP_BUNDLE_INDEX}"
+			preflight_bundle "${REGISTRY}/${RHMP_BUNDLE_IMAGE}" "${REGISTRY}/${RHMP_BUNDLE_INDEX}"
+			ensure_success;;
+    *)
+      echo "ERROR: Unknown command: ${1}" 1>&2
+      echo "Usage bazel run //hack:redhat-preflight -- <operator|bundle|marketplace>." 1>&2
+      exit 1;;
+  esac
+}
+
+publish_operator_image() {
+  echo "Publishing operator image to local repo..."
+  APP_VERSION="v${VERSION}" \
+    DOCKER_REGISTRY="${REGISTRY}" \
+    DOCKER_IMAGE_REPOSITORY="${IMAGE%:*}" \
+    bazel run --stamp --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //:push_operator_image
+}
+
+preflight_operator() {
+  echo "Running preflight checks on operator image..."
+  preflight check container "${REGISTRY}/${IMAGE}" \
+    --docker-config "${HOME}/.docker/config.json"
+}
+
+publish_bundle_image() {
+	local img="${1}"
+	local dir="${2}"
+
+  echo "Publishing ${img}..."
+  pushd "${dir}"
+  docker build -t "${img}" .
+  docker push "${img}"
+  popd
+}
+
+publish_bundle_index() {
+	local bundle_img="${1}"
+	local index_img="${2}"
+
+  echo "Publishing ${index_img}..."
+  opm index add \
+    --container-tool docker \
+    --bundles "${bundle_img}" \
+    --tag "${index_img}"
+}
+
+preflight_bundle() {
+	local bundle_img="${1}"
+	local index_img="${2}"
+
+  echo "Running preflight checks on bundle image..."
+	echo "  IMAGE: ${bundle_img}"
+
+	PFLT_INDEXIMAGE="${index_img}" preflight check operator "${bundle_img}"
+}
+
+ensure_success() {
+	if [[ $(cat artifacts/results.json | jq -r .passed) == 'false' ]]; then
+		# error already displayed
+		exit 1
+	fi
+}
+
+main "$@"