feat: Use OCM cli to submit OCM components in KLM e2e (#2863)

feat(e2e): add OCM CLI support and improve template-operator e2e deployment

- Add install-ocm-cli action (.github/actions/install-ocm-cli/action.yml) to install OCM CLI with checksum verification.
- Expose ocm_cli_version and template_operator_version outputs in get-configuration action and wire them into workflows.
- Install ocm-cli from setup-tools and pass ocm_cli_version to the setup step.
- Checkout template-operator using template_operator_version and pass module_version into the deploy action.
- Enhance deploy-template-operator-with-modulereleasemeta:
  - Read module version from versions.yaml, set image tags with yq and build manifests.
  - Use modulectl to generate component constructor and OCM CLI to create/transfer CTF to registries (support local & private registries).
  - Add debug checks for ModuleTemplate / ModuleReleaseMeta and registry contents.
  - Pass both the OCM release version and the actual deployable image version to deploy_moduletemplate.
- Update deploy_moduletemplate.sh:
  - Add required DEPLOYABLE_IMAGE_VERSION parameter and input validation.
  - Use modulectl + ocm to generate/push component versions, patch manifests, apply ModuleTemplate, and clean up temp files.
  - Improve logging and error handling.
- Add ocm-config-local-registry.yaml and ocm-config-private-registry.yaml under scripts/tests.
- Add contributor documentation for creating ModuleTemplate with modulectl + OCM CLI and link it from ModuleTemplate docs.
- Improve teardown/debug scripts output for easier troubleshooting.
- Bump tooling in versions.yaml: modulectl -> 2.5.0, add ocm-cli 0.32.0, add template-operator version.
- Minor formatting and reliability improvements across workflows and scripts.
- No breaking API changes; this improves e2e reliability by aligning deployed images with versions.yaml and pushing component descriptors via OCM.

Author: medmes

.github/actions/deploy-template-operator-with-modulereleasemeta/action.yml

@@ -2,9 +2,8 @@ name: Deploy template-operator With ModuleReleaseMeta
 description: Deploys a test-specific template-operator and corresponding ModuleReleaseMeta.
 inputs:
   module_version:
-    description: "Version of the template operator to be deployed, should be aligned with the latest version released in github."
+    description: "Version of the template operator to be deployed, should be aligned with the version in versions.yaml"
     required: true
-    default: "1.0.4"
 runs:
   using: composite
   steps:
@@ -22,6 +21,8 @@ runs:
         cp ../lifecycle-manager/scripts/tests/deploy_moduletemplate.sh .
         cp ../lifecycle-manager/scripts/tests/deploy_modulereleasemeta.sh .
         cp ../lifecycle-manager/scripts/tests/deploy_mandatory_modulereleasemeta.sh .
+        cp ../lifecycle-manager/scripts/tests/ocm-config-local-registry.yaml .
+        cp ../lifecycle-manager/scripts/tests/ocm-config-private-registry.yaml .
     - name: Create and apply Template Operator ModuleTemplate from the latest release
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
@@ -31,10 +32,9 @@ runs:
         }}
       shell: bash
       run: |
-        modulectl create --config-file ./module-config.yaml --registry http://localhost:5111 --insecure
-        sed -i 's/localhost:5111/k3d-kcp-registry.localhost:5000/g' ./template.yaml
-        kubectl get crds
-        kubectl apply -f template.yaml
+        yq eval '.images[0].newTag = "${{ inputs.module_version }}"' -i config/manager/deployment/kustomization.yaml
+        make build-manifests
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ inputs.module_version }} ${{ inputs.module_version }} true false true false
     - name: Create and apply Template Operator ModuleTemplate with ModuleDeploymentNameInOlderVersion
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
@@ -44,9 +44,10 @@ runs:
         }}
       shell: bash
       run: |
+        yq eval '.images[0].newTag = "${{ env.OlderVersion }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
         yq eval '(. | select(.kind == "Deployment") | .metadata.name) = "${{ env.ModuleDeploymentNameInOlderVersion }}"' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.OlderVersion }}
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.OlderVersion }} ${{ inputs.module_version }} true false true false
     - name: Create and apply Template Operator ModuleTemplate with ModuleDeploymentNameInNewerVersion
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
@@ -67,18 +68,44 @@ runs:
           REQUIRE_DOWNTIME=false
         fi
 
+        yq eval '.images[0].newTag = "${{ env.NewerVersion }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
         yq eval '(. | select(.kind == "Deployment") | .metadata.name) = "${{ env.ModuleDeploymentNameInNewerVersion }}"' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.NewerVersion }} $INCLUDE_DEFAULT_CR $MANDATORY $DEPLOY_MODULETEMPLATE $REQUIRE_DOWNTIME
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.NewerVersion }} ${{ inputs.module_version }} $INCLUDE_DEFAULT_CR $MANDATORY $DEPLOY_MODULETEMPLATE $REQUIRE_DOWNTIME
     - name: Create and apply Template Operator ModuleTemplate in private registry
       working-directory: template-operator
       if: ${{ matrix.e2e-test == 'oci-reg-cred-secret' }}
       shell: bash
       run: |
-        modulectl create --config-file ./module-config.yaml --registry http://k3d-private-oci-reg.localhost:5001 --registry-credentials myuser:mypass --insecure
-        sed -i 's/k3d-private-oci-reg.localhost:5001/private-oci-reg.localhost:5000/g' ./template.yaml
+        MODULE_CONFIG="./module-config.yaml"
+        REGISTRY_URL="k3d-private-oci-reg.localhost:5001"
+        REGISTRY_CREDS="myuser:mypass"
+        COMPONENT_CONSTRUCTOR_FILE="./component-constructor.yaml"
+        CTF_DIR="./component-ctf"
+        TEMPLATE_FILE="./template.yaml"
+        TARGET_REGISTRY="private-oci-reg.localhost:5000"
+        OCM_CONFIG="./ocm-config-private-registry.yaml"
+
+        echo "creating ModuleTemplate"
+        modulectl create \
+          --config-file "${MODULE_CONFIG}" \
+          --disable-ocm-registry-push \
+          --output-constructor-file "${COMPONENT_CONSTRUCTOR_FILE}"
+
+        echo "pushing OCM components..."
+        ocm --config "${OCM_CONFIG}" add componentversions --create --file "${CTF_DIR}" --skip-digest-generation "${COMPONENT_CONSTRUCTOR_FILE}"
+        ocm --config "${OCM_CONFIG}" transfer ctf \
+          --overwrite \
+          --no-update \
+          "${CTF_DIR}" \
+          "http://${REGISTRY_URL}"
+
+        echo "Verifying component in private registry..."
+        curl -s -u myuser:mypass "http://${REGISTRY_URL}/v2/_catalog" || echo "Warning: Could not verify registry catalog"
+
+        echo "No baseUrl patching needed for private registry..."
         kubectl get crds
-        kubectl apply -f template.yaml
+        kubectl apply -f <(yq eval '.metadata.namespace = "kcp-system"' "${TEMPLATE_FILE}")
     - name: Create and apply ModuleReleaseMeta from the template-operator repo
       working-directory: template-operator
       if: ${{ matrix.e2e-test == 'kyma-metrics' ||
@@ -126,9 +153,10 @@ runs:
         }}
       shell: bash
       run: |
+        yq eval '.images[0].newTag = "${{ env.OlderVersionForMandatoryModule }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
         yq eval '(. | select(.kind == "Deployment") | .metadata.name) = "${{ env.ModuleDeploymentNameInOlderVersion }}"' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.OlderVersionForMandatoryModule }} true true false
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.OlderVersionForMandatoryModule }} ${{ inputs.module_version }} true true false false
         yq eval 'del(.spec.mandatory)' -i template.yaml
         kubectl apply -f template.yaml
         rm -f template.yaml
@@ -140,9 +168,10 @@ runs:
       working-directory: template-operator
       shell: bash
       run: |
+        yq eval '.images[0].newTag = "${{ env.NewerVersionForMandatoryModule }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
         yq eval '(. | select(.kind == "Deployment") | .metadata.name) = "${{ env.ModuleDeploymentNameInNewerVersion }}"' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.NewerVersionForMandatoryModule }} true true false
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.NewerVersionForMandatoryModule }} ${{ inputs.module_version }} true true false false
         yq eval 'del(.spec.mandatory)' -i template.yaml
         cp template.yaml ../lifecycle-manager/tests/e2e/mandatory_template_v2.yaml
     - name: Create and apply ModuleReleaseMeta Template Operator with newer version in fast channel and older version in regular channel
@@ -157,14 +186,16 @@ runs:
       shell: bash
       run: |
         # Create and apply ModuleReleaseMeta with version when deployment is in warning state
+        yq eval '.images[0].newTag = "${{ env.VersionForDeploymentInWarning }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
         yq eval '(. | select(.kind == "Deployment") | .spec.template.spec.containers[0].args) = ["--leader-elect", "--final-state=Warning", "--final-deletion-state=Warning"]' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.VersionForDeploymentInWarning }}
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.VersionForDeploymentInWarning }} ${{ inputs.module_version }} true false true false
         ./deploy_modulereleasemeta.sh ${{ env.ModuleName }} regular:${{ env.VersionForDeploymentInWarning }}
 
         # Create and apply ModuleReleaseMeta with version when deployment is misconfigured
+        yq eval '.images[0].newTag = "${{ env.VersionForMisconfiguredDeploymentImage }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
-        yq eval '(. | select(.kind == "Deployment") | .spec.template.spec.containers[0].image) = "non-working/path:001"' -i template-operator.yaml
+        yq eval '(. | select(.kind == "Deployment") | .spec.template.spec.containers[0].image) = "non-working/path:0.0.1"' -i template-operator.yaml
         yq eval '(. | select(.kind == "Deployment") | .spec.progressDeadlineSeconds) = 60' -i template-operator.yaml
         yq eval '(. | select(.kind == "Deployment") | .spec.template.spec.containers[0].livenessProbe) = {
           "httpGet": {"path": "/healthz", "port": 8081},
@@ -174,31 +205,34 @@ runs:
           "httpGet": {"path": "/readyz", "port": 8081},
           "initialDelaySeconds": 5, "periodSeconds": 5, "failureThreshold": 1
         }' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.MisconfiguredModuleName }} ${{ env.VersionForMisconfiguredDeploymentImage }}
+        ./deploy_moduletemplate.sh ${{ env.MisconfiguredModuleName }} ${{ env.VersionForMisconfiguredDeploymentImage }} ${{ inputs.module_version }} true false true false
         ./deploy_modulereleasemeta.sh ${{ env.MisconfiguredModuleName }} regular:${{ env.VersionForMisconfiguredDeploymentImage }}
     - name: Create ModuleTemplate and ModuleReleaseMeta for Module Status test with StatefulSet
       working-directory: template-operator
       if: ${{ matrix.e2e-test == 'module-status-decoupling-with-statefulset'}}
       shell: bash
       run: |
         # Create and apply ModuleReleaseMeta with version when statefulset is in warning state
+        yq eval '.images[0].newTag = "${{ env.VersionForStatefulSetInWarning }}"' -i config/manager/statefulset/kustomization.yaml
         make build-statefulset-manifests
         yq eval '(. | select(.kind == "StatefulSet") | .spec.template.spec.containers[0].args) = ["--leader-elect", "--final-state=Warning", "--final-deletion-state=Warning"]' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.VersionForStatefulSetInWarning }}
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.VersionForStatefulSetInWarning }} ${{ inputs.module_version }} true false true false
         ./deploy_modulereleasemeta.sh ${{ env.ModuleName }} regular:${{ env.VersionForStatefulSetInWarning }}
 
         # Create and apply ModuleReleaseMeta with version when statefulset is misconfigured
+        yq eval '.images[0].newTag = "${{ env.VersionForMisconfiguredStatefulSetImage }}"' -i config/manager/statefulset/kustomization.yaml
         make build-statefulset-manifests
-        yq eval '(. | select(.kind == "StatefulSet") | .spec.template.spec.containers[0].image) = "non-working/path:002"' -i template-operator.yaml
-        ./deploy_moduletemplate.sh ${{ env.MisconfiguredModuleName }} ${{ env.VersionForMisconfiguredStatefulSetImage }}
+        yq eval '(. | select(.kind == "StatefulSet") | .spec.template.spec.containers[0].image) = "non-working/path:0.0.2"' -i template-operator.yaml
+        ./deploy_moduletemplate.sh ${{ env.MisconfiguredModuleName }} ${{ env.VersionForMisconfiguredStatefulSetImage }} ${{ inputs.module_version }} true false true false
         ./deploy_modulereleasemeta.sh ${{ env.MisconfiguredModuleName }} regular:${{ env.VersionForMisconfiguredStatefulSetImage }}
     - name: Create Template Operator Module without default CR and apply ModuleReleaseMeta
       working-directory: template-operator
       if: ${{ matrix.e2e-test == 'module-without-default-cr' }}
       shell: bash
       run: |
+        yq eval '.images[0].newTag = "${{ env.VersionForNoDefaultCR }}"' -i config/manager/deployment/kustomization.yaml
         make build-manifests
-        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.VersionForNoDefaultCR }} false
+        ./deploy_moduletemplate.sh ${{ env.ModuleName }} ${{ env.VersionForNoDefaultCR }} ${{ inputs.module_version }} false false true false
         ./deploy_modulereleasemeta.sh ${{ env.ModuleName }} regular:${{ env.VersionForNoDefaultCR }}
     - name: Apply ModuleReleaseMeta with ModuleTemplate with name <modulename>-<channel>
       working-directory: template-operator
@@ -220,3 +254,21 @@ runs:
       shell: bash
       run: |
         kubectl apply -f tests/e2e/moduletemplate/moduletemplate_template_operator_transferred.yaml
+    - name: Debug - Check ModuleTemplate and Component Status
+      working-directory: lifecycle-manager
+      shell: bash
+      run: |
+        echo "=== Checking ModuleTemplates in kcp-system ==="
+        kubectl get moduletemplates -n kcp-system -o wide || echo "Failed to get ModuleTemplates"
+
+        echo ""
+        echo "=== Checking ModuleReleaseMeta ==="
+        kubectl get modulereleasemeta -n kcp-system -o wide || echo "Failed to get ModuleReleaseMeta"
+
+        echo ""
+        echo "=== Checking if components are in registry ==="
+        curl -s "http://localhost:5111/v2/_catalog" || echo "Warning: Could not query registry catalog"
+
+        echo ""
+        echo "=== Checking if component version exists ==="
+        curl -s "http://localhost:5111/v2/component-descriptors/kyma-project.io/module/template-operator/tags/list" || echo "Warning: Could not list component tags"

.github/actions/get-configuration/action.yml

@@ -10,9 +10,15 @@ outputs:
   k3d_version:
     description: The version of k3d to install. For example, 5.6.0.
     value: ${{ steps.define-variables.outputs.k3d_version }}
+  ocm_cli_version:
+    description: The version of ocm-cli to install. For example, 0.32.0.
+    value: ${{ steps.define-variables.outputs.ocm_cli_version }}
   modulectl_version:
     description: The version of modulectl to install. For example, 1.0.0.
     value: ${{ steps.define-variables.outputs.modulectl_version }}
+  template_operator_version:
+    description: The version of template-operator to checkout. Defaults to value from versions.yaml.
+    value: ${{ steps.define-variables.outputs.template_operator_version }}
   cert_manager_version:
     description: The version of cert-manager to deploy. For example, 1.13.3.
     value: ${{ steps.define-variables.outputs.cert_manager_version }}
@@ -42,7 +48,9 @@ runs:
       run: |
         echo "istio_version=$(yq e '.istio' versions.yaml)" >> $GITHUB_OUTPUT
         echo "k3d_version=$(yq e '.k3d' versions.yaml)" >> $GITHUB_OUTPUT
+        echo "ocm_cli_version=$(yq e '.ocm-cli' versions.yaml)" >> $GITHUB_OUTPUT
         echo "modulectl_version=$(yq e '.modulectl' versions.yaml)" >> $GITHUB_OUTPUT
+        echo "template_operator_version=$(yq e '.template-operator' versions.yaml)" >> $GITHUB_OUTPUT
         echo "cert_manager_version=$(yq e '.certManager' versions.yaml)" >> $GITHUB_OUTPUT
         echo "gardener_cert_manager_version=$(yq e '.gardenerCertManager' versions.yaml)" >> $GITHUB_OUTPUT
         echo "golangci_lint_version=$(yq e '.golangciLint' versions.yaml)" >> $GITHUB_OUTPUT

.github/actions/install-ocm-cli/action.yml

@@ -0,0 +1,74 @@
+name: Install ocm-cli
+description: Installs the OCM CLI binary (Linux amd64) with checksum verification; requires explicit release version.
+inputs:
+  ocm_cli_version:
+    description: Explicit release tag (e.g. v0.32.0). No 'latest'.
+    required: true
+  install_path:
+    description: Directory to place the binary
+    required: false
+    default: $(pwd)/ocm/bin
+  verify_checksum:
+    description: "'true' to verify checksum (sha256)"
+    required: false
+    default: 'true'
+runs:
+  using: composite
+  steps:
+    - name: Validate version input
+      id: validate
+      shell: bash
+      run: |
+        set -euo pipefail
+        VERSION=${{ inputs.ocm_cli_version }}
+        if [ -z "${VERSION}" ]; then
+          echo "Version input empty; aborting." >&2
+          exit 1
+        fi
+        if [ "${VERSION}" = "latest" ] || [ "${VERSION}" = "main" ]; then
+          echo "Dynamic versions ('latest'/'main') are not allowed; provide an explicit tag like v0.32.0." >&2
+          exit 1
+        fi
+        if ! echo "${VERSION}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+          echo "Version '${VERSION}' does not match required pattern MAJOR.MINOR.PATCH." >&2
+          exit 1
+        fi
+        echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+    - name: Download ocm-cli (Linux amd64)
+      shell: bash
+      run: |
+        set -euo pipefail
+        VERSION=${{ steps.validate.outputs.version }}
+        VERSION_NO_V="${VERSION#v}"
+        INSTALL_PATH=${{ inputs.install_path }}
+        mkdir -p "${INSTALL_PATH}"
+
+        ARCHIVE="ocm-${VERSION_NO_V}-linux-amd64.tar.gz"
+        BINARY_URL="https://github.com/open-component-model/ocm/releases/download/v${VERSION}/${ARCHIVE}"
+        SHA_URL="${BINARY_URL}.sha256"
+
+        echo "Downloading ${ARCHIVE}"
+        curl -sSfL "${BINARY_URL}" -o "/tmp/${ARCHIVE}"
+
+        if [ "${{ inputs.verify_checksum }}" = "true" ]; then
+          echo "Verifying checksum"
+          curl -sSfL "${SHA_URL}" -o "/tmp/${ARCHIVE}.sha256"
+          EXPECTED_SHA="$(cat /tmp/${ARCHIVE}.sha256 | tr -d '\n\r')"
+          echo "${EXPECTED_SHA}  /tmp/${ARCHIVE}" | sha256sum -c -
+        else
+          echo "Checksum verification skipped"
+        fi
+
+        tar -xzf "/tmp/${ARCHIVE}" -C "${INSTALL_PATH}"
+        if [ ! -x "${INSTALL_PATH}/ocm" ]; then
+          echo "ocm binary not found after extraction" >&2
+          exit 1
+        fi
+        echo "${INSTALL_PATH}" >> "$GITHUB_PATH"
+    - name: Test ocm installation
+      shell: bash
+      run: |
+        set -euo pipefail
+        INSTALLED_VERSION="$(ocm version | yq -p json -oy '.GitVersion')"
+        echo "OCM CLI version: ${INSTALLED_VERSION}"
+        ocm help >/dev/null

.github/actions/setup-tools/action.yml

@@ -10,6 +10,8 @@ inputs:
   k3d_version:
     description: The version of k3d to install. For example, 5.6.0.
     required: true
+  ocm_cli_version:
+    description: The version of ocm-cli to install. For example, 0.32.0.
   modulectl_version:
     description: The version of modulectl to install. For example, 1.0.0.
     required: true
@@ -28,6 +30,9 @@ runs:
     - uses: ./lifecycle-manager/.github/actions/install-istioctl
       with:
         istio_version: ${{ inputs.istio_version }}
+    - uses: ./lifecycle-manager/.github/actions/install-ocm-cli
+      with:
+        ocm_cli_version: ${{ inputs.ocm_cli_version }}
     - uses: ./lifecycle-manager/.github/actions/install-modulectl
       with:
         modulectl_version: ${{ inputs.modulectl_version }}