refactor: modular pipeline architecture with multi-platform support

- Create new modular pipeline structure in pipelines/ directory
- Add platform abstraction layer (OpenShift, AKS, EKS, GKE)
- Implement core utilities (env, k8s, logging, reporting)
- Add deployment modules (Helm, PostgreSQL, orchestrator workflows)
- Create job handlers for different CI scenarios (pull, nightly, upgrade)
- Extract PostgreSQL TLS certificates to temporary directory (security)
- Add orchestrator feature flags (INSTALL_ORCHESTRATOR_INFRA/PLUGINS)
- Fix code review findings (Qodo analysis):
  - Fix undefined variable in error message
  - Replace base64 -w 0 with portable version for macOS
  - Correct yq path for orchestrator plugin removal
- Update .gitignore for pipeline artifacts

This refactoring improves code organization, portability, and
security while maintaining compatibility with existing CI workflows.

Author: gustavolira

.gitignore

@@ -76,4 +76,10 @@ dynamic-plugins-root/*
 # Python Caches
 **/__pycache__/
 **/.pytest_cache/
-**/.venv/
+**/.venv/
+
+# Pipeline transient artifacts
+pipelines/artifact_dir/
+pipelines/shared_dir/
+# Relatórios gerados durante execuções locais
+pipelines/artifact_dir/reporting/

pipelines/config/k8s-resources/postgres/postgres-cred.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 metadata:
   name: postgres-cred
 data:
-  POSTGRES_PASSWORD: eVUqOGEuLS52WXFZfXp6ZzYydHBhO2cz
+  POSTGRES_PASSWORD: NHN5eD1wPGpxUW4uczFpVlMtKSg5KU8v
   POSTGRES_PORT: NTQzMg==
   POSTGRES_USER: amFudXMtaWRw
   POSTGRES_HOST: cG9zdGdyZXNzLWV4dGVybmFsLWRiLXByaW1hcnkucG9zdGdyZXNzLWV4dGVybmFsLWRiLnN2Yy5jbHVzdGVyLmxvY2Fs

pipelines/core/env.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 # Core environment variables for RHDH CI/CD Pipeline
-# shellcheck disable=SC2034
+# shellcheck disable=SC2034,SC2155
+# SC2034: Allow unused variables (exported for child processes)
+# SC2155: Allow export with command substitution (intentional for secret loading)
 
 # Prevent double sourcing
 if [[ -n "${__CORE_ENV_SH_LOADED__:-}" ]]; then
@@ -17,9 +19,11 @@ set -a             # Automatically export all variables
 # Get the directory where the script is located
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Pipeline root is one level up from core/
-export PIPELINES_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+PIPELINES_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+export PIPELINES_ROOT
 # Project root (where pipelines/ is located)
-export PROJECT_ROOT="$(cd "${PIPELINES_ROOT}/.." && pwd)"
+PROJECT_ROOT="$(cd "${PIPELINES_ROOT}/.." && pwd)"
+export PROJECT_ROOT
 
 # ============================================================================
 # Environment Detection

pipelines/core/k8s.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# shellcheck disable=SC2155
 # Kubernetes/OpenShift utilities for RHDH CI/CD Pipeline
 
 # Prevent double sourcing
@@ -536,7 +537,7 @@ encode_base64_nowrap() {
     echo -n "${value}" | base64
   else
     # Linux with -w 0
-    echo -n "${value}" | base64 -w 0
+    echo -n "${value}" | base64 | tr -d '\n'
   fi
 }
 

pipelines/core/reporting.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# shellcheck disable=SC2155
 # Test reporting and artifact management for RHDH CI/CD Pipeline
 
 # Prevent double sourcing

pipelines/main.sh

@@ -60,8 +60,10 @@ cleanup() {
   log_section "Pipeline Cleanup"
 
   # Calculate duration
-  local end_time=$(date +%s)
-  local duration=$(calculate_duration ${START_TIME} ${end_time})
+  local end_time
+  end_time=$(date +%s)
+  local duration
+  duration=$(calculate_duration "${START_TIME}" "${end_time}")
   log_info "Total execution time: ${duration}"
 
   # Generate final summary if we ran any deployments
@@ -75,7 +77,7 @@ cleanup() {
     log_error "Pipeline completed with errors (exit code: ${exit_code})"
   fi
 
-  exit ${exit_code}
+  exit "${exit_code}"
 }
 
 trap cleanup EXIT
@@ -168,5 +170,5 @@ esac
 # ============================================================================
 # Exit with proper code
 # ============================================================================
-exit ${OVERALL_RESULT}
+exit "${OVERALL_RESULT}"
 

pipelines/modules/deployment/helm.sh

@@ -38,8 +38,8 @@ prepare_helm_values() {
   if [[ "${INSTALL_ORCHESTRATOR_PLUGINS:-true}" != "true" ]]; then
     log_info "Removing orchestrator plugins from Helm values (INSTALL_ORCHESTRATOR_PLUGINS=false)"
     if command -v yq &>/dev/null; then
-      # delete any element in dynamicPlugins array where package contains 'orchestrator'
-      yq -i 'del(.global.dynamicPlugins."*"[] | select(.package | test("orchestrator")))' "${out_file}"
+      # delete any element in global.dynamic.plugins array where package contains 'orchestrator'
+      yq -i 'del(.global.dynamic.plugins[] | select(.package | test("orchestrator")))' "${out_file}"
     else
       log_warning "yq not found – cannot strip orchestrator plugins."
     fi
@@ -61,10 +61,10 @@ perform_helm_install() {
   log_debug "Release: ${release_name}, Namespace: ${namespace}, Values: ${value_file}"
 
   local original_values="${PIPELINES_ROOT}/config/helm-values/${value_file}"
-
+  
   if [[ ! -f "${original_values}" ]]; then
-      log_error "Values file not found: ${values_path}"
-      return 1
+    log_error "Values file not found: ${original_values}"
+    return 1
   fi
 
   # Preprocess values (strip orchestrator plugins when disabled)
@@ -123,7 +123,7 @@ apply_yaml_files() {
   done
 
   # Encode URLs for secrets
-  local dh_target_url=$(echo -n "test-backstage-customization-provider-${project}.${K8S_CLUSTER_ROUTER_BASE}" | base64 -w 0)
+  local dh_target_url=$(echo -n "test-backstage-customization-provider-${project}.${K8S_CLUSTER_ROUTER_BASE}" | base64 | tr -d '\n')
   local rhdh_base_url_encoded=$(echo -n "${rhdh_base_url}" | base64 | tr -d '\n')
   local rhdh_base_url_http=$(echo -n "${rhdh_base_url/https/http}" | base64 | tr -d '\n')
 
@@ -303,20 +303,27 @@ configure_external_postgres_db() {
   oc apply -f "${resources_dir}/postgres.yaml" --namespace="${NAME_SPACE_POSTGRES_DB}"
   sleep 5
 
-  # Extract certificates
+  # Extract certificates to a temporary directory (avoid leaving files in repo)
+  local tmpdir
+  tmpdir=$(mktemp -d)
+  log_debug "Using tmpdir ${tmpdir} for PG TLS artifacts"
+
   oc get secret postgress-external-db-cluster-cert -n "${NAME_SPACE_POSTGRES_DB}" \
-    -o jsonpath='{.data.ca\.crt}' | base64 --decode > postgres-ca
+    -o jsonpath='{.data.ca\.crt}'   | base64 --decode > "${tmpdir}/ca.crt"
   oc get secret postgress-external-db-cluster-cert -n "${NAME_SPACE_POSTGRES_DB}" \
-    -o jsonpath='{.data.tls\.crt}' | base64 --decode > postgres-tls-crt
+    -o jsonpath='{.data.tls\.crt}' | base64 --decode > "${tmpdir}/tls.crt"
   oc get secret postgress-external-db-cluster-cert -n "${NAME_SPACE_POSTGRES_DB}" \
-    -o jsonpath='{.data.tls\.key}' | base64 --decode > postgres-tsl-key
-  
-  # Create secret in target namespace
+    -o jsonpath='{.data.tls\.key}' | base64 --decode > "${tmpdir}/tls.key"
+
+  # Create / update secret in target namespace with the extracted files
   oc create secret generic postgress-external-db-cluster-cert \
-    --from-file=ca.crt=postgres-ca \
-    --from-file=tls.crt=postgres-tls-crt \
-    --from-file=tls.key=postgres-tsl-key \
+    --from-file=ca.crt="${tmpdir}/ca.crt" \
+    --from-file=tls.crt="${tmpdir}/tls.crt" \
+    --from-file=tls.key="${tmpdir}/tls.key" \
     --dry-run=client -o yaml | oc apply -f - --namespace="${project}"
+
+  # Clean up temporary directory
+  rm -rf "${tmpdir}"
 
   # Update PostgreSQL credentials
   local postgres_password=$(oc get secret/postgress-external-db-pguser-janus-idp \