Introduce 'run-opm-command' in the fbc pipeline

Author: rauhersu

.konflux/Dockerfile.catalog

@@ -2,37 +2,18 @@
 ARG OPM_IMAGE=registry.redhat.io/openshift4/ose-operator-registry-rhel9:v4.18
 ARG BUILDER_IMAGE=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23
 
-# build the catalog
+# fix the catalog (talm exclusive, naming issue)
 FROM ${BUILDER_IMAGE} AS builder
 
-# create dir structure to generate the catalog
-RUN mkdir -p /app/hack /app/.konflux/catalog
+# create dir structure to fix the catalog
+RUN mkdir -p /app/.konflux/catalog
 COPY Makefile /app
 COPY .konflux/catalog/ /app/.konflux/catalog/
-COPY telco5g-konflux /app/telco5g-konflux
-
 # we need to copy the vendor/ folder as the Makefile depends on it
 COPY vendor/ /app/vendor/
 
-# generate the catalog
-
-# debug
-RUN echo "root dir" && ls -lra $HOME
-
 WORKDIR /app
-RUN --mount=type=secret,id=telco-5g-redhat-pull-secret/.dockerconfigjson \
-    mkdir -p $HOME/.docker/ && \
-    cp /run/secrets/telco-5g-redhat-pull-secret/.dockerconfigjson $HOME/.docker/config.json
-
-# debug
-RUN echo "run secrets" && ls -lra /run/secrets/ && echo "docker dir" && ls -lra $HOME/.docker/ && cat $HOME/.docker/config.json
-
-ENV REGISTRY_AUTH_FILE=$HOME/.docker/config.json
-
-# The Konflux build is not hermetic so it will download the tools (opm, yq, etc) automatically
-# Konflux will externally sync the submodules so we can skip it here
-RUN SKIP_SUBMODULE_SYNC=yes make konflux-generate-catalog-production && \
-    rm -f $HOME/.docker/config.json
+RUN SKIP_SUBMODULE_SYNC=yes make konflux-fix-catalog-name
 
 # run the catalog
 FROM ${OPM_IMAGE}
@@ -43,6 +24,8 @@ CMD ["serve", "/configs", "--cache-dir=/tmp/cache"]
 # ensure this correponds to olm.package name
 ENV PACKAGE_NAME=topology-aware-lifecycle-manager
 
+# This assumes that the catalog is already built and exists in the .konflux/catalog/$PACKAGE_NAME directory
+# This should be done automatically by the fbc pipeline using the `run-opm-command` task
 COPY --from=builder /app/.konflux/catalog/$PACKAGE_NAME/ /configs/$PACKAGE_NAME
 # RUN ["/bin/opm", "validate", "/configs/topology-aware-lifecycle-manager"]
 RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]

.konflux/catalog/catalog-idms.yaml

@@ -0,0 +1,12 @@
+---
+# We use this IDMS to map the quay.io build to registry.redhat.io in the catalog.json post rendering
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: catalog-idms
+spec:
+  imageDigestMirrors:
+  - mirrors:
+    - quay.io/redhat-user-workloads/telco-5g-tenant/topology-aware-lifecycle-manager-bundle-4-18
+    source: registry.redhat.io/openshift4/topology-aware-lifecycle-manager-operator-bundle
+

.tekton/fbc-pipeline.yaml

@@ -148,18 +148,78 @@ spec:
       workspaces:
         - name: basic-auth
           workspace: git-auth
+    - name: run-opm-pre-actions
+      params:
+        - name: ociStorage
+          value: $(params.output-image).script
+        - name: ociArtifactExpiresAfter
+          value: $(params.image-expires-after)
+        - name: SCRIPT_RUNNER_IMAGE
+          value: quay.io/konflux-ci/yq:latest
+        # update catalog template
+        - name: SCRIPT
+          value: ./telco5g-konflux/scripts/catalog/konflux-update-catalog-template.sh --set-catalog-template-input-file .konflux/catalog/catalog-template.in.yaml --set-bundle-builds-file .konflux/catalog/bundle.builds.in.yaml
+        - name: HERMETIC
+          value: $(params.hermetic)
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+      runAfter:
+        - clone-repository
+      taskRef:
+        params:
+        - name: name
+          value: run-script-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-run-script-oci-ta:0.1@sha256:834a934f1e631a79aea7f2d001162cf90086e664e648c8ca15b69ad9798571ee
+        - name: kind
+          value: task
+        resolver: bundles
+    - name: run-opm-command
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.run-opm-pre-actions.results.SCRIPT_ARTIFACT)
+        - name: ociStorage
+          value: $(params.output-image).opm
+        - name: ociArtifactExpiresAfter
+          value: $(params.image-expires-after)
+        - name: OPM_ARGS
+          value:
+            - alpha
+            - render-template
+            - basic
+            # arg for OCP 4.17 and newer
+            - "--migrate-level=bundle-object-to-csv-metadata"
+            - ".konflux/catalog/catalog-template.in.yaml"
+        - name: OPM_OUTPUT_PATH
+          value: ".konflux/catalog/topology-aware-lifecycle-manager/catalog.json"
+        # replace catalog.json pullspecs with idms config
+        - name: IDMS_PATH
+          value: ".konflux/catalog/catalog-idms.yaml"
+        - name: FILE_TO_UPDATE_PULLSPEC
+          value: ".konflux/catalog/topology-aware-lifecycle-manager/catalog.json"
+      runAfter:
+        - run-opm-pre-actions
+      taskRef:
+        params:
+          - name: name
+            value: run-opm-command-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-run-opm-command-oci-ta:0.1@sha256:4ab5dba35166a976c3d6293913501fdfc79a3222395388fc6208641ab8bc9359
+          - name: kind
+            value: task
+        resolver: bundles
     - name: prefetch-dependencies
       params:
         - name: input
           value: $(params.prefetch-input)
         - name: SOURCE_ARTIFACT
-          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+          value: $(tasks.run-opm-command.results.SOURCE_ARTIFACT)
         - name: ociStorage
           value: $(params.output-image).prefetch
         - name: ociArtifactExpiresAfter
           value: $(params.image-expires-after)
       runAfter:
-        - clone-repository
+        - run-opm-command
       taskRef:
         params:
           - name: name
@@ -202,6 +262,9 @@ spec:
           value: $(params.build-args-file)
         - name: SOURCE_ARTIFACT
           value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: ADDITIONAL_BASE_IMAGES
+          value:
+            - $(tasks.run-opm-pre-actions.results.SCRIPT_RUNNER_IMAGE_REFERENCE)
         - name: CACHI2_ARTIFACT
           value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
         - name: IMAGE_APPEND_PLATFORM

.tekton/topology-aware-lifecycle-manager-fbc-4-18-pull-request.yaml

@@ -48,9 +48,8 @@ spec:
       value: .konflux/container_build_args.conf
     - name: additional-tags
       value: []
-    # We have configured an fbc exception for hermetic builds on the release repo.
     - name: hermetic
-      value: "false"
+      value: "true"
   pipelineRef:
     name: fbc-pipeline
   taskRunTemplate:

.tekton/topology-aware-lifecycle-manager-fbc-4-18-push.yaml

@@ -45,9 +45,8 @@ spec:
       value: .konflux/container_build_args.conf
     - name: additional-tags
       value: ["latest"]
-    # We have configured an fbc exception for hermetic builds on the release repo.
     - name: hermetic
-      value: "false"
+      value: "true"
   pipelineRef:
     name: fbc-pipeline
   taskRunTemplate:

Makefile

@@ -86,7 +86,7 @@ CRD_OPTIONS ?= "crd"
 PACKAGE_NAME_KONFLUX = topology-aware-lifecycle-manager
 CATALOG_TEMPLATE_KONFLUX_INPUT = .konflux/catalog/catalog-template.in.yaml
 CATALOG_TEMPLATE_KONFLUX_OUTPUT = .konflux/catalog/catalog-template.out.yaml
-CATALOG_KONFLUX = .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.yaml
+CATALOG_KONFLUX = .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.json
 
 # Konflux bundle image configuration
 BUNDLE_NAME_SUFFIX = bundle-4-18
@@ -554,9 +554,9 @@ sync-git-submodules:
 .PHONY: konflux-fix-catalog-name
 konflux-fix-catalog-name: ## Fix catalog package name for TALM
 	if [ "$$(uname)" = "Darwin" ]; then \
-		sed -i '' 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.yaml; \
+		sed -i '' 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' $(CATALOG_KONFLUX); \
 	else \
-		sed -i 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.yaml; \
+		sed -i 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' $(CATALOG_KONFLUX); \
 	fi
 
 .PHONY: konflux-validate-catalog-template-bundle