CNF-20549 : [TALM 4.21] : New opm render mechanism for hermetic builds

.konflux/Dockerfile.catalog

@@ -3,37 +3,18 @@ ARG OPM_IMAGE=registry.redhat.io/openshift4/ose-operator-registry-rhel9:v4.20
 # CNF-18555: When there is a Konflux build available for this then we need to update from the brew image
 ARG BUILDER_IMAGE=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.24
 
-# build the catalog
+# fix the catalog (talm exclusive, naming issue)
 FROM ${BUILDER_IMAGE} AS builder
 
-# create dir structure to generate the catalog
-RUN mkdir -p /app/hack /app/.konflux/catalog
+# create dir structure to fix the catalog
+RUN mkdir -p /app/.konflux/catalog
 COPY Makefile /app
 COPY .konflux/catalog/ /app/.konflux/catalog/
-COPY telco5g-konflux /app/telco5g-konflux
-
 # we need to copy the vendor/ folder as the Makefile depends on it
 COPY vendor/ /app/vendor/
 
-# generate the catalog
-
-# debug
-RUN echo "root dir" && ls -lra $HOME
-
 WORKDIR /app
-RUN --mount=type=secret,id=telco-5g-redhat-pull-secret/.dockerconfigjson \
-    mkdir -p $HOME/.docker/ && \
-    cp /run/secrets/telco-5g-redhat-pull-secret/.dockerconfigjson $HOME/.docker/config.json
-
-# debug
-RUN echo "run secrets" && ls -lra /run/secrets/ && echo "docker dir" && ls -lra $HOME/.docker/ && cat $HOME/.docker/config.json
-
-ENV REGISTRY_AUTH_FILE=$HOME/.docker/config.json
-
-# The Konflux build is not hermetic so it will download the tools (opm, yq, etc) automatically
-# Konflux will externally sync the submodules so we can skip it here
-RUN SKIP_SUBMODULE_SYNC=yes make konflux-generate-catalog-production && \
-    rm -f $HOME/.docker/config.json
+RUN SKIP_SUBMODULE_SYNC=yes make konflux-fix-catalog-name
 
 # run the catalog
 FROM ${OPM_IMAGE}
@@ -44,6 +25,8 @@ CMD ["serve", "/configs", "--cache-dir=/tmp/cache"]
 # ensure this correponds to olm.package name
 ENV PACKAGE_NAME=topology-aware-lifecycle-manager
 
+# This assumes that the catalog is already built and exists in the .konflux/catalog/$PACKAGE_NAME directory
+# This should be done automatically by the fbc pipeline using the `run-opm-command` task
 COPY --from=builder /app/.konflux/catalog/$PACKAGE_NAME/ /configs/$PACKAGE_NAME
 # RUN ["/bin/opm", "validate", "/configs/topology-aware-lifecycle-manager"]
 RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]

.konflux/catalog/.gitignore

@@ -1,2 +1,3 @@
-topology-aware-lifecycle-manager/catalog.yaml
 catalog-template.out.yaml
+topology-aware-lifecycle-manager/catalog.yaml
+topology-aware-lifecycle-manager/catalog.json

.konflux/catalog/catalog-idms.yaml

@@ -0,0 +1,11 @@
+---
+# We use this IDMS to map the quay.io build to registry.redhat.io in the catalog.json post rendering
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: catalog-idms
+spec:
+  imageDigestMirrors:
+  - mirrors:
+    - quay.io/redhat-user-workloads/telco-5g-tenant/topology-aware-lifecycle-manager-bundle-4-21
+    source: registry.redhat.io/openshift4/topology-aware-lifecycle-manager-operator-bundle

.tekton/fbc-pipeline.yaml

@@ -148,18 +148,78 @@ spec:
       workspaces:
         - name: basic-auth
           workspace: git-auth
+    - name: run-opm-pre-actions
+      params:
+        - name: ociStorage
+          value: $(params.output-image).script
+        - name: ociArtifactExpiresAfter
+          value: $(params.image-expires-after)
+        - name: SCRIPT_RUNNER_IMAGE
+          value: quay.io/konflux-ci/yq:latest
+        # update catalog template
+        - name: SCRIPT
+          value: ./telco5g-konflux/scripts/catalog/konflux-update-catalog-template.sh --set-catalog-template-input-file .konflux/catalog/catalog-template.in.yaml --set-bundle-builds-file .konflux/catalog/bundle.builds.in.yaml
+        - name: HERMETIC
+          value: $(params.hermetic)
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+      runAfter:
+        - clone-repository
+      taskRef:
+        params:
+        - name: name
+          value: run-script-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-run-script-oci-ta:0.1@sha256:834a934f1e631a79aea7f2d001162cf90086e664e648c8ca15b69ad9798571ee
+        - name: kind
+          value: task
+        resolver: bundles
+    - name: run-opm-command
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.run-opm-pre-actions.results.SCRIPT_ARTIFACT)
+        - name: ociStorage
+          value: $(params.output-image).opm
+        - name: ociArtifactExpiresAfter
+          value: $(params.image-expires-after)
+        - name: OPM_ARGS
+          value:
+            - alpha
+            - render-template
+            - basic
+            # arg for OCP 4.17 and newer
+            - "--migrate-level=bundle-object-to-csv-metadata"
+            - ".konflux/catalog/catalog-template.in.yaml"
+        - name: OPM_OUTPUT_PATH
+          value: ".konflux/catalog/topology-aware-lifecycle-manager/catalog.json"
+        # replace catalog.json pullspecs with idms config
+        - name: IDMS_PATH
+          value: ".konflux/catalog/catalog-idms.yaml"
+        - name: FILE_TO_UPDATE_PULLSPEC
+          value: ".konflux/catalog/topology-aware-lifecycle-manager/catalog.json"
+      runAfter:
+        - run-opm-pre-actions
+      taskRef:
+        params:
+          - name: name
+            value: run-opm-command-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-run-opm-command-oci-ta:0.1@sha256:4ab5dba35166a976c3d6293913501fdfc79a3222395388fc6208641ab8bc9359
+          - name: kind
+            value: task
+        resolver: bundles
     - name: prefetch-dependencies
       params:
         - name: input
           value: $(params.prefetch-input)
         - name: SOURCE_ARTIFACT
-          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+          value: $(tasks.run-opm-command.results.SOURCE_ARTIFACT)
         - name: ociStorage
           value: $(params.output-image).prefetch
         - name: ociArtifactExpiresAfter
           value: $(params.image-expires-after)
       runAfter:
-        - clone-repository
+        - run-opm-command
       taskRef:
         params:
           - name: name
@@ -202,6 +262,9 @@ spec:
           value: $(params.build-args-file)
         - name: SOURCE_ARTIFACT
           value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: ADDITIONAL_BASE_IMAGES
+          value:
+            - $(tasks.run-opm-pre-actions.results.SCRIPT_RUNNER_IMAGE_REFERENCE)
         - name: CACHI2_ARTIFACT
           value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
         - name: IMAGE_APPEND_PLATFORM

.tekton/topology-aware-lifecycle-manager-fbc-4-21-pull-request.yaml

@@ -47,9 +47,8 @@ spec:
       value: .konflux/container_build_args.conf
     - name: additional-tags
       value: []
-    # We have configured an fbc exception for hermetic builds on the release repo.
     - name: hermetic
-      value: "false"
+      value: "true"
   pipelineRef:
     name: fbc-pipeline
   taskRunTemplate:

.tekton/topology-aware-lifecycle-manager-fbc-4-21-push.yaml

@@ -44,9 +44,8 @@ spec:
       value: .konflux/container_build_args.conf
     - name: additional-tags
       value: ["latest"]
-    # We have configured an fbc exception for hermetic builds on the release repo.
     - name: hermetic
-      value: "false"
+      value: "true"
   pipelineRef:
     name: fbc-pipeline
   taskRunTemplate:

Makefile

@@ -86,7 +86,8 @@ CRD_OPTIONS ?= "crd"
 PACKAGE_NAME_KONFLUX = topology-aware-lifecycle-manager
 CATALOG_TEMPLATE_KONFLUX_INPUT = .konflux/catalog/catalog-template.in.yaml
 CATALOG_TEMPLATE_KONFLUX_OUTPUT = .konflux/catalog/catalog-template.out.yaml
-CATALOG_KONFLUX = .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.yaml
+CATALOG_OUTPUT_FORMAT = json
+CATALOG_KONFLUX = .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.$(CATALOG_OUTPUT_FORMAT)
 
 # Konflux bundle image configuration
 BUNDLE_NAME_SUFFIX = bundle-4-21
@@ -211,7 +212,7 @@ unittests: pre-cache-unit-test
 		rm -f recovery-coverage.out; \
 	fi
 	@echo "Coverage report generated: coverage.out"
-	
+
 .PHONY: common-deps-update
 common-deps-update:	controller-gen kustomize
 	go mod tidy
@@ -566,9 +567,9 @@ sync-git-submodules:
 .PHONY: konflux-fix-catalog-name
 konflux-fix-catalog-name: ## Fix catalog package name for TALM
 	if [ "$$(uname)" = "Darwin" ]; then \
-		sed -i '' 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.yaml; \
+		sed -i '' 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' $(CATALOG_KONFLUX); \
 	else \
-		sed -i 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' .konflux/catalog/$(PACKAGE_NAME_KONFLUX)/catalog.yaml; \
+		sed -i 's/cluster-group-upgrades-operator/topology-aware-lifecycle-manager/g' $(CATALOG_KONFLUX); \
 	fi
 
 .PHONY: konflux-validate-catalog-template-bundle
@@ -592,6 +593,7 @@ konflux-generate-catalog: sync-git-submodules yq opm ## generate a quay.io catal
 		CATALOG_TEMPLATE_KONFLUX_INPUT=$(PROJECT_DIR)/$(CATALOG_TEMPLATE_KONFLUX_INPUT) \
 		CATALOG_TEMPLATE_KONFLUX_OUTPUT=$(PROJECT_DIR)/$(CATALOG_TEMPLATE_KONFLUX_OUTPUT) \
 		CATALOG_KONFLUX=$(PROJECT_DIR)/$(CATALOG_KONFLUX) \
+		CATALOG_OUTPUT_FORMAT=$(CATALOG_OUTPUT_FORMAT) \
 		PACKAGE_NAME_KONFLUX=$(PACKAGE_NAME_KONFLUX) \
 		BUNDLE_BUILDS_FILE=$(PROJECT_DIR)/.konflux/catalog/bundle.builds.in.yaml \
 		OPM=$(OPM) \
@@ -605,6 +607,7 @@ konflux-generate-catalog-production: sync-git-submodules yq opm ## generate a re
 		CATALOG_TEMPLATE_KONFLUX_INPUT=$(PROJECT_DIR)/$(CATALOG_TEMPLATE_KONFLUX_INPUT) \
 		CATALOG_TEMPLATE_KONFLUX_OUTPUT=$(PROJECT_DIR)/$(CATALOG_TEMPLATE_KONFLUX_OUTPUT) \
 		CATALOG_KONFLUX=$(PROJECT_DIR)/$(CATALOG_KONFLUX) \
+		CATALOG_OUTPUT_FORMAT=$(CATALOG_OUTPUT_FORMAT) \
 		PACKAGE_NAME_KONFLUX=$(PACKAGE_NAME_KONFLUX) \
 		BUNDLE_NAME_SUFFIX=$(BUNDLE_NAME_SUFFIX) \
 		PRODUCTION_BUNDLE_NAME=$(PRODUCTION_BUNDLE_NAME) \