Step: optional-operators-cvp-common-scorecard

The operator CVP scorecard test for bundle images from the Brew registry.

Container image used for this step: ci/cvp-operator-scorecard:v1

ci/cvp-operator-scorecard:v1 resolves to an image imported from the specified imagestream tag on the build farm (documentation).

Environment

In addition to the default environment, the step exposes the following:

Variable Name Type Variable Content
BUNDLE_IMAGE Dependency[?] Pull specification for bundle-image image

Source Code

#!/bin/bash

# Strict mode: abort on the first failing command (-e), on any use of an unset
# variable (-u), and when any stage of a pipeline fails (pipefail).
set -euo pipefail
# Trace every command to stderr after expansion. Expanded values end up in the
# trace, so anything secret has to be handed over as a file path, not as a value.
set -o xtrace

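#######################################
# Run a scorecard command until it leaves a parseable, non-empty JSON report.
# Arguments:
#   $1 - name of the command or function that runs the tests and writes the report
#   $2 - path of the JSON report that $1 is expected to write
# Outputs:
#   progress messages on stdout; jq diagnostics on stderr
# Returns:
#   0 as soon as one attempt produces a report that jq accepts,
#   1 when three attempts have not produced one
#######################################
run_scorecard() {
  local test_cmd=$1
  local report=$2
  local retries_max=3
  local attempt_num
  local parsed

  for ((attempt_num = 1; attempt_num <= retries_max; attempt_num++)); do
    # Run the tests before looking at the report, so that a file left over from
    # an earlier run is never accepted as the result of this one.
    "$test_cmd"

    # The report is checked after every attempt, including the last one.
    # Both a clean jq exit and some output are required: on a truncated or
    # partly valid file jq can print leading values and still fail.
    if parsed=$(jq . "$report") && [[ -n "$parsed" ]]; then
      return 0
    fi

    if ((attempt_num == retries_max)); then
      echo "Retry attempt number: $attempt_num of $retries_max of scorecard tests failed. No more attempts. "
      return 1
    fi
    echo "Retry attempt number: $attempt_num of $retries_max failed. Retrying."
    sleep 5
  done

  # Only reachable if retries_max is ever set below 1.
  return 1
}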

#######################################
# Run operator-sdk scorecard with the basic configuration and store the JSON
# report in the artifacts directory.
# Globals (read): SCORECARD_CONFIG, NAMESPACE, KUBECONFIG, OPERATOR_DIR, ARTIFACT_DIR
# Outputs: writes ${ARTIFACT_DIR}/scorecard-output-basic.json
# Returns: always 0; the exit status of operator-sdk is deliberately discarded,
#          so the caller has to judge the run from the report file.
#######################################
basic_tests() {
  local report="${ARTIFACT_DIR}/scorecard-output-basic.json"
  local -a sdk_args=(
    scorecard
    --config "${SCORECARD_CONFIG}"
    --namespace "${NAMESPACE}"
    --kubeconfig "${KUBECONFIG}"
    --verbose
    --output json
    "${OPERATOR_DIR}"
  )

  operator-sdk "${sdk_args[@]}" > "${report}" || true
}

#######################################
# Run operator-sdk scorecard for the bundle-provided custom tests and store the
# JSON report in the artifacts directory. No --config is passed here.
# Globals (read): NAMESPACE, KUBECONFIG, SCORECARD_SERVICE_ACCOUNT, OPERATOR_DIR,
#                 ARTIFACT_DIR
# Outputs: writes ${ARTIFACT_DIR}/scorecard-output-custom.json
# Returns: always 0; the exit status of operator-sdk is deliberately discarded,
#          so the caller has to judge the run from the report file.
#######################################
custom_tests() {
  local report="${ARTIFACT_DIR}/scorecard-output-custom.json"
  local -a sdk_args=(
    scorecard
    --namespace="${NAMESPACE}"
    --kubeconfig "${KUBECONFIG}"
    --verbose
    --output json
    --wait-time 3000s
    --service-account "${SCORECARD_SERVICE_ACCOUNT}"
    "${OPERATOR_DIR}"
  )

  operator-sdk "${sdk_args[@]}" > "${report}" || true
}

# Defaults, applied only when the caller left the variable unset or empty.
# OPENSHIFT_AUTH is the path of the registry credentials file; only the path is
# ever expanded on a command line, never the file's contents.
: "${OPENSHIFT_AUTH:=/var/run/brew-pullsecret/.dockerconfigjson}"
# NOTE(review): the default scorecard config lives under /tmp; confirm that the
# step image or a mount provides it and that nothing else can write there.
: "${SCORECARD_CONFIG:=/tmp/config/scorecard-basic-config.yml}"

# Steps for running the basic operator-sdk scorecard test
# Expects the standard Prow environment variables to be set and
# the brew proxy registry credentials to be mounted

# Read the install namespace from the deployment details file in SHARED_DIR:
# grep selects every line containing "install_namespace:", cut keeps the text
# after the first ':', and xargs trims the surrounding whitespace.
# With errexit and pipefail set above, a missing file or key ends the script here.
# NOTE(review): the value is not validated before it is used as a namespace;
# several matching lines would be joined into one space-separated string.
NAMESPACE=$(grep "install_namespace:" "${SHARED_DIR}"/oo_deployment_details.yaml | cut -d ':' -f2 | xargs)

# Work from the artifacts directory for the rest of the script (this pushd is
# never popped), so the relative OPERATOR_DIR below resolves inside ARTIFACT_DIR.
pushd "${ARTIFACT_DIR}"
OPERATOR_DIR="test-operator"

echo "Starting the basic operator-sdk scorecard test for ${BUNDLE_IMAGE}"

echo "Extracting the operator bundle image into the operator directory"
mkdir -p "${OPERATOR_DIR}"
pushd "${OPERATOR_DIR}"
# Unpack the bundle image into the current directory, authenticating with the
# credentials file named by OPENSHIFT_AUTH. Everything that lands here comes
# from the bundle image and should be treated as untrusted input by later steps.
oc image extract "${BUNDLE_IMAGE}" --confirm -a "${OPENSHIFT_AUTH}"
# Make the extracted tree readable for group and others.
# NOTE(review): the tree sits inside ARTIFACT_DIR; presumably it is collected
# with the job artifacts, so confirm bundles never carry anything sensitive.
chmod -R go+r ./
popd
echo "Extracted the following bundle data:"
tree "${OPERATOR_DIR}"

echo "Running the operator-sdk scorecard test using the basic configuration, json output and storing it in the artifacts directory"
# run_scorecard retries basic_tests and uses jq to check the JSON report it writes.
run_scorecard basic_tests "${ARTIFACT_DIR}"/scorecard-output-basic.json

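# Custom scorecard tests are optional: they run only when the extracted bundle
# ships its own scorecard configuration.
if [ -f "${OPERATOR_DIR}/tests/scorecard/config.yaml" ]; then
  echo "CUSTOM SCORECARD TESTS DETECTED"

  # This file comes out of the bundle image, so every value read from it is
  # chosen by the bundle author, not by the pipeline.
  CUSTOM_SERVICE_ACCOUNT=$(/usr/local/bin/yq r "${OPERATOR_DIR}/tests/scorecard/config.yaml" 'serviceaccount')
  # Set the scorecard service account to the default value used by the command (`default`)
  SCORECARD_SERVICE_ACCOUNT="default"
  # Both an empty result and the literal "null" are treated as "not set".
  if [ "${CUSTOM_SERVICE_ACCOUNT}" != "" ] && [ "${CUSTOM_SERVICE_ACCOUNT}" != "null" ]; then
    # Accept only a well-formed Kubernetes object name (lowercase DNS subdomain,
    # at most 253 characters) before passing the value to oc. This keeps a
    # multi-line or option-like string from the bundle off the command line and
    # fails with a clear message instead of an oc error.
    SERVICE_ACCOUNT_NAME_RE='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
    if [[ ! "${CUSTOM_SERVICE_ACCOUNT}" =~ ${SERVICE_ACCOUNT_NAME_RE} ]] || (( ${#CUSTOM_SERVICE_ACCOUNT} > 253 )); then
      # %q keeps control characters in the rejected value out of the job log.
      printf 'Invalid serviceaccount value in the custom scorecard config: %q\n' "${CUSTOM_SERVICE_ACCOUNT}" >&2
      exit 1
    fi

    echo "Creating service account ${CUSTOM_SERVICE_ACCOUNT} for usage wih the custom scorecard"
    oc create serviceaccount "${CUSTOM_SERVICE_ACCOUNT}" -n "${NAMESPACE}"
    # NOTE(review): this grants cluster-admin to an account that the bundle
    # names and that the bundle's own tests run as. Confirm the target is
    # always a disposable test cluster, and consider a role scoped to what
    # scorecard tests need.
    # The binding name is fixed and cluster-scoped, so `oc create` fails (and
    # errexit ends the script) if a binding called default-sa-crb already exists.
    oc create clusterrolebinding default-sa-crb --clusterrole=cluster-admin --serviceaccount="${NAMESPACE}":"${CUSTOM_SERVICE_ACCOUNT}"
    SCORECARD_SERVICE_ACCOUNT="${CUSTOM_SERVICE_ACCOUNT}"
  fi

  echo "Running the operator-sdk scorecard test using the custom, bundle-provided configuration, json output and storing it in the artifacts directory"
  # Runs the custom scorecard tests using the user-provided configuration
  # The wait-time is set higher to allow for long/complex custom tests, should be kept under 1h to not exceed pipeline max time
  # If a custom service account is defined in the scorecard config, it will be set in the '--service-account' option
  run_scorecard custom_tests "${ARTIFACT_DIR}"/scorecard-output-custom.json
fi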

Properties

Property Value Description
Resource requests (cpu) 300m Used in .resources.requests of the pod running this step.
Resource requests (memory) 300Mi Used in .resources.requests of the pod running this step.

GitHub Link:

https://github.com/openshift/release/blob/master/ci-operator/step-registry/optional-operators/cvp-common/scorecard/optional-operators-cvp-common-scorecard-ref.yaml

Owners:

Approvers:
