add internal registry

Signed-off-by: Per Goncalves da Silva <[email protected]>

.github/workflows/e2e-tests.yml

@@ -22,19 +22,6 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
-      # add the fixtures changed flag (UPDATE_FIXTURES) to the job output to others can use it
-      - name: Rebuild fixtures if necessary
-        id: fixtures
-        run: |
-          UPDATE_FIXTURES="$(scripts/e2e_test_fixtures.sh --check)"
-          if [ "${UPDATE_FIXTURES}" == "true" ]; then
-            # rebuild fixtures and export the images to .tar.gz files with --save
-            scripts/e2e_test_fixtures.sh --save
-          fi
-          
-          # Add UPDATE_FIXTURES to the job output
-          echo "UPDATE_FIXTURES=${UPDATE_FIXTURES}" >> $GITHUB_OUTPUT
-
       # build binaries and image for e2e test (includes experimental features)
       - name: Build OLM Image
         run: |
@@ -106,7 +93,7 @@ jobs:
             KIND_CREATE_OPTS="--kubeconfig=${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \
             HELM_INSTALL_OPTS="--kubeconfig ${E2E_KUBECONFIG_ROOT}/kubeconfig-${i}" \
             UPDATE_FIXTURES="${{ needs.build.outputs.UPDATE_FIXTURES }}" \
-            make kind-create deploy;
+            make kind-create image-registry build-and-load-e2e-fixture-images deploy;
           done
 
       # run non-flakes if matrix-id is not 'flakes'

Makefile

@@ -210,13 +210,26 @@ kind-create: kind-clean #HELP Create a new kind cluster $KIND_CLUSTER_NAME (defa
 	$(KIND) create cluster --name $(KIND_CLUSTER_NAME) --image $(KIND_CLUSTER_IMAGE) $(KIND_CREATE_OPTS)
 	$(KIND) export kubeconfig --name $(KIND_CLUSTER_NAME)
 
+.PHONY: image-registry
+E2E_REGISTRY_NAME := docker-registry
+E2E_REGISTRY_NAMESPACE := olm-e2e
+export REGISTRY_ROOT := $(E2E_REGISTRY_NAME).$(E2E_REGISTRY_NAMESPACE).svc:5000
+export CATALOG_IMG := $(REGISTRY_ROOT)/test-catalog:e2e
+image-registry: ## Setup in-cluster image registry
+	./scripts/image_registry.sh "$(E2E_REGISTRY_NAMESPACE)" "$(E2E_REGISTRY_NAME)"
+
+.PHONY: build-and-load-e2e-fixture-images
+build-and-load-e2e-fixture-images: # Build e2e fixture images and either kind-load or push them to an on-cluster registry
+	# build and kind-load fixture images
+	scripts/e2e_test_fixtures.sh --kind-load
+
+	# push the test-catalog to an on-cluster registry
+	./scripts/publish_e2e_catalog.sh $(E2E_REGISTRY_NAMESPACE) $(CATALOG_IMG)
+
 .PHONY: deploy
 OLM_IMAGE := quay.io/operator-framework/olm:local
 deploy: $(KIND) $(HELM) #HELP Deploy OLM to kind cluster $KIND_CLUSTER_NAME (default: kind-olmv0) using $OLM_IMAGE (default: quay.io/operator-framework/olm:local)
 	$(KIND) load docker-image $(OLM_IMAGE) --name $(KIND_CLUSTER_NAME)
-	@if [ "${UPDATE_FIXTURES}" = "true" ]; then \
-		scripts/e2e_test_fixtures.sh --kind-load --skip-build; \
-	fi
 	$(HELM) upgrade --install olm deploy/chart \
 		--set debug=true \
 		--set olm.image.ref=$(OLM_IMAGE) \

scripts/e2e_test_fixtures.sh

@@ -128,6 +128,8 @@ if [ "$BUILD" = "true" ]; then
   # See catalog_e2e_test.go
   # let's just reuse one of the other catalogs for this - the tests don't care about the content
   # only that a catalog's content can be extracted and served by a different container
+  # There is no point in kind-loading this image since the image pull policy is AlwaysPull
+  # This image will be published in an on cluster registry
   ${CONTAINER_RUNTIME} tag "${INDEX_V2}" "${TEST_CATALOG_IMAGE}"
 fi
 
@@ -139,7 +141,6 @@ if [ "$LOAD_KIND" = true ]; then
   ${KIND} load docker-image --name="${KIND_CLUSTER_NAME}" "${BUNDLE_V2_DEP_IMAGE}"
   ${KIND} load docker-image --name="${KIND_CLUSTER_NAME}" "${INDEX_V1}"
   ${KIND} load docker-image --name="${KIND_CLUSTER_NAME}" "${INDEX_V2}"
-  ${KIND} load docker-image --name="${KIND_CLUSTER_NAME}" "${TEST_CATALOG_IMAGE}"
 fi
 
 # Assumes images are already built
@@ -152,8 +153,6 @@ if [ "${SAVE}" = true ]; then
 
   ${CONTAINER_RUNTIME} save "${INDEX_V1}" | gzip > indexv1.tar.gz
   ${CONTAINER_RUNTIME} save "${INDEX_V2}" | gzip > indexv2.tar.gz
-
-  ${CONTAINER_RUNTIME} save "${TEST_CATALOG_IMAGE}" | gzip > testcatalog.tar.gz
 fi
 
 # Assumes images are already built
@@ -167,7 +166,4 @@ if [ "$PUSH" = true ]; then
   # push indexes
   ${CONTAINER_RUNTIME} push "${INDEX_V1}"
   ${CONTAINER_RUNTIME} push "${INDEX_V2}"
-
-  # push test catalog
-  ${CONTAINER_RUNTIME} push "${TEST_CATALOG_IMAGE}"
 fi

scripts/generate_registry_cert.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+set -x
+
+help="
+generate_registry_cert.sh is a script to generate the self-signed certificates used by the internal registry.
+Usage:
+  generate_registry_cert.sh [NAMESPACE] [NAME]
+
+Argument Descriptions:
+  - NAMESPACE is the namespace that should be created and is the namespace in which the image registry will be created
+  - NAME is the name that should be used for the image registry Deployment and Service
+"
+
+if [[ "$#" -ne 2 ]]; then
+  echo "Illegal number of arguments passed"
+  echo "${help}"
+  exit 1
+fi
+
+namespace=$1
+name=$2
+
+# Generate ECDSA private key
+openssl ecparam -genkey -name prime256v1 -out tls.key
+
+# Create CSR configuration file (csr.conf)
+cat <<EOF > csr.conf
+[ req ]
+prompt = no
+distinguished_name = dn
+x509_extensions = v3_req
+req_extensions = req_ext
+
+[ dn ]
+CN = ${name}.${namespace}.svc
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = ${name}.${namespace}.svc
+DNS.2 = ${name}.${namespace}.cluster.local
+EOF
+
+# Generate CSR
+openssl req -new -key tls.key -out tls.csr -config csr.conf
+
+# Create certificate configuration file (cert.conf)
+cat <<EOF > cert.conf
+[ req ]
+prompt = no
+distinguished_name = dn
+x509_extensions = v3_req
+req_extensions = req_ext
+
+[ dn ]
+CN = ${name}.${namespace}.svc
+
+[ v3_req ]
+subjectAltName = @alt_names
+basicConstraints = CA:TRUE
+
+[ alt_names ]
+DNS.1 = ${name}.${namespace}.svc
+DNS.2 = ${name}.${namespace}.cluster.local
+EOF
+
+# Generate self-signed certificate
+openssl req -x509 -key tls.key -in tls.csr -out tls.crt -days 3650 -config cert.conf
+
+# Remove temporary files
+rm -rf cert.conf csr.conf tls.csr

scripts/image_registry.sh

@@ -0,0 +1,100 @@
+#! /bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+set -x
+
+help="
+image_registry.sh is a script to stand up an image registry within a cluster.
+Usage:
+  image_registry.sh [NAMESPACE] [NAME]
+
+Argument Descriptions:
+  - NAMESPACE is the namespace that should be created and is the namespace in which the image registry will be created
+  - NAME is the name that should be used for the image registry Deployment and Service
+"
+
+if [[ "$#" -ne 2 ]]; then
+  echo "Illegal number of arguments passed"
+  echo "${help}"
+  exit 1
+fi
+
+namespace=$1
+name=$2
+
+# Generate self-signed TLS certificate
+./scripts/generate_registry_cert.sh "${namespace}" "${name}"
+
+# Read and base64 encode the certificate and key files
+CERT_FILE=$(cat "tls.crt" | base64 | tr -d '\n')
+KEY_FILE=$(cat "tls.key" | base64 | tr -d '\n')
+
+kubectl apply -f - << EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${namespace}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${namespace}-registry
+  namespace: ${namespace}
+type: Opaque
+data:
+  tls.crt: "${CERT_FILE}"
+  tls.key: "${KEY_FILE}"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${name}
+  namespace: ${namespace}
+  labels:
+    app: registry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: registry
+  template:
+    metadata:
+      labels:
+        app: registry
+    spec:
+      containers:
+      - name: registry
+        image: registry:2
+        volumeMounts:
+        - name: certs-vol
+          mountPath: "/certs"
+        env:
+        - name: REGISTRY_HTTP_TLS_CERTIFICATE
+          value: "/certs/tls.crt"
+        - name: REGISTRY_HTTP_TLS_KEY
+          value: "/certs/tls.key"
+      volumes:
+        - name: certs-vol
+          secret:
+            secretName: ${namespace}-registry
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${name}
+  namespace: ${namespace}
+spec:
+  selector:
+    app: registry
+  ports:
+  - port: 5000
+    targetPort: 5000
+EOF
+
+kubectl wait --for=condition=Available -n "${namespace}" "deploy/${name}" --timeout=60s
+
+# Alternatively, just generate the pair once and save it to the repo. But then in 10 years we might need to generate a new certificate!
+rm -rf tls.crt tls.key

scripts/publish_e2e_catalog.sh

@@ -0,0 +1,73 @@
+#! /bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+help="
+build-push-e2e-catalog.sh is a script to build and push the e2e catalog image using kaniko.
+Usage:
+  build-push-e2e-catalog.sh [NAMESPACE] [TAG]
+
+Argument Descriptions:
+  - NAMESPACE is the namespace the kaniko Job should be created in
+  - TAG is the full tag used to build and push the catalog image
+"
+
+if [[ "$#" -ne 2 ]]; then
+  echo "Illegal number of arguments passed"
+  echo "${help}"
+  exit 1
+fi
+
+namespace=$1
+tag=$2
+
+OPM_VERSION=${OPM_VERSION:-"latest"}
+
+echo "${namespace}" "${tag}"
+
+# Delete existing configmaps
+kubectl delete configmap -n "${namespace}" test-catalog.dockerfile --ignore-not-found
+kubectl delete configmap -n "${namespace}" test-catalog.build-contents --ignore-not-found
+
+kubectl create configmap -n "${namespace}" --from-file=test/images/test-catalog/dockerfile test-catalog.dockerfile
+kubectl create configmap -n "${namespace}" --from-file=test/images/test-catalog/configs test-catalog.build-contents
+
+kubectl apply -f - << EOF
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kaniko
+  namespace: "${namespace}"
+spec:
+  template:
+    spec:
+      containers:
+      - name: kaniko
+        image: gcr.io/kaniko-project/executor:latest
+        args: [ "--build-arg=OPM_VERSION=${OPM_VERSION}",
+                "--dockerfile=/workspace/dockerfile",
+                "--context=/workspace",
+                "--destination=${tag}",
+                "--verbosity=trace",
+                "--skip-tls-verify"]
+        volumeMounts:
+          - name: dockerfile
+            mountPath: /workspace/
+          - name: build-contents
+            mountPath: /workspace/configs/
+      restartPolicy: Never
+      volumes:
+        - name: dockerfile
+          configMap:
+            name: test-catalog.dockerfile
+            items:
+              - key: dockerfile
+                path: dockerfile
+        - name: build-contents
+          configMap:
+            name: test-catalog.build-contents
+EOF
+
+kubectl wait --for=condition=Complete -n "${namespace}" jobs/kaniko --timeout=60s

test/e2e/catalog_e2e_test.go

@@ -41,6 +41,7 @@ const (
 	openshiftregistryFQDN = "image-registry.openshift-image-registry.svc:5000"
 	catsrcImage           = "docker://quay.io/olmtest/catsrc-update-test:"
 	badCSVDir             = "bad-csv"
+	testCatalogImage      = "docker-registry.olm-e2e.svc:5000/test-catalog:e2e"
 )
 
 var _ = Describe("Starting CatalogSource e2e tests", func() {
@@ -49,7 +50,6 @@ var _ = Describe("Starting CatalogSource e2e tests", func() {
 		c                   operatorclient.ClientInterface
 		crc                 versioned.Interface
 		packageserverClient *packageserverclientset.Clientset
-		testCatalogImage    string
 	)
 
 	BeforeEach(func() {
@@ -68,7 +68,6 @@ var _ = Describe("Starting CatalogSource e2e tests", func() {
 		c = ctx.Ctx().KubeClient()
 		crc = ctx.Ctx().OperatorClient()
 		packageserverClient = packageserverclientset.NewForConfigOrDie(ctx.Ctx().RESTConfig())
-		testCatalogImage = fmt.Sprintf("quay.io/olmtest/test-catalog:v%s", testOpmVersion)
 	})
 
 	AfterEach(func() {

test/images/test-catalog/configs/.indexignore

@@ -0,0 +1,2 @@
+/expected_all.json
+..*