|
| 1 | +# operator-pipelines |
| 2 | + |
| 3 | +For a concise summary of the project's purpose, read [pipelines overview](docs/users/pipelines_overview.md). |
| 4 | + |
| 5 | +**Toolchain:** Python, Poetry, tox, Ansible, Tekton (OpenShift Pipelines) |
| 6 | + |
| 7 | +## Architecture |
| 8 | + |
| 9 | +- **Tekton pipelines** (`ansible/roles/operator-pipeline/templates/openshift/pipelines/`) define the end-to-end flows. The main pipelines are: |
| 10 | + - `operator-ci-pipeline.yml` — ISV CI pipeline for partners to test operators on their own infrastructure without submitting to Red Hat. |
| 11 | + - `operator-hosted-pipeline.yml` — Hosted pipeline that accepts operator submissions, runs linting, static checks and dynamic tests (preflight checks), and communicates with Red Hat internal systems to control certification flow. Used for both ISV and community operators. |
| 12 | + - `operator-release-pipeline.yml` — Release pipeline that distributes operators to index images (community-operator-index, certified-operator-index, redhat-marketplace-index). |
| 13 | +- **Tekton tasks** (`ansible/roles/operator-pipeline/templates/openshift/tasks/`) are the individual pipeline steps. Tasks typically invoke a Python entrypoint as its container command. See `apply-test-waivers.yml` for a minimal example. |
| 14 | +- **Python core logic** (`operatorcert/` covered by unit tests in structurally matching `tests/` folder) — Entrypoints in `operatorcert/entrypoints` registered in `pyproject.toml` as `[project.scripts]` are directly used by Tekton tasks. The `operatorcert` also includes Pyxis, IIB, GitHub, OPM clients and bundle/catalog models used by entrypoints. |
| 15 | +- **Documentation** (`docs/`, user-facing `docs/user/`) |
| 16 | + |
| 17 | +## Conventions for making changes to the pipelines |
| 18 | + |
| 19 | +- Avoid including credentials within Task scripts. |
| 20 | + - Avoid the use of `set -x` in shell scripts which _could_ expose credentials |
| 21 | + to the console. |
| 22 | +- Don't use workspaces for passing secrets. Use `secretKeyRef` and `volumeMount` |
| 23 | + with secret and key names instead. |
| 24 | + - Reason: It adds unnecessary complexity to `tkn` commands. |
| 25 | +- Use images from trusted registries/namespaces. |
| 26 | + - registry.redhat.io |
| 27 | + - registry.access.redhat.com |
| 28 | + - quay.io/redhat-isv |
| 29 | + - quay.io/opdev |
| 30 | +- Use image pull specs with digests instead of tags wherever possible. |
| 31 | +- Tasks must implement their own skipping behavior, if needed. |
| 32 | + - Reason: If a task is not executed, any dependent tasks will not be |
| 33 | + executed either. |
| 34 | +- Don't use ClusterTasks or upstream tasks. All tasks are defined in this repo. |
| 35 | +- Document all params, especially pipeline params. |
| 36 | +- Output human readable logs. |
| 37 | +- Use reasonable defaults for params wherever possible. |
| 38 | + |
| 39 | +## PR Conventions |
| 40 | + |
| 41 | +- Run `tox` (all environments) before submitting. For all the details about the tox environments including unit testing, linting, type checking, formatting, etc. use `skills/running-tests-and-quality-gates`. This includes single-file verification commands, like `poetry run black --check path/to/file.py`, `poetry run mypy --strict --ignore-missing-imports path/to/file.py`, etc. |
| 42 | +- Integration tests should NOT be run by an agent as they can take a lot of time to finish and generate extensive logs. Upon asking, agent should inform the developer about the integration tests setup and how to run them manually using `skills/integration-tests/`. |
| 43 | +- Test coverage of code should remain at 100%. |
| 44 | +- All of the quality gates above are enforced in CI. |
0 commit comments