rh-gitops-midstream
diff --git a/‎.tekton/MIGRATION_SUMMARY.md‎
Lines changed: 196 additions & 0 deletions b/‎.tekton/MIGRATION_SUMMARY.md‎
Lines changed: 196 additions & 0 deletions
diff --git a/‎.tekton/integration-tests/pipelines/gitops-bundle-lowest-integration-test-pipeline.yaml‎
Lines changed: 53 additions & 6 deletions b/‎.tekton/integration-tests/pipelines/gitops-bundle-lowest-integration-test-pipeline.yaml‎
Lines changed: 53 additions & 6 deletions
@@ -0,0 +1,196 @@
+# Migration to Containerized Test Scripts
+
+## What Was Changed
+
+### 1. Created Test Runner Image (`.tekton/test-image/`)
+
+**New directory structure:**
+```
+.tekton/test-image/
+├── Dockerfile                              # Container image with all dependencies
+├── scripts/                                # All test logic lives here
+│   ├── install-operator-bundle.sh          # Migrated from inline YAML script
+│   ├── install-operator-subscription.sh    # For catalog testing
+│   ├── run-e2e-tests.sh                    # Migrated from run-gitops-operator-e2e-minimal
+│   └── run-dast-scan.sh                    # For DAST security scans
+├── config/
+│   └── image-mirrors.yaml                  # Centralized mirror configuration
+└── README.md                               # Local testing guide
+```
+
+**Key benefits:**
+- All scripts are now executable bash files (not YAML heredocs)
+- Scripts configured via environment variables only
+- Can be tested locally with `docker run`
+- Version controlled with the code
+
+### 2. Created Kaniko Build Task (`.tekton/tasks/build-test-image-kaniko.yaml`)
+
+Based on proven GitLab CI pattern:
+- Uses Kaniko (unprivileged, no daemon required)
+- Quay caching enabled for fast rebuilds
+- Tags images with commit SHA for traceability
+- Images expire after 7 days
+
+### 3. Created Thin Wrapper StepActions
+
+**`.tekton/steps/install-operator.yaml`:**
+- Replaces `install-gitops-operator-bundle.yaml`
+- Thin wrapper that just calls `/scripts/install-operator-bundle.sh`
+- Uses test image built from PR code
+
+**`.tekton/steps/run-tests.yaml`:**
+- Replaces `run-gitops-operator-e2e-minimal.yaml`
+- Routes to appropriate test script based on `testType` parameter
+- Supports: e2e, dast (extensible for more)
+
+### 4. Updated Release Pipeline
+
+**Changes to `gitops-bundle-lowest-integration-test-pipeline.yaml`:**
+
+1. **Added workspace:**
+   ```yaml
+   workspaces:
+     - name: shared-workspace
+   ```
+
+2. **Added build-test-image task:**
+   ```yaml
+   - name: build-test-image
+     runAfter: [extract-step-actions-ref]
+     # Builds test image from PR commit
+     # Result: IMAGE_URL used by all subsequent steps
+   ```
+
+3. **Updated install-operator task:**
+   - Now depends on `build-test-image`
+   - Uses new `.tekton/steps/install-operator.yaml` wrapper
+   - Passes `testImage` parameter
+
+4. **Updated test-operator task:**
+   - Uses new `.tekton/steps/run-tests.yaml` wrapper
+   - Passes `testImage` and `testType: e2e`
+
+## Self-Testability Preserved
+
+The pipeline still tests with PR code:
+
+```
+SNAPSHOT → extract-step-actions-ref → SOURCE_URL + SOURCE_REVISION
+                                            ↓
+                                      build-test-image
+                                            ↓
+                                      Image tagged: abc12345
+                                            ↓
+                                All steps use this image
+```
+
+**Result:** Scripts from the PR are baked into the image and used for testing.
+
+## Migration Impact
+
+### What Still Works ✅
+- Self-testability (tests use PR code)
+- Extract-step-actions-ref pattern
+- Parallel execution (cluster provision + image build)
+- All existing functionality preserved
+
+### What's Better ✅
+- Scripts testable locally (`docker run`)
+- Faster iteration (edit bash, not YAML)
+- Easier debugging (pull exact image, run interactively)
+- No inline heredocs (proper syntax highlighting)
+- No hardcoded values in scripts (env vars only)
+
+### What's New ✅
+- Kaniko caching (faster rebuilds)
+- Image expiration (auto-cleanup)
+- Extensible test framework (easy to add new test types)
+
+## How to Test Locally
+
+### Build Test Image
+
+```bash
+cd .tekton/test-image
+docker build -t gitops-test-runner:dev .
+```
+
+### Test Install Script
+
+```bash
+docker run --rm -it \
+  -e BUNDLE_IMAGE="quay.io/.../bundle:latest" \
+  -e KUBECONFIG="/kube/config" \
+  -v ~/.kube/config:/kube/config:ro \
+  gitops-test-runner:dev \
+  /scripts/install-operator-bundle.sh
+```
+
+### Test E2E Script
+
+```bash
+docker run --rm -it \
+  -e KUBECONFIG="/kube/config" \
+  -e BRANCH="master" \
+  -v ~/.kube/config:/kube/config:ro \
+  -v $(pwd)/workspace:/workspace \
+  gitops-test-runner:dev \
+  /scripts/run-e2e-tests.sh
+```
+
+See `.tekton/test-image/README.md` for complete local testing guide.
+
+## Required Secret
+
+The pipeline now needs a secret for pushing test images to Quay:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitops-test-runner-image-push
+  namespace: rh-openshift-gitops-tenant
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: <base64-encoded-docker-config>
+```
+
+This should have push access to:
+`quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/gitops-test-runner`
+
+## Rollback Plan
+
+If issues are found, the backup is at:
+```
+.tekton/integration-tests/pipelines/gitops-bundle-lowest-integration-test-pipeline.yaml.backup
+```
+
+To rollback:
+```bash
+cd .tekton/integration-tests/pipelines/
+mv gitops-bundle-lowest-integration-test-pipeline.yaml gitops-bundle-lowest-integration-test-pipeline.yaml.new
+mv gitops-bundle-lowest-integration-test-pipeline.yaml.backup gitops-bundle-lowest-integration-test-pipeline.yaml
+```
+
+## Next Steps
+
+### Testing
+1. Create the `gitops-test-runner-image-push` secret
+2. Trigger a pipeline run
+3. Verify image builds successfully
+4. Verify tests pass using the built image
+
+### Future Enhancements
+1. Add DAST scan to release pipeline (use `testType: dast`)
+2. Add smoke tests (`/scripts/run-smoke-tests.sh`)
+3. Add performance tests (`/scripts/run-performance-tests.sh`)
+4. Migrate catalog repo to use same test image
+
+## Questions?
+
+See:
+- `.tekton/test-image/README.md` - Local testing guide
+- `.tekton/tasks/build-test-image-kaniko.yaml` - Image build process
+- `.tekton/steps/install-operator.yaml` - Thin wrapper pattern
+- `.tekton/steps/run-tests.yaml` - Test routing logic
@@ -7,6 +7,9 @@ spec:
   description: |
     An integration test which provisions an ephemeral Hypershift cluster and deploys an Operator
     bundle from a Konflux snapshot.
+  workspaces:
+    - name: shared-workspace
+      description: Shared workspace for git clone and Kaniko builds
   params:
     - description: Snapshot of the application
       name: SNAPSHOT
@@ -165,6 +168,33 @@ spec:
               with open("$(results.STEP_ACTIONS_REVISION.path)", "w") as f:
                   f.write(rev)
 
+    # Build test image using Kaniko - runs early so it's ready when needed
+    - name: build-test-image
+      runAfter:
+        - extract-step-actions-ref
+      taskRef:
+        resolver: git
+        params:
+          - name: url
+            value: $(tasks.extract-step-actions-ref.results.STEP_ACTIONS_URL)
+          - name: revision
+            value: $(tasks.extract-step-actions-ref.results.STEP_ACTIONS_REVISION)
+          - name: pathInRepo
+            value: .tekton/tasks/build-test-image-kaniko.yaml
+      params:
+        - name: SOURCE_URL
+          value: $(tasks.extract-step-actions-ref.results.STEP_ACTIONS_URL)
+        - name: SOURCE_REVISION
+          value: $(tasks.extract-step-actions-ref.results.STEP_ACTIONS_REVISION)
+        - name: IMAGE_EXPIRES_AFTER
+          value: "7d"
+      workspaces:
+        - name: source
+          workspace: shared-workspace
+        - name: dockerconfig
+          secret:
+            secretName: gitops-test-runner-image-push
+
     - name: parse-metadata
       taskRef:
         resolver: git
@@ -446,7 +476,10 @@ spec:
       runAfter:
         - provision-cluster
         - patch-bundle-images
+        - build-test-image
       params:
+        - name: testImage
+          value: "$(tasks.build-test-image.results.IMAGE_URL)"
         - name: bundleImage
           value: "$(tasks.patch-bundle-images.results.patchedBundleImage)"
         - name: namespace
@@ -463,6 +496,8 @@ spec:
           value: $(tasks.extract-step-actions-ref.results.STEP_ACTIONS_REVISION)
       taskSpec:
         params:
+          - name: testImage
+            type: string
           - name: bundleImage
             type: string
           - name: namespace
@@ -507,14 +542,18 @@ spec:
                 - name: revision
                   value: $(params.STEP_ACTIONS_REVISION)
                 - name: pathInRepo
-                  value: .tekton/steps/install-gitops-operator-bundle.yaml
+                  value: .tekton/steps/install-operator.yaml
             params:
-              - name: installTimeout
-                value: "$(params.INSTALL_TIMEOUT)"
+              - name: testImage
+                value: $(params.testImage)
+              - name: installMethod
+                value: bundle
               - name: bundleImage
                 value: "$(params.bundleImage)"
               - name: namespace
                 value: "openshift-gitops-operator"
+              - name: installTimeout
+                value: "$(params.installTimeout)"
               - name: credentials
                 value: credentials
               - name: kubeconfig
@@ -523,6 +562,8 @@ spec:
       runAfter:
         - install-operator
       params:
+        - name: testImage
+          value: "$(tasks.build-test-image.results.IMAGE_URL)"
         - name: eaasSpaceSecretRef
           value: $(tasks.provision-eaas-space.results.secretRef)
         - name: clusterName
@@ -533,6 +574,8 @@ spec:
           value: $(tasks.extract-step-actions-ref.results.STEP_ACTIONS_REVISION)
       taskSpec:
         params:
+          - name: testImage
+            type: string
           - name: eaasSpaceSecretRef
             type: string
           - name: clusterName
@@ -571,13 +614,17 @@ spec:
                 - name: revision
                   value: $(params.STEP_ACTIONS_REVISION)
                 - name: pathInRepo
-                  value: .tekton/steps/run-gitops-operator-e2e-minimal.yaml
+                  value: .tekton/steps/run-tests.yaml
             params:
+              - name: testImage
+                value: $(params.testImage)
+              - name: testType
+                value: e2e
               - name: credentials
                 value: credentials
               - name: kubeconfig
                 value: "$(steps.get-kubeconfig.results.kubeconfig)"
-              - name: branch
+              - name: testBranch
                 value: master
-              - name: test_dir
+              - name: testDir
                 value: "./test/openshift/e2e/ginkgo/parallel"