QG 4 checks Release 24.03

[saudkhan116]

QG checks

Please keep this issue open until QG 24.03 is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Please keep this issue open until QG is concluded!

Product Name: Digital Product Pass
Dev SPOC: @matbmoser , @saudkhan116, @davidzynda, @dsrparracho
Helm Chart Version: v2.1.4
App Version: v2.1.3 -> https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v2.1.3
QG5 Approval: yes/no

Release Managemnet Reference Issue: eclipse-tractusx/sig-release#511

Check of Tractus-X Release Guidelines

• Currently implemented automatic checks can be found under your product on our Release Guidelines Checks Board
• This QG Check is depending on the mandatory information from our current Release Guidelines

TRG 1 Documentation

• TRG 1.01 appropriate README.md
• TRG 1.02 appropriate install instructions either INSTALL.md or in README.md #189
• TRG 1.03 appropriate CHANGELOG.md
• TRG 1.04 diagrams as code / editable static files #182

TRG 2 Git

• TRG 2.01 default branch is named main
• TRG 2.03 repository structure

Checks within TRG 2.03

• TRG 2.03 /docs directory contains detailed product related documentation for the Tractus-X product
• TRG 2.03 /charts directory contains the Helm chart for the Tractus-X product IF available
• TRG 2.03 AUTHORS.md file (optional) (TRG 2.03)
• TRG 2.03 CODE_OF_CONDUCT.md file (TRG 2.03)
• TRG 2.03 CONTRIBUTING.md file (TRG 2.03)
• TRG 2.03 DEPENDENCIES file(s) with up to date content (Dash tool generated) (TRG 2.03)
• TRG 2.03 LICENSE file (TRG 2.03)
• TRG 2.03 NOTICE.md file (TRG 2.03)
• TRG 2.03 SECURITY.md file (TRG 2.03)

• TRG 2.04 leading product repository

Checks within TRG 2.04

• TRG 2.04 repository name must be productname without prefix or suffix
• TRG 2.04 should contain the release
• TRG 2.04 references/urls to the product's other repositories
• TRG 2.04 might contain product helm chart(s)
• TRG 2.04 README.md: contains the urls for the underlying applications

• TRG 2.05 .tractusx metafile in a proper format
• TRG 2.06 Dependabot #183

TRG 3 Kubernetes

• TRG 3.02 persistent volume and persistent volume claim is used when needed

TRG 4 Container

• TRG 4.01 semantic versioning and tagging

• TRG 4.02 base image is agreed, use minor/major tag, use base images as-is #184

• TRG 4.03 image has USER command and Non Root Container #185

Checks within TRG 4.03

• TRG 4.03 deployment.yaml has runAsUser and allowPrivilegeEscalation: false properly set

• TRG 4.04 Image signing

• TRG 4.05 released image must be place DockerHub as mandatory container registry; remove GHCR references

• TRG 4.06 Notice File for DockerHub has all necessary information

  Checks within TRG 4.06

  • TRG 4.06 Link to the source of your base image (Container registry and GitHub if available) #188
  • TRG 4.06 Link to your product image on DockerHub
  • TRG 4.06 Link to your repository on GitHub
  • TRG 4.06 Direct link to the Dockerfile used to build your image
  • TRG 4.06 Link to LICENCE file in your repo as Project License (make clear, that this is the PROJECT licence, not an image license

• TRG 4.07 Read-only filesystems

TRG 5 Helm

• TRG 5.01 Helm chart must be released

Checks within TRG 5.01

• TRG 5.01 appropriate semantic versioning for version and appVersion has to be used in Chart.yaml
• TRG 5.01 must not contain any environment specific values-xyz.yaml #186
• TRG 5.01 values.yaml file must contain proper default values/placeholders
• TRG 5.01 No hostname provided for ingress
• TRG 5.01 Ingress is disabled
• TRG 5.01 No references to any secret engine service (e.g.: Hashicorp Vault)
• TRG 5.01 Dependencies should be prefixed with the nameOverride and/or fullnameOverride properties
• TRG 5.01 Image tag is set to the Chart.yaml appVersion property
• TRG 5.01 must be deployable to any environment without overwriting default values with a simple helm install command
• TRG 5.01 dependencies have to be declared in Chart.yaml NOT requirements.yml

• TRG 5.02 Helm chart location in /charts directory and correct structure

Checks within TRG 5.02

• TRG 5.02 each file must contain the Apache 2.0 Licence
• TRG 5.02 latest tag is not used in helm chart be default

charts/ 
    chartNameA/
      Chart.yaml
      ... 
    chartNameB/
      Chart.yaml
      ...
AUTHORS.md 
DEPENDENCIES.md 
LICENCE 
README.md 

• TRG 5.04 CPU / MEM resource requests and limits and are properly set
• TRG 5.05 Chart Values
• TRG 5.06 Application must be configurable through the Helm chart
• TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
• TRG 5.08 Product has a single deployable helm chart that contains all components

Checks within TRG 5.08

• TRG 5.08 name of the Chart should be just the product-name without prefix or suffix
• TRG 5.08 values file should contain all available variables (even from subcharts) with default values and comments about what they do
• TRG 5.08 helm install command should successfully install the chart to any supported Kubernetes version cluster (without overwriting default values)
• TRG 5.08 helm test runs without errors

• TRG 5.09 Helm Test running properly

Checks within TRG 5.09

• TRG 5.09 A GitHub action exist which builds or uses the helm chart which gets released
• TRG 5.09 The GitHub action can be triggered manually through Github WebUI manually running a workflow
• TRG 5.09 Helm test verifies that the application is up and running

• TRG 5.10 Products need to support 3 versions at a time

Checks within TRG 5.10

• TRG 5.10 latest (K8s version 1.25)
• TRG 5.10 latest - 1 (K8s version 1.24)
• TRG 5.10 latest - 2 (K8s version 1.23)

• TRG 5.11 Upgradeability PRERELEASE

Checks within TRG 5.11

• TRG 5.11 Based on the Helm test workflow, you must provide a GitHub action which takes the latest released helm chart, does an installation of it and then execute the upgrade to the current / new version.

TRG 6 Released Helm Chart

• TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• TRG 7.01 Legal Documentation chore: update code of conduct to latest version #226
• TRG 7.02 License and copyright header #187
• TRG 7.03 IP checks for project content
• TRG 7.04 IP checks for 3rd party content

Checks within TRG 7.04

• TRG 7.04 DEPENDENCIES file is up-to-date and reflects the current use of the 3rd party content
• TRG 7.04 all libraries listed there should have the status "approved"
• TRG 7.04 no libraries with status "rejected"
• TRG 7.04 for libraries with status "restricted", the according IP issues must be present (issue number in the source column)

• TRG 7.05 Legal information for distributions
• TRG 7.06 Legal information for end user content
• TRG 7.07 Legal notice for documentation
• TRG 7.08 Legal notice for KIT documentation (CC-BY-4.0)

Hints

Information Sharing

[matbmoser]

This TRG is missing: https://eclipse-tractusx.github.io/docs/release/trg-1/trg-1-4

[saudkhan116]

This TRG is missing: https://eclipse-tractusx.github.io/docs/release/trg-1/trg-1-4

Hi @matbmoser, its added now.

Thanks for highlighting it.

[matbmoser]

With the Version v2.1.1 we include all the requirements from the TRGs additionally this also was implemented: eclipse-tractusx/eclipse-tractusx.github.io#629

[matbmoser]

I will open this ticket so that it can be reviewed

[hzierer]

Thanks for all the preparatory work.

Can you please uncheck the 7.01 as the code of conduct file is outdated: #226

[matbmoser]

@hzierer thanks,

Good that you saw that, I thought that it did not changed respect to the previous release. Hope that is not the only thing we need to update.
We will merge your PR now 👍🏻

I added the PR next to the 7.01 if you find something more please let us know.

Thank you 💯

[matbmoser]

#231 was solved in release: https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v2.1.3

[matbmoser]

Charts updated here #235 to solve this issue #234

[matbmoser]

The latest charts we go are in v2.1.4

[hzierer]

almost everything good to go from System team side - one small issue with the documentation remains, which will be clarified tomorrow

[matbmoser]

Open discussion in issue: #236 to track progress.
Closing this ticket.