Automate Operator certification

.github/workflows/ci.yml

@@ -145,6 +145,9 @@ jobs:
           filters: |
             charts:
             - charts/nginx-gateway-fabric/**/*
+            rbac:
+            - operators/config/rbac/role.yaml
+            - charts/nginx-gateway-fabric/templates/clusterrole.yaml
 
       - name: Output Variables
         id: vars
@@ -164,6 +167,10 @@ jobs:
       - name: Check if all the generated files are up to date
         run: make generate-all && git diff --exit-code
 
+      - name: Verify Operator RBAC Synchronization
+        if: steps.filter.outputs.rbac == 'true'
+        run: ./operators/scripts/verify-rbac-sync.sh
+
   unit-tests:
     name: Unit Tests
     runs-on: ubuntu-24.04
@@ -460,6 +467,27 @@ jobs:
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  redhat-certification:
+    name: Submit images for RedHat certification
+    needs: [build-oss, build-operator]
+    if: ${{ inputs.is_production_release }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: ngf
+            tag: ${{ inputs.release_version }}
+          - image: nginx
+            tag: ${{ inputs.release_version }}
+          - image: operator
+            tag: ${{ inputs.operator_version }}
+    uses: ./.github/workflows/redhat-certification.yml
+    with:
+      image: ${{ matrix.image }}
+      tag: ${{ matrix.tag }}
+      dry_run: ${{ inputs.dry_run }}
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]

.github/workflows/operator-bundle-pr.yml

@@ -0,0 +1,104 @@
+name: Operator Bundle PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      operator-version:
+        description: "Operator version for bundle generation"
+        required: true
+        default: "0.0.0"
+      submit-to-redhat:
+        description: "Submit bundle to RedHat certified-operators repo"
+        required: false
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  bundle:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+
+      - name: Install operator-sdk
+        run: |
+          OPERATOR_SDK_VERSION=v1.42.0 # renovate: datasource=github-tags depName=operator-framework/operator-sdk
+          curl -sSLo /tmp/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${OPERATOR_SDK_VERSION}/operator-sdk_linux-amd64
+          chmod +x /tmp/operator-sdk
+          sudo mv /tmp/operator-sdk /usr/local/bin/operator-sdk
+
+      - name: Generate Bundle
+        working-directory: operators
+        run: |
+          make bundle-release
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Generate operator bundle for v${{ inputs.operator-version }}
+          title: Operator Bundle v${{ inputs.operator-version }}
+          draft: true
+          delete-branch: true
+          branch: operator/bundle-${{ inputs.operator-version }}
+          author: nginx-bot <integrations@nginx.com>
+          committer: nginx-bot <integrations@nginx.com>
+          body: |
+            This automated PR generates the operator bundle for v${{ inputs.operator-version }}.
+
+            ## What's Changed
+            - Updated NGF image versions in sample manifests using image digests
+            - Generated bundle manifests and metadata
+            - Updated ClusterServiceVersion with proper annotations and descriptors
+            - Added OpenShift compatibility annotations
+
+      - name: Checkout certified-operators repo
+        if: ${{ inputs.submit-to-redhat }}
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          token: ${{ secrets.NGINX_PAT }}
+          repository: nginx-bot/certified-operators
+          path: certified-operators
+
+      - name: Update certified-operators repo
+        if: ${{ inputs.submit-to-redhat }}
+        working-directory: certified-operators/operators/nginx-gateway-fabric-operator
+        run: |
+          mkdir v${{ inputs.operator-version }}
+          cp -R ../../../operators/bundle/manifests v${{ inputs.operator-version }}/
+          cp -R ../../../operators/bundle/metadata v${{ inputs.operator-version }}/
+
+      - name: Commit and push to certified-operators
+        if: ${{ inputs.submit-to-redhat }}
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
+        with:
+          commit_message: operator nginx-gateway-fabric-operator (v${{ inputs.operator-version }})
+          commit_author: nginx-bot <integrations@nginx.com>
+          commit_user_name: nginx-bot
+          commit_user_email: integrations@nginx.com
+          create_branch: true
+          branch: update-nginx-gateway-fabric-operator-to-v${{ inputs.operator-version }}
+          repository: certified-operators
+
+      - name: Create PR to RedHat certified-operators
+        if: ${{ inputs.submit-to-redhat }}
+        working-directory: certified-operators
+        run: |
+          gh pr create --title "operator nginx-gateway-fabric-operator (v${{ inputs.operator-version }})" --body "Update nginx-gateway-fabric-operator to v${{ inputs.operator-version }}" --head nginx-bot:update-nginx-gateway-fabric-operator-to-v${{ inputs.operator-version }} --base main --repo redhat-openshift-ecosystem/certified-operators
+        env:
+          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

.github/workflows/redhat-certification.yml

@@ -0,0 +1,78 @@
+name: RedHat Certification
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        description: "Image type to certify (ngf, nginx, operator)"
+        required: true
+        type: string
+      tag:
+        description: "Image tag to certify"
+        required: true
+        type: string
+      dry_run:
+        description: "Run preflight checks without submitting"
+        required: false
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  certify:
+    name: Submit ${{ inputs.image }} image for certification
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Set image reference
+        id: image
+        run: |
+          case "${{ inputs.image }}" in
+            ngf)
+              echo "ref=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric:${{ inputs.tag }}-ubi" >> $GITHUB_OUTPUT
+              ;;
+            nginx)
+              echo "ref=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx:${{ inputs.tag }}-ubi" >> $GITHUB_OUTPUT
+              ;;
+            operator)
+              echo "ref=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator:${{ inputs.tag }}" >> $GITHUB_OUTPUT
+              ;;
+            *)
+              echo "Error: Unknown image type: ${{ inputs.image }}"
+              exit 1
+              ;;
+          esac
+
+      - name: Set component ID environment variable
+        run: |
+          case "${{ inputs.image }}" in
+            ngf)
+              echo "COMPONENT_ID=${{ secrets.CERTIFICATION_COMPONENT_ID_NGF }}" >> $GITHUB_ENV
+              ;;
+            nginx)
+              echo "COMPONENT_ID=${{ secrets.CERTIFICATION_COMPONENT_ID_NGINX }}" >> $GITHUB_ENV
+              ;;
+            operator)
+              echo "COMPONENT_ID=${{ secrets.CERTIFICATION_COMPONENT_ID_OPERATOR }}" >> $GITHUB_ENV
+              ;;
+          esac
+
+      - name: Install preflight
+        run: |
+          PREFLIGHT_VERSION=1.14.1 # renovate: datasource=github-tags depName=redhat-openshift-ecosystem/openshift-preflight
+          curl -sSLo /tmp/preflight https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${PREFLIGHT_VERSION}/preflight-linux-amd64
+          chmod +x /tmp/preflight
+          sudo mv /tmp/preflight /usr/local/bin/preflight
+          preflight version
+
+      - name: Run preflight check${{ !inputs.dry_run && ' and submit' || '' }}
+        run: |
+          preflight check container ${{ steps.image.outputs.ref }} \
+            --pyxis-api-token="${{ secrets.PYXIS_API_TOKEN }}" \
+            --certification-component-id="${COMPONENT_ID}" \
+            ${{ !inputs.dry_run && '--submit' || '' }}

.github/workflows/release-pr.yml

@@ -7,6 +7,10 @@ on:
         description: "Version to release"
         required: true
         default: "0.0.0"
+      operator-version:
+        description: "Operator version to release"
+        required: true
+        default: "0.0.0"
 
 defaults:
   run:
@@ -55,6 +59,22 @@ jobs:
           include: "charts/nginx-gateway-fabric/*.yaml"
           regex: false
 
+      - name: Find and Replace
+        uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # 3.0.5
+        with:
+          find: "edge"
+          replace: ${{ inputs.operator-version }}
+          include: "operators/Dockerfile"
+          regex: false
+
+      - name: Find and Replace
+        uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # 3.0.5
+        with:
+          find: "VERSION ?= edge"
+          replace: "VERSION ?= ${{ inputs.operator-version }}"
+          include: "operators/Makefile"
+          regex: false
+
       - name: Find and Replace
         uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # 3.0.5
         with:

.yamllint.yaml

@@ -29,6 +29,7 @@ rules:
     check-multi-line-strings: true
     ignore: |
       operators/**/*
+      .github/workflows/redhat-certification.yml
   key-duplicates: enable
   key-ordering: disable
   line-length:

Makefile

@@ -165,7 +165,11 @@ generate-helm-schema: ## Generate the Helm chart schema
 	go run github.com/dadav/helm-schema/cmd/helm-schema@$(HELM_SCHEMA_VERSION) --chart-search-root=charts --add-schema-reference "--skip-auto-generation=required,additionalProperties" --append-newline
 
 .PHONY: generate-all
-generate-all: generate generate-crds generate-helm-schema generate-manifests generate-api-docs generate-helm-docs ## Generate all the necessary files
+generate-all: generate generate-crds generate-helm-schema generate-manifests generate-api-docs generate-helm-docs verify-operator-rbac ## Generate all the necessary files
+
+.PHONY: verify-operator-rbac
+verify-operator-rbac: ## Verify operator RBAC is in sync with Helm chart
+	@./operators/scripts/verify-rbac-sync.sh
 
 .PHONY: clean
 clean: ## Clean the build

docs/developer/release-process.md

@@ -69,22 +69,34 @@ To create a new release, follow these steps:
    - Build NGF, NGINX and NGINX Plus container images with the release tag `X.Y.Z` and push them to the registries.
    - Package and publish the Helm chart to the registry.
    - Create a GitHub release with an autogenerated changelog and attached release artifacts.
-7. Prepare and merge a PR into the main branch to update with similar information that you did in the release branch docs PR. Specifically:
+   - Automatically submit UBI images for RedHat certification: The NGF, NGINX, and Operator UBI images are automatically submitted to the RedHat Partner Portal for preflight certification.
+7. Operator Bundle Generation:
+   - You can generate and submit the operator bundle by running the [Operator Bundle PR workflow](https://github.com/nginx/nginx-gateway-fabric/actions/workflows/operator-bundle-pr.yml) with the following inputs:
+     - Set `operator-version` to the operator version (e.g., `1.0.1`, without the `v` prefix)
+     - Set `submit-to-redhat` to `true` if you want to automatically open a PR to the [RedHat certified-operators repository](https://github.com/redhat-openshift-ecosystem/certified-operators)
+   - This workflow will:
+     - Generate the operator bundle manifests using image digests
+     - Create a draft PR in the NGF repository with the bundle changes
+     - If `submit-to-redhat` is enabled, automatically fork and open a PR to the RedHat certified-operators repo
+   - Review and merge the internal bundle PR once approved
+   - Monitor the RedHat certified-operators PR for review feedback
+8. Prepare and merge a PR into the main branch to update with similar information that you did in the release branch docs and operator bundle PRs. Specifically:
     1. [README](/README.md) to include the information about the latest release.
     2. [changelog](/CHANGELOG.md).
     3. Helm chart `version` field.
     4. `GW_API_PREV_VERSION` in tests Makefile, if necessary.
     5. Any references in the docs to the previous release.
     6. Any installation instructions to ensure that the supported Gateway API and NGF versions are correct. Specifically, helm README.
-8. Prepare and merge a PR into the main branch of the [documentation repository](https://github.com/nginx/documentation) from the relevant release branch, such as `ngf-release-2.0`.
+    7. The operator bundle changes.
+9. Prepare and merge a PR into the main branch of the [documentation repository](https://github.com/nginx/documentation) from the relevant release branch, such as `ngf-release-2.0`.
    - In the NGF repo, run `make generate-api-docs` and copy the generated file from `docs/api/content.md` into the documentation repo to `content/ngf/reference/api.md`.
    - Update the HTML file located at `layouts/shortcodes/version-ngf.html` with the latest version. Ensure you do not add an empty line to the file.
    - Documentation is built and deployed automatically from `main`, and will trigger when merging to it.
    - Create a new branch for the next release version, in the format `ngf-release-<i>.<i>`, substituting the *i* placeholders for major and minor version numbers.
-9. Close the issue created in Step 1.
-10. Ensure that the [associated milestone](https://github.com/nginx/nginx-gateway-fabric/milestones) is closed.
-11. Verify that published artifacts in the release can be installed properly.
-12. Submit the `conformance-profile.yaml` artifact from the release to the [Gateway API repo](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports).
+10. Close the issue created in Step 1.
+11. Ensure that the [associated milestone](https://github.com/nginx/nginx-gateway-fabric/milestones) is closed.
+12. Verify that published artifacts in the release can be installed properly.
+13. Submit the `conformance-profile.yaml` artifact from the release to the [Gateway API repo](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports).
     - Create a fork of the repository
     - Name the file based on the requirements of the [README](https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/reports/README.md). Update the README in the ngf directory and update the site source if necessary (see following example).
     - Open a PR. [Example](https://github.com/kubernetes-sigs/gateway-api/pull/3149)
@@ -105,5 +117,5 @@ To create a new release, follow these steps:
    branch.
 4. Test the release branch for release-readiness.
 5. If a problem is found, return to Step 2.
-6. Follow Steps 5-7 from the [Major or Minor Release](#major-or-minor-release) section.
+6. Follow Steps 5-8 from the [Major or Minor Release](#major-or-minor-release) section.
 7. Prepare and merge a PR into the main branch of the [documentation repository](https://github.com/nginx/documentation) to update the NGF version in `layouts/shortcodes/version-ngf.html`. If any of our APIs have changed, in the NGF repo, run `make generate-api-docs` and copy the generated file from `docs/api/content.md` into the documentation repo to `content/ngf/reference/api.md`.

operators/Dockerfile

@@ -10,7 +10,7 @@ COPY LICENSE /licenses/LICENSE
 LABEL name="nginx-gateway-fabric-operator" \
       maintainer="kubernetes@nginx.com" \
       vendor="F5 NGINX" \
-      version="1.0.0" \
+      version="edge" \
       release="1" \
       summary="NGINX Gateway Fabric Operator" \
       description="Helm-based operator for NGINX Gateway Fabric"

operators/Makefile

@@ -1,6 +1,6 @@
 # VERSION defines the project version for the bundle.
 # Update this value when you upgrade the version of the operator.
-VERSION ?= 1.0.1
+VERSION ?= edge
 
 # renovate: datasource=github-tags depName=operator-framework/operator-sdk
 OPERATOR_SDK_VERSION ?= v1.42.0
@@ -41,6 +41,10 @@ all: docker-build
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.PHONY: verify-rbac
+verify-rbac: ## Verify operator RBAC includes all Helm chart permissions.
+	@./scripts/verify-rbac-sync.sh
+
 ##@ Build
 
 .PHONY: run
@@ -140,7 +144,7 @@ endif
 endif
 
 .PHONY: bundle
-bundle: kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
+bundle: verify-rbac kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)