Boilerplate: Update to 309c34dc461b882681142051706cc3d5b5af5f8b

Conventions: - openshift/golang-osd-operator: Update --- openshift/boilerplate@25bf147...309c34d commit: 5f1d9a464728641d0c5ea1828fed7b5b2361c99f author: Arjun Naik Small improvements to make it easier to run csv-generate test locally Signed-off-by: Arjun Naik <anaik@redhat.com> commit: b926c8703e255748b632d0dabdb061f439b581d4 author: Arjun Naik Updated the hack generation script Signed-off-by: Arjun Naik <anaik@redhat.com> commit: 639160e9a92475f0a446c44aff3ad202d935e83e author: Arjun Naik Updated test case for CSV generation Signed-off-by: Arjun Naik <anaik@redhat.com> commit: 1dc94f0588ad8177e8804a8adf3bed94333453ec author: Arjun Naik Use trim_index and add default namespace for rolebinding subject SA Signed-off-by: Arjun Naik <anaik@redhat.com> commit: 2c6032115302c4449b8843b076a59d0cf2d25fa9 author: Arjun Naik Add roles into CSV permissions Signed-off-by: Arjun Naik <anaik@redhat.com> commit: a9321bb73ef42b9e30d3ec7673ddc1b7f3c99876 author: Eric Fried csv-generate: Use the project's major.minor Finishes resolving a [TODO](openshift/boilerplate@8e99ebe#diff-424ddf34b68cef0633f4520f756a919d70a24880b5ab931d3cd85d17f8659b5fL93-R110) whereby the csv generator scripts were hardcoding the operator's major.minor version to 0.1. With this commit, common-generate-operator-bundle.py no longer accepts separate arguments for commit number or hash to construct the `{major}.{minor}.{commit-count}-{commit-hash}`. It now accepts `-V operator-version` where `operator-version` is already in that form. commit: b707cd183bce5fbe1281109cdbf211c607d054f8 author: Eric Fried Generate operator bundle generically and inclusively This is an almost-total rewrite of the common operator bundle generator script to accommodate variations in boilerplate consumers. Before: The script looked for specific files by name. This wasn't a big deal as long as consumers had the right corresponding file they could simply rename. However, it would blow up if those files weren't present or didn't contain exactly what was expected; or (importantly) if more than one file of that kind was needed. After: The script processes all yaml documents under the deploy/ subdirectory, regardless of filename, including cases where multiple yaml documents exist in a single file, and processes them based on their Kind. The following are treated specially: - CustomResourceDefinitions: These are registered as "owned" in the CSV. Otherwise they are copied into the bundle directory as usual. - ClusterRoles: These are folded into the CSV's `clusterPermissions` and *not* copied into the bundle directory. - ClusterRoleBindings: These are only used to discover the appropriate `serviceAccountName` for their corresponding ClusterRoles. They are not copied into the bundle directory. If any ClusterRoleBindings are "left over" at the end (not used to find a ServiceAccount), an error is raised. - Deployment: We explicitly validate that there is exactly one of these. We fold the contents into the CSV's `deployments`. The Deployment is *not* copied to the bundle directory. - ServiceAccounts: These are *ignored*, as we assume they correspond exactly to those listed in ClusterRoleBindings or the Deployment's Pod spec. TODO:s - The CSV [schema](https://docs.openshift.com/container-platform/4.5/rest_api/operatorhub_apis/clusterserviceversion-operators-coreos-com-v1alpha1.html) appears to support Role[Binding]s in a manner similar to ClusterRole[Binding]s. Assuming OLM supports that, we should use it. For now, this commit treats Role[Binding]s as generic resources and simply copies them into the bundle, as consumers appeared to be doing. - We should validate ServiceAccounts to make sure they correspond to [Cluster]RoleBindings or Pod specs in the Deployment, and error if any are "left over". commit: bfcccf9262c7f9cd1fa7b9c0676a03fe476a579c author: James Harrington Removed to pass tests commit: fa055ee00a16f0f25aba8542b4c441be161ce8cb author: James Harrington Include package.yaml in OLM bundle commit: 32fa7dc294da442d1333551c5554652095c3306c author: Eric Fried golang-osd-operator: Pull operator image by digest This commit tweaks the common CSV generator logic such that the operator image is referenced by digest (`{registry}/{repo}/{operator}@sha256:{digest}`) rather than by tag (`{registry}/{repo}/{operator}:v{major}.{minor}.{count}-{commit-sha}`). **NOTE:** This does not affect how the catalog image is pulled. That requires changes in the app-interface saas file and the consuming repository's OLM template. commit: 4bba942de7a8d389a46f606c798a512c0f903d9b author: Eric Fried golang-osd-operator: Enable app-sre build and deploy This commit adds the top-level script to perform the end-to-end app-sre build and deploy sequence, and enables it by default for consumers via the `build-push` make target. It also enables (and documents) local testing of this sequence without changing code. commit: dec995b5d0a456d48898807f617580ec3c54d079 author: Eric Fried Enable selecting test cases With this commit, you can use a `CASE_GLOB` variable to restrict which tests are run by `make test` (aka `make pr-check`). The value of `CASE_GLOB` is passed to `find ... -name`, so may be anything that will accept. For example, to run just the test case named `06-csv-generate`, you can run: ``` make CASE_GLOB=06-csv-generate test ``` This also works via `container-make`, which can be convenient for debugging CI failures: ``` ./boilerplate/_lib/container-make CASE_GLOB=06-csv-generate pr-check ``` commit: 8e99ebe14d1c7c547c9de3fa5d94e876fd674f8d author: Eric Fried golang-osd-operator: Pull operator image by digest This commit tweaks the common CSV generator logic such that the operator image is referenced by digest (`{registry}/{repo}/{operator}@sha256:{digest}`) rather than by tag (`{registry}/{repo}/{operator}:v{major}.{minor}.{count}-{commit-sha}`). **NOTE:** This does not affect how the catalog image is pulled. That requires changes in the app-interface saas file and the consuming repository's OLM template. commit: aeca64eaa1fee9b69d0797e7d8bf06f792a907b8 author: Eric Fried golang-osd-operator: Enable app-sre build and deploy This commit adds the top-level script to perform the end-to-end app-sre build and deploy sequence, and enables it by default for consumers via the `build-push` make target. It also enables (and documents) local testing of this sequence without changing code. commit: c937d6ab7756ea4f287ae828cd21dbd0e5415f20 author: Eric Fried Enable container-make in boilerplate itself Previously in order for `container-make` to function in the boilerplate repository itself, you had to set the `LATEST_IMAGE_TAG` environment variable manually. With this commit, if it's unset and we're in boilerplate, we discover it from git. commit: 05f546cc7e24911477b504df585f63dbd53445ba author: Eric Fried Document subscribers Add documentation for the `subscribers.yaml` file and the `subscriber` utility. commit: 10166fa7731ab847c291a85e78b4f0318f52a0b2 author: Benjamin Dematteo Fixing the bad variable used for calling the generate scripts commit: 0813021e913229a7f0c62a4f86c3a0814b627bc7 author: James Harrington Erroneous additional parameter specified commit: d7c8056d99bade30bed6fdc4d376ce979bfa8558 author: Eric Fried Pin yq to 3.4.1 in csv-generate.sh See openshift/osd-metrics-exporter#43 for details. commit: cf31f7abe2964e70b6fdef249ac984822bce0cef author: Eric Fried image-v0.5.1: registry.svc.ci.openshift.org is dead We need to build our image `FROM registry.ci.openshift.org` now, since `registry.svc.ci.openshift.org` has been decommissioned. image-v0.5.0 will never build and is therefore unusable. commit: 96415a636afa0e304dbdab60318fd4f9e2bbc825 author: Manuel Dewald add operator-sdk v1.2.0 commit: 19951d141e1c7a2b371a5ec34784e7005c073345 author: Eric Fried image-v0.5.0: more go helpers Add the following to the backing image: - controller-gen - kustomize - go-bindata commit: 262eaba2a0a13e3220e7586b5b9cd6b9be733d6e author: Rafa Porres Molina Do not evaluate main with an or conditional Not only it is not needed, it can deactivate the effect of set -e Signed-off-by: Rafa Porres Molina <rporresm@redhat.com> commit: a8324a4e572ba4568cd92d5b69c9c74d11cdce8b author: Eric Fried Fix container-make for openapi-gen `openapi-gen` is really picky about how `GOPATH` is set with respect to the path to the repo clone it's working on. And CI is really picky about where things like `go mod download` are allowed to write. With this change, we make sure the path inside `container-make`'s container gels with `GOPATH` so `openapi-gen` works as expected. Co-Authored-By: Kirk Bater <kbater@redhat.com> commit: f700776ea385de430a71398ee3e05c5304a2e502 author: Kirk Bater Adds extra debug output to isclean commit: d6e0c61cf1cba062b0ae9281adbdbf4bbf6c954b author: Benjamin Dematteo Removing explicit call to python3 commit: 048e344dd49f9fb8070808b404721c75ddfd0f72 author: Manuel Dewald Allow configuration of MAINPACKAGE and TESTTARGETS * Consuming operators may want to have a different set of TESTTARGETS * MAINPACKAGE differs for operator-sdk v1, allowing to override it will help onboarding operators on operator-sdk v1 commit: 9ac2810dcaf56eaacd9e3cc2d076961ca49ab212 author: Benjamin Dematteo Integrating comments from MR review commit: 60959312e1f456a47968bc8cc5839ee3435e6cdd author: Eric Fried golang-osd-operator: Cap concurrency for codecov Some consumers were regularly having their coverage CI pods OOM-killed. Experimenting with the prow configuration, we found we needed to set the memory limits unreasonably high to make it work. By default, cover tool runs with a number of threads equal to the detected number of CPUs. In the CI environment at this time, that appears to be 16. With this commit, we cap it at 4, which brings the memory usage down to a manageable level without unduly affecting the runtime of the job. commit: 5cf48e3eb539b9c26d8ae4999758f790175a28da author: Benjamin Dematteo Fixing tests commit: f5a20e2644ff854ff42ff7881d1e8788878d48d6 author: Benjamin Dematteo First commit for the bundle-generate commit: b86c5e0dcd7a2f664a55236dc42de87658814d4c author: Eric Fried Update subscribers The following have been onboarded and are marked as such: - aws-account-operator - aws-efs-operator - managed-upgrade-operator commit: 3dd1657739fe1ab4604f25bd5b777c8a66e9dd4c author: Rafa Porres Molina Add dry run mode to test to avoid pushes Signed-off-by: Rafa Porres Molina <rporresm@redhat.com> commit: ed0062e80fd0d826b303e87632eca0dba88f81ed author: Rafa Porres Molina Add missing push in git operations This was left behind in the refactoring made in #104 Signed-off-by: Rafa Porres Molina <rporresm@redhat.com> commit: dce934aab89c2a423ebc848c0621ecf1e6df52e6 author: Eric Fried Improvements to container-make - Run the container as self. Previously it was running as root, which had some unintended consequences, including leaving root-owned files in your repo. - If the target fails, stay in the container so you can debug. - Prints a usage statement if invoked with -h/--help.
openshift · Apr 14, 2021 · 7af57ce · 7af57ce
1 parent 6142ca3
commit 7af57ce
Show file tree

Hide file tree

Showing 19 changed files with 995 additions and 21 deletions.
diff --git a/.ci-operator.yaml b/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
   name: boilerplate
   namespace: openshift
-  tag: image-v0.4.0
+  tag: image-v0.5.1
diff --git a/boilerplate/_data/backing-image-tag b/boilerplate/_data/backing-image-tag
@@ -1 +1 @@
-image-v0.4.0
+image-v0.5.1
diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit
@@ -1 +1 @@
-25bf1477435cc1d54ed1a0dff1c1f16405144db3
+309c34dc461b882681142051706cc3d5b5af5f8b
diff --git a/boilerplate/_lib/common.sh b/boilerplate/_lib/common.sh
@@ -42,11 +42,26 @@ grpcurl_version() {
     $grpcurl -version 2>&1 | cut -d " " -f 2
 }
 
+## repo_import REPODIR
+#
+# Print the qualified org/name of the current repository, e.g.
+# "openshift/wizbang-foo-operator". This relies on git remotes being set
+# reasonably.
 repo_name() {
+    # Just strip off the first component of the import-ish path
+    repo_import $1 | sed 's,^[^/]*/,,'
+}
+
+## repo_import REPODIR
+#
+# Print the go import-ish path to the current repository, e.g.
+# "github.com/openshift/wizbang-foo-operator". This relies on git
+# remotes being set reasonably.
+repo_import() {
     # Account for remotes which are
     # - upstream or origin
     # - ssh ("git@host.com:org/name.git") or https ("https://host.com/org/name.git")
-    (git -C $1 config --get remote.upstream.url || git -C $1 config --get remote.origin.url) | sed 's,git@[^:]*:,,; s,https://[^/]*/,,; s/\.git$//'
+    (git -C $1 config --get remote.upstream.url || git -C $1 config --get remote.origin.url) | sed 's,git@\([^:]*\):,\1/,; s,https://,,; s/\.git$//'
 }
 
 ## current_branch REPO
@@ -59,6 +74,56 @@ current_branch() {
     )
 }
 
+## image_exits_in_repo IMAGE_URI
+#
+# Checks whether IMAGE_URI -- e.g. quay.io/app-sre/osd-metrics-exporter:abcd123
+# -- exists in the remote repository.
+# If so, returns success.
+# If the image does not exist, but the query was otherwise successful, returns
+# failure.
+# If the query fails for any reason, prints an error and *exits* nonzero.
+image_exists_in_repo() {
+    local image_uri=$1
+    local output
+
+    output=$(skopeo inspect docker://${image_uri} 2>&1)
+    if [[ $? -eq 0 ]]; then
+        # The image exists. Sanity check the output.
+        local digest=$(echo $output | jq -r .Digest)
+        if [[ -z "$digest" ]]; then
+            echo "Unexpected error: skopeo inspect succeeded, but output contained no .Digest"
+            echo "Here's the output:"
+            echo "$output"
+            exit 1
+        fi
+        echo "Image ${image_uri} exists with digest $digest."
+        return 0
+    elif [[ "$output" == *"manifest unknown"* ]]; then
+        # We were able to talk to the repository, but the tag doesn't exist.
+        # This is the normal "green field" case.
+        echo "Image ${image_uri} does not exist in the repository."
+        return 1
+    elif [[ "$output" == *"was deleted or has expired"* ]]; then
+        # This should be rare, but accounts for cases where we had to
+        # manually delete an image.
+        echo "Image ${image_uri} was deleted from the repository."
+        echo "Proceeding as if it never existed."
+        return 1
+    else
+        # Any other error. For example:
+        #   - "unauthorized: access to the requested resource is not
+        #     authorized". This happens not just on auth errors, but if we
+        #     reference a repository that doesn't exist.
+        #   - "no such host".
+        #   - Network or other infrastructure failures.
+        # In all these cases, we want to bail, because we don't know whether
+        # the image exists (and we'd likely fail to push it anyway).
+        echo "Error querying the repository for ${image_uri}:"
+        echo "$output"
+        exit 1
+    fi
+}
+
 if [ "$BOILERPLATE_SET_X" ]; then
   set -x
 fi
@@ -99,11 +164,17 @@ fi
 # The namespace of the ImageStream by which prow will import the image.
 IMAGE_NAMESPACE=openshift
 IMAGE_NAME=boilerplate
-# LATEST_IMAGE_TAG may be set by `update`, in which case that's the
-# value we want to use.
-# Accommodate older consumers who don't have backing-image-tag yet.
-if [[ -z "$LATEST_IMAGE_TAG" ]] && [[ -f ${CONVENTION_ROOT}/_data/backing-image-tag ]]; then
-    LATEST_IMAGE_TAG=$(cat ${CONVENTION_ROOT}/_data/backing-image-tag)
+# LATEST_IMAGE_TAG may be set manually or by `update`, in which case
+# that's the value we want to use.
+if [[ -z "$LATEST_IMAGE_TAG" ]]; then
+    # (Non-ancient) consumers will have the tag in this file.
+    if [[ -f ${CONVENTION_ROOT}/_data/backing-image-tag ]]; then
+        LATEST_IMAGE_TAG=$(cat ${CONVENTION_ROOT}/_data/backing-image-tag)
+
+    # In boilerplate itself, we can discover the latest from git.
+    elif [[ $(repo_name .) == openshift/boilerplate ]]; then
+        LATEST_IMAGE_TAG=$(git describe --tags --abbrev=0 --match image-v*)
+    fi
 fi
 # The public image location
 IMAGE_PULL_PATH=quay.io/app-sre/$IMAGE_NAME:$LATEST_IMAGE_TAG
diff --git a/boilerplate/_lib/container-make b/boilerplate/_lib/container-make
@@ -1,10 +1,41 @@
-#!/bin/bash
+#!/bin/bash -x
+
+if [[ "$1" == "-h"* ]] || [[ "$1" == "--h"* ]]; then
+  echo "Usage: $0 {arguments to the real 'make'}"
+  echo "Runs 'make' in the boilerplate backing container."
+  echo "If the command fails, starts a shell in the container so you can debug."
+  exit -1
+fi
 
 source ${0%/*}/common.sh
 
 CONTAINER_ENGINE=$(command -v podman || command -v docker)
 [[ -n "$CONTAINER_ENGINE" ]] || err "Couldn't find a container engine. Are you already in a container?"
 
-# echo this regardless of BOILERPLATE_SET_X
-set -x
-$CONTAINER_ENGINE run --rm -v "$REPO_ROOT":"$REPO_ROOT" $IMAGE_PULL_PATH /bin/sh -c "cd $REPO_ROOT; make $@"
+# Make sure the mount inside the container is named in such a way that
+# - openapi-gen (which relies on GOPATH) produces absolute paths; and
+# - other go-ish paths are writeable, e.g. for `go mod download`.
+CONTAINER_MOUNT=/go/src/$(repo_import $REPO_ROOT)
+
+# First set up a detached container with the repo mounted.
+banner "Starting the container"
+container_id=$($CONTAINER_ENGINE run -d -v "$REPO_ROOT":"$CONTAINER_MOUNT" $IMAGE_PULL_PATH tail -f /dev/null)
+if [[ $? -ne 0 ]] || [[ -z "$container_id" ]]; then
+  err "Couldn't start detached container"
+fi
+
+# Now run our `make` command in it with the right UID and working directory
+args="exec -it -u $(id -u):0 -w $CONTAINER_MOUNT $container_id"
+banner "Running: make $@"
+$CONTAINER_ENGINE $args make "$@"
+rc=$?
+
+# If it failed, drop into the container in a shell
+if [[ $rc -ne 0 ]]; then
+  banner "The 'make' command failed! Starting a shell in the container for debugging. Just 'exit' when done."
+  $CONTAINER_ENGINE $args /bin/bash
+fi
+
+# Finally, remove the container
+banner "Cleaning up the container"
+$CONTAINER_ENGINE rm -f $container_id >/dev/null
diff --git a/boilerplate/generated-includes.mk b/boilerplate/generated-includes.mk
@@ -2,5 +2,6 @@
 # This file automatically includes any *.mk files in your subscribed
 # conventions. Please ensure your base Makefile includes only this file.
 include boilerplate/_lib/boilerplate.mk
+include boilerplate/openshift/golang-osd-operator/csv-generate/csv-generate.mk
 include boilerplate/openshift/golang-osd-operator/project.mk
 include boilerplate/openshift/golang-osd-operator/standard.mk
diff --git a/boilerplate/openshift/golang-osd-operator/README.md b/boilerplate/openshift/golang-osd-operator/README.md
@@ -1,5 +1,14 @@
 # Conventions for OSD operators written in Go
 
+- [Conventions for OSD operators written in Go](#conventions-for-osd-operators-written-in-go)
+  - [`make` targets and functions.](#make-targets-and-functions)
+    - [Prow](#prow)
+      - [Local Testing](#local-testing)
+    - [app-sre](#app-sre)
+  - [Code coverage](#code-coverage)
+  - [Linting and other static analysis with `golangci-lint`](#linting-and-other-static-analysis-with-golangci-lint)
+  - [Checks on generated code](#checks-on-generated-code)
+
 This convention is suitable for both cluster- and hive-deployed operators.
 
 The following components are included:
@@ -44,10 +53,23 @@ This will generate a delta configuring prow to:
 - Run the `coverage` target in a postsubmit. This is the step that
   updates your coverage report in codecov.io.
 
+#### Local Testing
+You can run these `make` targets locally during development to test your
+code changes. However, differences in platforms and environments may
+lead to unpredictable results. Therefore boilerplate provides a utility
+to run targets in a container environment that is designed to be as
+similar as possible to CI:
+
+```shell
+$ ./boilerplate/_lib/container-make {target}
+```
+
 ### app-sre
 
 The `build-push` target builds and pushes the operator and OLM registry images,
 ready to be SaaS-deployed.
+By default it is configured to be run from the app-sre jenkins pipelines.
+Consult [this doc](app-sre.md) for information on local execution/testing.
 
 ## Code coverage
 - A `codecov.sh` script, referenced by the `coverage` `make` target, to
@@ -95,5 +117,3 @@ Checks consist of:
 * `openapi-gen`. This is a no-op if your operator has no APIs.
 * `go generate`. This is a no-op if you have no `//go:generate`
   directives in your code.
-
-## More coming soon
diff --git a/boilerplate/openshift/golang-osd-operator/app-sre-build-deploy.sh b/boilerplate/openshift/golang-osd-operator/app-sre-build-deploy.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -ev
+
+usage() {
+    echo "$0 OPERATOR_IMAGE_URI REGISTRY_IMAGE CURRENT_COMMIT"
+    exit -1
+}
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+source $REPO_ROOT/boilerplate/_lib/common.sh
+
+[[ $# -eq 3 ]] || usage
+
+OPERATOR_IMAGE_URI=$1
+REGISTRY_IMAGE=$2
+CURRENT_COMMIT=$3
+
+# Don't rebuild the image if it already exists in the repository
+if image_exists_in_repo "${OPERATOR_IMAGE_URI}"; then
+    echo "Skipping operator image build/push"
+else
+    # build and push the operator image
+    make docker-push
+fi
+
+for channel in staging production; do
+    # If the catalog image already exists, short out
+    if image_exists_in_repo "${REGISTRY_IMAGE}:${channel}-${CURRENT_COMMIT}"; then
+        echo "Catalog image ${REGISTRY_IMAGE}:${channel}-${CURRENT_COMMIT} already "
+        echo "exists. Assuming this means the saas bundle work has also been done "
+        echo "properly. Nothing to do!"
+    else
+        # build the CSV and create & push image catalog for the appropriate channel
+        make ${channel}-common-csv-build ${channel}-catalog-build ${channel}-catalog-publish
+    fi
+done
diff --git a/boilerplate/openshift/golang-osd-operator/app-sre.md b/boilerplate/openshift/golang-osd-operator/app-sre.md
@@ -0,0 +1,71 @@
+# Testing APP-SRE Scripts Locally
+
+- [Testing APP-SRE Scripts Locally](#testing-app-sre-scripts-locally)
+  - [Create image repositories](#create-image-repositories)
+  - [Fork the SaaS bundle repository](#fork-the-saas-bundle-repository)
+  - [Set environment variables](#set-environment-variables)
+  - [Execute](#execute)
+
+Local testing of APP-SRE pipelines requires the following setup:
+
+## Create image repositories
+In your image registry*, create two repositories in your personal namespace.
+Make sure they are **public**.
+1. For the operator image, name the repository the same as the operator, e.g. `deadmanssnitch-operator`.
+2. For the catalog image, append `-registry` to the operator name, e.g. `deadamnssnitch-operator-registry`.
+
+*We assume you are using quay.io.
+If not, you will need to set the `IMAGE_REGISTRY` environment variable (see [below](#set-environment-variables)).
+
+## Fork the SaaS bundle repository
+The SaaS bundle repository for `$OPERATOR_NAME` should be located at `https://gitlab.cee.redhat.com/service/saas-{operator}-bundle`, e.g. https://gitlab.cee.redhat.com/service/saas-deadmanssnitch-operator-bundle.
+Fork it to your personal namespace.
+
+## Set environment variables
+```bash
+# The process creates artifacts in your git clone. Some of the make targets
+# will bounce when the repository is not clean. Override this behavior:
+export ALLOW_DIRTY_CHECKOUT=true
+
+# If you are using an image registry other than quay.io, configure it thus:
+# export IMAGE_REGISTRY=docker.io
+
+# Your personal repository space in the image registry.
+export IMAGE_REPOSITORY=2uasimojo
+
+# These are used to authenticate to your personal image registry.
+# E.g. for quay.io, generate these values via
+#    Account Settings => Generate Encrypted Password.
+export REGISTRY_USER=<your registry username>
+export REGISTRY_TOKEN=<token obtained from the registry>
+# FIXME: we shouldn't need both REGISTRY_* and QUAY_*
+export QUAY_USER=$REGISTRY_USER
+export QUAY_TOKEN=$REGISTRY_TOKEN
+
+# Tell the scripts where to find your fork of the SaaS bundle repository.
+# Except for the authentication part, this should correspond to what you see in the
+# https "clone" button in your fork.
+# Generate an access token via Settings => Access Tokens. Enable `write_repository`.
+# - {gitlab-user} is your username in gitlab
+# - {gitlab-token} is the authentication token you generated above
+# - {operator} is the name of the consumer repository, e.g. `deadmanssnitch-operator`
+export GIT_PATH=https://{gitlab-user}:{gitlab-token}@gitlab.cee.redhat.com/{gitlab-user}/saas-{operator}-bundle.git
+```
+
+## Execute
+At this point you should be able to run
+```
+make build-push
+```
+
+This will create the following artifacts if it succeeds
+(`{hash}` is the 7-digit SHA of the current git commit in the repository under test):
+- Operator image in your personal operator repository, tagged `v{major}.{minor}.{commit-count}-{hash}` (e.g. `v0.1.228-e0b6129`) and `latest`
+- Two catalog images in your personal registry repository:
+  - One image tagged `staging-{hash}` and `staging-latest`
+  - The other tagged `production-{hash}` and `production-latest`
+- Two commits in your fork of the SaaS bundle repository:
+  - One in the `staging` branch
+  - The other in the `production` branch
+  These are also present locally in a `saas-{operator-name}-bundle` subdirectory of your operator repository clone.
+  You can inspect the artifacts therein to make sure e.g. the CSV was generated correctly.
diff --git a/boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh b/boilerplate/openshift/golang-osd-operator/build-opm-catalog.sh
@@ -286,6 +286,9 @@ function add_current_version_to_bundle_versions_file() {
 
     git commit -m "$message"
 
+    log "Pushing the repository changes to $OLM_BUNDLE_VERSIONS_REPO into $OLM_BUNDLE_VERSIONS_REPO_BRANCH branch"
+    [[ "$DRY_RUN" == "false" ]] && git push origin "$OLM_BUNDLE_VERSIONS_REPO_BRANCH"
+
     cd "$current_directory"
 }
 
@@ -376,5 +379,5 @@ function main() {
 
 # Main
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
-  main || exit 1
+  main
 fi
diff --git a/boilerplate/openshift/golang-osd-operator/codecov.sh b/boilerplate/openshift/golang-osd-operator/codecov.sh
@@ -9,7 +9,12 @@ CI_SERVER_URL=https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test
 COVER_PROFILE=${COVER_PROFILE:-coverage.out}
 JOB_TYPE=${JOB_TYPE:-"local"}
 
-make -C "${REPO_ROOT}" go-test TESTOPTS="-coverprofile=${COVER_PROFILE}.tmp -covermode=atomic -coverpkg=./..."
+# Default concurrency to four threads. By default it's the number of procs,
+# which seems to be 16 in the CI env. Some consumers' coverage jobs were
+# regularly getting OOM-killed; so do this rather than boost the pod resources
+# unreasonably.
+COV_THREAD_COUNT=${COV_THREAD_COUNT:-4}
+make -C "${REPO_ROOT}" go-test TESTOPTS="-coverprofile=${COVER_PROFILE}.tmp -covermode=atomic -coverpkg=./... -p ${COV_THREAD_COUNT}"
 
 # Remove generated files from coverage profile
 grep -v "zz_generated" "${COVER_PROFILE}.tmp" > "${COVER_PROFILE}"