From 987a0bc60ab3a365805e055e379829739880484b Mon Sep 17 00:00:00 2001 From: ybeder Date: Thu, 14 May 2026 13:41:03 +0000 Subject: [PATCH 1/8] mirror-gui: add catalog-sync ci-operator variant and daily promotion Add openshift-mirror-gui-main__catalog-sync variant building mirror-gui-catalog-sync with Docker build-arg SYNC_CATALOGS=true for fresh operator catalog metadata. Regenerate presubmit/postsubmit jobs for the variant. Add a hand-maintained periodic promotion job (prowgen does not emit it); re-copy after prowgen. The default mirror-gui image tag is unchanged; the synced image is promoted as ocp/5.0:mirror-gui-catalog-sync to satisfy ci-operator duplicate-promotion checks. Co-authored-by: Cursor --- ...enshift-mirror-gui-main__catalog-sync.yaml | 58 ++++ .../openshift-mirror-gui-main-periodics.yaml | 67 ++++ ...openshift-mirror-gui-main-postsubmits.yaml | 63 ++++ .../openshift-mirror-gui-main-presubmits.yaml | 327 ++++++++++++++++++ 4 files changed, 515 insertions(+) create mode 100644 ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml create mode 100644 ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml diff --git a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml new file mode 100644 index 0000000000000..21d2753700780 --- /dev/null +++ b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml 
@@ -0,0 +1,58 @@
+build_root:
+ project_image:
+ dockerfile_path: .ci-operator/build-root/Dockerfile
+images:
+ items:
+ - build_args:
+ - name: SYNC_CATALOGS
+ value: "true"
+ dockerfile_path: Dockerfile
+ to: mirror-gui-catalog-sync
+promotion:
+ to:
+ - name: "5.0"
+ namespace: ocp
+releases:
+ initial:
+ integration:
+ name: "5.0"
+ namespace: ocp
+ latest:
+ integration:
+ include_built_images: true
+ name: "5.0"
+ namespace: ocp
+resources:
+ '*':
+ limits:
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+test_binary_build_commands: npm ci && npm run build
+tests:
+- as: lint
+ commands: npm run lint
+ container:
+ from: test-bin
+ skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$
+- as: unit
+ commands: npm run test
+ container:
+ from: test-bin
+ skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$
+- as: audit-catalog
+ commands: npx vitest run tests/scripts/auditFetchCatalogs.test.ts
+ container:
+ from: test-bin
+ skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$
+- as: catalog-integrity
+ commands: npx vitest run tests/scripts/catalogDataIntegrity.test.ts
+ container:
+ from: test-bin
+ skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$
+zz_generated_metadata:
+ branch: main
+ org: openshift
+ repo: mirror-gui
+ variant: catalog-sync
diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml
new file mode 100644
index 0000000000000..be2ee64a7a605
--- /dev/null
+++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml
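Review bot: The four `tests:` entries (`lint`, `unit`, `audit-catalog`, `catalog-integrity`) all run `from: test-bin`, which ci-operator builds from `test_binary_build_commands` rather than from the `Dockerfile` that receives `SYNC_CATALOGS=true`, so in this variant they do not appear to exercise anything the build arg changes. The image that `promotion.to` publishes into `ocp`/`"5.0"` therefore carries catalog data fetched at build time that no test in this config inspects. Either drop `test_binary_build_commands` and the `tests:` stanza from the variant, or add a test with `from: mirror-gui-catalog-sync` that checks the synced catalog data before promotion.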
@@ -0,0 +1,67 @@
+periodics:
+- agent: kubernetes
+ cluster: build03
+ cron: 0 2 * * *
+ decorate: true
+ decoration_config:
+ sparse_checkout_files:
+ - Dockerfile
+ extra_refs:
+ - base_ref: main
+ org: openshift
+ repo: mirror-gui
+ sparse_checkout_files:
+ - Dockerfile
+ labels:
+ ci-operator.openshift.io/is-promotion: "true"
+ ci-operator.openshift.io/variant: catalog-sync
+ max_concurrency: 1
+ name: periodic-ci-openshift-mirror-gui-main-catalog-sync-images
+ spec:
+ containers:
+ - args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson
+ - --promote
+ - --report-credentials-file=/etc/report/credentials
+ - --target=[images]
+ - --variant=catalog-sync
+ command:
+ - ci-operator
+ image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /secrets/manifest-tool
+ name: manifest-tool-local-pusher
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/push-secret
+ name: push-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+ serviceAccountName: ci-operator
+ volumes:
+ - name: manifest-tool-local-pusher
+ secret:
+ secretName: manifest-tool-local-pusher
+ - name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+ - name: push-secret
+ secret:
+ secretName: registry-push-credentials-ci-central
+ - name: result-aggregator
+ secret:
+ secretName: result-aggregator
diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml
index 241f9a9768762..29630afe7e9d3 100644
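Review bot: Nothing in this new file records that it is hand-maintained, although the commit message says prowgen does not emit the job and that it must be re-copied after prowgen runs. The job runs `--promote` with `registry-push-credentials-ci-central` mounted, so whoever next regenerates jobs needs to see that this file is written by hand. Add a header comment above `periodics:`, for example `# Hand-maintained: prowgen does not emit this promotion periodic; restore it after regenerating jobs.`, and a short comment on `cron: 0 2 * * *` stating the intended daily schedule.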
--- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml @@ -1,5 +1,68 @@ postsubmits: openshift/mirror-gui: + - agent: kubernetes + always_run: true + branches: + - ^main$ + cluster: build03 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/is-promotion: "true" + ci-operator.openshift.io/variant: catalog-sync + ci.openshift.io/generator: prowgen + max_concurrency: 1 + name: branch-ci-openshift-mirror-gui-main-catalog-sync-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson + - --promote + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=catalog-sync + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/push-secret + name: push-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: push-secret + secret: + secretName: registry-push-credentials-ci-central + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes always_run: true branches: 
diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml index 0ab2627dd61d7..178de2928de4c 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml 
@@ -130,6 +130,333 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )catalog-integrity,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build06 + context: ci/prow/catalog-sync-audit-catalog + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-audit-catalog + rerun_command: /test catalog-sync-audit-catalog + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=audit-catalog + - --variant=catalog-sync + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-audit-catalog,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: 
build06 + context: ci/prow/catalog-sync-catalog-integrity + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-catalog-integrity + rerun_command: /test catalog-sync-catalog-integrity + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=catalog-integrity + - --variant=catalog-sync + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-catalog-integrity,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build06 + context: ci/prow/catalog-sync-images + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + 
ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-images + rerun_command: /test catalog-sync-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --target=[release:latest] + - --variant=catalog-sync + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-images,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build06 + context: ci/prow/catalog-sync-lint + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-lint + rerun_command: /test catalog-sync-lint + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - 
--report-credentials-file=/etc/report/credentials + - --target=lint + - --variant=catalog-sync + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-lint,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build06 + context: ci/prow/catalog-sync-unit + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-unit + rerun_command: /test catalog-sync-unit + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=unit + - --variant=catalog-sync + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: 
quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-unit,?($|\s.*) - agent: kubernetes always_run: true branches: From 6a946384fb416e2197e1f37a19d01d348bba3dd4 Mon Sep 17 00:00:00 2001 
From: ybeder Date: Thu, 14 May 2026 18:54:40 +0000 Subject: [PATCH 2/8] mirror-gui: replace ci-operator catalog-sync variant with direct periodic sync+build Move the daily catalog refresh out of the Dockerfile and into a self-contained periodic Prow job that: 1. Mounts ci-pull-credentials for registry.redhat.io access 2. Runs sync-catalogs.sh in the checked-out workspace 3. Builds the image with buildah from the synced workspace 4. Pushes the single mirror-gui image with the push secret This avoids the oc-image-extract-inside-Dockerfile auth problem entirely, requires no manual cluster-side secret changes, and keeps local developer builds unchanged. - Delete the catalog-sync ci-operator variant config - Remove catalog-sync presubmit and postsubmit jobs - Rewrite the periodic job as a direct sync+buildah+push wrapper Co-authored-by: Cursor --- ...enshift-mirror-gui-main__catalog-sync.yaml | 58 ---- .../openshift-mirror-gui-main-periodics.yaml | 87 +++-- ...openshift-mirror-gui-main-postsubmits.yaml | 63 ---- .../openshift-mirror-gui-main-presubmits.yaml | 327 ------------------ 4 files changed, 50 insertions(+), 485 deletions(-) delete mode 100644 ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml diff --git a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml deleted file mode 100644 index 21d2753700780..0000000000000 --- a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -build_root: - project_image: - dockerfile_path: .ci-operator/build-root/Dockerfile -images: - items: - - build_args: - - name: SYNC_CATALOGS - value: "true" - dockerfile_path: Dockerfile - to: mirror-gui-catalog-sync -promotion: - to: - - name: "5.0" - namespace: ocp -releases: - initial: - integration: - name: "5.0" - namespace: ocp - latest: - integration: - include_built_images: true - name: "5.0" - namespace: ocp -resources: - '*': - limits: - memory: 4Gi - requests: - cpu: 100m - memory: 200Mi -test_binary_build_commands: npm ci && npm run build -tests: -- as: lint - commands: npm run lint - container: - from: test-bin - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ -- as: unit - commands: npm run test - container: - from: test-bin - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ -- as: audit-catalog - commands: npx vitest run tests/scripts/auditFetchCatalogs.test.ts - container: - from: test-bin - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ -- as: catalog-integrity - commands: npx vitest run tests/scripts/catalogDataIntegrity.test.ts - container: - from: test-bin - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ -zz_generated_metadata: - branch: main - org: openshift - repo: mirror-gui - variant: catalog-sync diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml index be2ee64a7a605..b561acd78fac7 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml 
@@ -3,65 +3,78 @@ periodics: cluster: build03 cron: 0 2 * * * decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile extra_refs: - base_ref: main org: openshift repo: mirror-gui - sparse_checkout_files: - - Dockerfile labels: ci-operator.openshift.io/is-promotion: "true" - ci-operator.openshift.io/variant: catalog-sync max_concurrency: 1 name: periodic-ci-openshift-mirror-gui-main-catalog-sync-images spec: containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson - - --promote - - --report-credentials-file=/etc/report/credentials - - --target=[images] - - --variant=catalog-sync - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + - command: + - /bin/bash + - -c + - | + set -euxo pipefail + + # Install oc CLI + curl -sSfL "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz" \ + | tar -xz -C /usr/local/bin oc + oc version --client + + # Install sync-catalogs.sh dependencies (python3 and jq ship with UBI9) + dnf install -y --nodocs python3-pyyaml && dnf clean all + + cd /home/prow/go/src/github.com/openshift/mirror-gui + + # ── 1. Sync catalogs from registry.redhat.io ── + export PULL_SECRET_PATH=/etc/ci-pull-credentials/.dockerconfigjson + export CATALOG_DATA_DIR=./catalog-data + export MAX_PARALLEL_JOBS=3 + chmod +x ./sync-catalogs.sh + ./sync-catalogs.sh + + # ── 2. Build the image (catalog-data is now fresh in the workspace) ── + BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" + VCS_REF="$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" + buildah bud \ + --storage-driver=vfs \ + --build-arg "BUILD_DATE=${BUILD_DATE}" \ + --build-arg "VCS_REF=${VCS_REF}" \ + -t "${TARGET_IMAGE}" \ + . + + # ── 3. 
Push the image ── + buildah push \ + --storage-driver=vfs \ + --authfile=/etc/push-secret/.dockerconfigjson \ + "${TARGET_IMAGE}" + env: + - name: TARGET_IMAGE + value: quay.io/openshift-release-dev/ocp-v4.0-art-dev:mirror-gui + image: registry.access.redhat.com/ubi9/buildah:latest imagePullPolicy: Always name: "" resources: requests: - cpu: 10m + cpu: 500m + memory: 2Gi + securityContext: + privileged: true volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret + - mountPath: /etc/ci-pull-credentials + name: ci-pull-credentials readOnly: true - mountPath: /etc/push-secret name: push-secret readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true serviceAccountName: ci-operator volumes: - - name: manifest-tool-local-pusher + - name: ci-pull-credentials secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials + secretName: ci-pull-credentials - name: push-secret secret: secretName: registry-push-credentials-ci-central - - name: result-aggregator - secret: - secretName: result-aggregator diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml index 29630afe7e9d3..241f9a9768762 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-postsubmits.yaml 
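Review bot: The `curl … | tar -xz -C /usr/local/bin oc` step installs whatever the `stable` channel serves at run time, with no version pin or digest check, in a container that is `privileged: true` and has `registry-push-credentials-ci-central` mounted. A changed or tampered tarball would run with the ability to push `${TARGET_IMAGE}`, so pin the client version and verify a SHA-256 recorded in this job before extracting, as in the excerpt below. The same reasoning applies to `image: registry.access.redhat.com/ubi9/buildah:latest`, which would be better referenced by digest. It is also worth checking whether `buildah bud --storage-driver=vfs` really needs `privileged: true` here rather than a narrower security context.

```yaml
      - |
        set -euxo pipefail

        # Install a pinned oc client and verify its digest before anything runs it
        oc_tarball="$(mktemp)"
        curl -sSfL -o "${oc_tarball}" \
          "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz"
        echo "${OC_SHA256}  ${oc_tarball}" | sha256sum -c -
        tar -xz -C /usr/local/bin -f "${oc_tarball}" oc
        oc version --client

        # … unchanged: dnf install, sync-catalogs.sh, buildah bud, buildah push …
      env:
      - name: OC_VERSION
        value: "<pinned-oc-version>"  # placeholder
      - name: OC_SHA256
        value: "<sha256-of-openshift-client-linux.tar.gz>"  # placeholder
      # … unchanged: TARGET_IMAGE …
```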
@@ -1,68 +1,5 @@ postsubmits: openshift/mirror-gui: - - agent: kubernetes - always_run: true - branches: - - ^main$ - cluster: build03 - decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile - labels: - ci-operator.openshift.io/is-promotion: "true" - ci-operator.openshift.io/variant: catalog-sync - ci.openshift.io/generator: prowgen - max_concurrency: 1 - name: branch-ci-openshift-mirror-gui-main-catalog-sync-images - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson - - --promote - - --report-credentials-file=/etc/report/credentials - - --target=[images] - - --variant=catalog-sync - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/push-secret - name: push-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: push-secret - secret: - secretName: registry-push-credentials-ci-central - - name: result-aggregator - secret: - secretName: result-aggregator - agent: kubernetes always_run: true branches: diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml index 178de2928de4c..0ab2627dd61d7 100644 
--- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml 
@@ -130,333 +130,6 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )catalog-integrity,?($|\s.*) - - agent: kubernetes - always_run: false - branches: - - ^main$ - - ^main- - cluster: build06 - context: ci/prow/catalog-sync-audit-catalog - decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile - labels: - ci-operator.openshift.io/variant: catalog-sync - ci.openshift.io/generator: prowgen - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-audit-catalog - rerun_command: /test catalog-sync-audit-catalog - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --report-credentials-file=/etc/report/credentials - - --target=audit-catalog - - --variant=catalog-sync - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-audit-catalog,?($|\s.*) - - agent: kubernetes - always_run: false - branches: - - ^main$ - - ^main- - cluster: 
build06 - context: ci/prow/catalog-sync-catalog-integrity - decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile - labels: - ci-operator.openshift.io/variant: catalog-sync - ci.openshift.io/generator: prowgen - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-catalog-integrity - rerun_command: /test catalog-sync-catalog-integrity - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --report-credentials-file=/etc/report/credentials - - --target=catalog-integrity - - --variant=catalog-sync - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-catalog-integrity,?($|\s.*) - - agent: kubernetes - always_run: true - branches: - - ^main$ - - ^main- - cluster: build06 - context: ci/prow/catalog-sync-images - decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile - labels: - ci-operator.openshift.io/variant: catalog-sync - 
ci.openshift.io/generator: prowgen - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-images - rerun_command: /test catalog-sync-images - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --report-credentials-file=/etc/report/credentials - - --target=[images] - - --target=[release:latest] - - --variant=catalog-sync - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-images,?($|\s.*) - - agent: kubernetes - always_run: false - branches: - - ^main$ - - ^main- - cluster: build06 - context: ci/prow/catalog-sync-lint - decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile - labels: - ci-operator.openshift.io/variant: catalog-sync - ci.openshift.io/generator: prowgen - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-lint - rerun_command: /test catalog-sync-lint - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - 
--report-credentials-file=/etc/report/credentials - - --target=lint - - --variant=catalog-sync - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-lint,?($|\s.*) - - agent: kubernetes - always_run: false - branches: - - ^main$ - - ^main- - cluster: build06 - context: ci/prow/catalog-sync-unit - decorate: true - decoration_config: - sparse_checkout_files: - - Dockerfile - labels: - ci-operator.openshift.io/variant: catalog-sync - ci.openshift.io/generator: prowgen - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-unit - rerun_command: /test catalog-sync-unit - skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$ - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --report-credentials-file=/etc/report/credentials - - --target=unit - - --variant=catalog-sync - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: 
quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-unit,?($|\s.*) - agent: kubernetes always_run: true branches: From 8d4b1fad10c91d4eaf2eaec9402995eed5fd5383 Mon Sep 17 00:00:00 2001 
From: ybeder Date: Thu, 14 May 2026 19:01:07 +0000 Subject: [PATCH 3/8] mirror-gui: add rehearsable catalog-sync-verify test step Replace the previous catalog-sync variant (which tried oc image extract inside a Dockerfile RUN step) with a ci-operator test step that: - Runs from the built mirror-gui image (has oc, python3, jq, PyYAML) - Mounts ci-pull-credentials for registry.redhat.io auth - Executes sync-catalogs.sh and validates the output - Is rehearsable via pj-rehearse to prove sync works before merge Remove the periodic job for now; it will be re-added in a follow-up PR once the sync is confirmed working. Co-authored-by: Cursor --- ...enshift-mirror-gui-main__catalog-sync.yaml | 51 +++++++ .../openshift-mirror-gui-main-periodics.yaml | 80 ----------- .../openshift-mirror-gui-main-presubmits.yaml | 125 ++++++++++++++++++ 3 files changed, 176 insertions(+), 80 deletions(-) create mode 100644 ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml delete mode 100644 ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml diff --git a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml new file mode 100644 index 0000000000000..d9276c5db35d4 --- /dev/null +++ b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml 
@@ -0,0 +1,51 @@
+build_root:
+ project_image:
+ dockerfile_path: .ci-operator/build-root/Dockerfile
+images:
+ items:
+ - dockerfile_path: Dockerfile
+ to: mirror-gui
+releases:
+ initial:
+ integration:
+ name: "5.0"
+ namespace: ocp
+ latest:
+ integration:
+ include_built_images: true
+ name: "5.0"
+ namespace: ocp
+resources:
+ '*':
+ limits:
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+tests:
+- as: catalog-sync-verify
+ commands: |
+ export PULL_SECRET_PATH=/var/run/secrets/ci-pull-credentials/.dockerconfigjson
+ export CATALOG_DATA_DIR=/tmp/catalog-data
+ export MAX_PARALLEL_JOBS=3
+ cd /app
+ ./sync-catalogs.sh
+ echo "--- Verification ---"
+ cat /tmp/catalog-data/catalog-index.json
+ CATALOG_COUNT=$(jq '.catalogs | length' /tmp/catalog-data/catalog-index.json)
+ echo "Synced catalog entries: $CATALOG_COUNT"
+ if [ "$CATALOG_COUNT" -lt 1 ]; then
+ echo "ERROR: No catalogs synced"
+ exit 1
+ fi
+ container:
+ from: mirror-gui
+ credentials:
+ - mount_path: /var/run/secrets/ci-pull-credentials
+ name: ci-pull-credentials
+ namespace: ci
+zz_generated_metadata:
+ branch: main
+ org: openshift
+ repo: mirror-gui
+ variant: catalog-sync
diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml
deleted file mode 100644
index b561acd78fac7..0000000000000
--- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-periodics.yaml
+++ /dev/null
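Review bot: The `credentials` stanza of `catalog-sync-verify` mounts `ci-pull-credentials` into a container built from the pull request's own `Dockerfile` that then runs the pull request's `./sync-catalogs.sh`, so code under review executes with the registry pull secret readable at `PULL_SECRET_PATH`. The step does not print the secret itself, but nothing visible here prevents the script from writing auth material to the public job log. It is worth confirming that sync-catalogs.sh never echoes the auth file or runs with xtrace around token handling, and that this presubmit is covered by the usual trusted-author gating, which this patch does not show. The steps-format rewrite in PATCH 7/8 keeps the same mount and PATCH 6/8 sets the generated job to `always_run: true`, so the same applies to both. I would record the constraint as a shell comment above the export inside `commands`: `# pull secret is mounted into PR-built code: keep xtrace off and never print the auth file`.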
@@ -1,80 +0,0 @@ -periodics: -- agent: kubernetes - cluster: build03 - cron: 0 2 * * * - decorate: true - extra_refs: - - base_ref: main - org: openshift - repo: mirror-gui - labels: - ci-operator.openshift.io/is-promotion: "true" - max_concurrency: 1 - name: periodic-ci-openshift-mirror-gui-main-catalog-sync-images - spec: - containers: - - command: - - /bin/bash - - -c - - | - set -euxo pipefail - - # Install oc CLI - curl -sSfL "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz" \ - | tar -xz -C /usr/local/bin oc - oc version --client - - # Install sync-catalogs.sh dependencies (python3 and jq ship with UBI9) - dnf install -y --nodocs python3-pyyaml && dnf clean all - - cd /home/prow/go/src/github.com/openshift/mirror-gui - - # ── 1. Sync catalogs from registry.redhat.io ── - export PULL_SECRET_PATH=/etc/ci-pull-credentials/.dockerconfigjson - export CATALOG_DATA_DIR=./catalog-data - export MAX_PARALLEL_JOBS=3 - chmod +x ./sync-catalogs.sh - ./sync-catalogs.sh - - # ── 2. Build the image (catalog-data is now fresh in the workspace) ── - BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" - VCS_REF="$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" - buildah bud \ - --storage-driver=vfs \ - --build-arg "BUILD_DATE=${BUILD_DATE}" \ - --build-arg "VCS_REF=${VCS_REF}" \ - -t "${TARGET_IMAGE}" \ - . - - # ── 3. 
Push the image ── - buildah push \ - --storage-driver=vfs \ - --authfile=/etc/push-secret/.dockerconfigjson \ - "${TARGET_IMAGE}" - env: - - name: TARGET_IMAGE - value: quay.io/openshift-release-dev/ocp-v4.0-art-dev:mirror-gui - image: registry.access.redhat.com/ubi9/buildah:latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /etc/push-secret - name: push-secret - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: push-secret - secret: - secretName: registry-push-credentials-ci-central diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml index 0ab2627dd61d7..c90823624eab1 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml 
@@ -130,6 +130,131 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )catalog-integrity,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build06 + context: ci/prow/catalog-sync-images + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-images + rerun_command: /test catalog-sync-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --target=[release:latest] + - --variant=catalog-sync + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-images,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build06 + context: ci/prow/catalog-sync-catalog-sync-verify + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile + labels: + ci-operator.openshift.io/variant: catalog-sync + 
ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-mirror-gui-main-catalog-sync-catalog-sync-verify + rerun_command: /test catalog-sync-catalog-sync-verify + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=catalog-sync-verify + - --variant=catalog-sync + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )catalog-sync-catalog-sync-verify,?($|\s.*) - agent: kubernetes always_run: true branches: From d346905798cee39329a18982ae4b7b731b803b80 Mon Sep 17 00:00:00 2001 
From: ybeder Date: Thu, 14 May 2026 19:07:39 +0000 Subject: [PATCH 4/8] mirror-gui: fix generated presubmit job order and args Swap catalog-sync-catalog-sync-verify and catalog-sync-images to match prowgen expected order. Remove --target=[release:latest] from the catalog-sync-images presubmit (variant has no promotion). Co-authored-by: Cursor --- .../openshift-mirror-gui-main-presubmits.yaml | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml index c90823624eab1..978b60bbf0a7b 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml @@ -131,12 +131,12 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )catalog-integrity,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- cluster: build06 - context: ci/prow/catalog-sync-images + context: ci/prow/catalog-sync-catalog-sync-verify decorate: true decoration_config: sparse_checkout_files: 
@@ -145,22 +145,29 @@ presubmits: ci-operator.openshift.io/variant: catalog-sync ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-images - rerun_command: /test catalog-sync-images + name: pull-ci-openshift-mirror-gui-main-catalog-sync-catalog-sync-verify + rerun_command: /test catalog-sync-catalog-sync-verify spec: containers: - args: - --gcs-upload-secret=/secrets/gcs/service-account.json - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - --report-credentials-file=/etc/report/credentials - - --target=[images] - - --target=[release:latest] + - --target=catalog-sync-verify - --variant=catalog-sync command: - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest imagePullPolicy: Always name: "" + ports: + - containerPort: 8080 + name: http resources: requests: cpu: 10m @@ -188,14 +195,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-images,?($|\s.*) + trigger: (?m)^/test( | .* )catalog-sync-catalog-sync-verify,?($|\s.*) - agent: kubernetes - always_run: false + always_run: true branches: - ^main$ - ^main- cluster: build06 - context: ci/prow/catalog-sync-catalog-sync-verify + context: ci/prow/catalog-sync-images decorate: true decoration_config: sparse_checkout_files: 
@@ -204,29 +211,21 @@ presubmits: ci-operator.openshift.io/variant: catalog-sync ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-mirror-gui-main-catalog-sync-catalog-sync-verify - rerun_command: /test catalog-sync-catalog-sync-verify + name: pull-ci-openshift-mirror-gui-main-catalog-sync-images + rerun_command: /test catalog-sync-images spec: containers: - args: - --gcs-upload-secret=/secrets/gcs/service-account.json - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - --report-credentials-file=/etc/report/credentials - - --target=catalog-sync-verify + - --target=[images] - --variant=catalog-sync command: - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest imagePullPolicy: Always name: "" - ports: - - containerPort: 8080 - name: http resources: requests: cpu: 10m @@ -254,7 +253,7 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )catalog-sync-catalog-sync-verify,?($|\s.*) + trigger: (?m)^/test( | .* )catalog-sync-images,?($|\s.*) - agent: kubernetes always_run: true branches: From 97560c7552ee4dd9e8474a3f8769fab5b634feaf Mon Sep 17 00:00:00 2001 From: ybeder Date: Thu, 14 May 2026 19:09:20 +0000 Subject: [PATCH 5/8] mirror-gui: harden catalog-sync-verify with set -euo pipefail Add fail-fast shell options and safer jq parsing to prevent false passes when sync-catalogs.sh or catalog-index.json parsing fails. Addresses CodeRabbit review feedback. Co-authored-by: Cursor --- .../mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml index d9276c5db35d4..b4aae8ead2172 100644 
--- a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml +++ b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml @@ -25,6 +25,7 @@ resources: tests: - as: catalog-sync-verify commands: | + set -euo pipefail export PULL_SECRET_PATH=/var/run/secrets/ci-pull-credentials/.dockerconfigjson export CATALOG_DATA_DIR=/tmp/catalog-data export MAX_PARALLEL_JOBS=3 @@ -32,7 +33,7 @@ tests: ./sync-catalogs.sh echo "--- Verification ---" cat /tmp/catalog-data/catalog-index.json - CATALOG_COUNT=$(jq '.catalogs | length' /tmp/catalog-data/catalog-index.json) + CATALOG_COUNT=$(jq -r 'if (.catalogs | type) == "array" then (.catalogs | length) else 0 end' /tmp/catalog-data/catalog-index.json) echo "Synced catalog entries: $CATALOG_COUNT" if [ "$CATALOG_COUNT" -lt 1 ]; then echo "ERROR: No catalogs synced" From 7df609c060761bddee0290d0d151c16779dddadb Mon Sep 17 00:00:00 2001 From: ybeder Date: Thu, 14 May 2026 19:17:14 +0000 Subject: [PATCH 6/8] mirror-gui: fix catalog-sync-verify always_run to match prowgen Co-authored-by: Cursor --- .../mirror-gui/openshift-mirror-gui-main-presubmits.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml index 978b60bbf0a7b..ed633c06c7920 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml @@ -131,7 +131,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )catalog-integrity,?($|\s.*) - agent: kubernetes - always_run: false + always_run: true branches: - ^main$ - ^main- From 46a54f14b20726c7eeb60cd83729e347bd99201d Mon Sep 17 00:00:00 2001 
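Review bot: The verification in the `@@ -32,7 +33,7 @@` hunk of the catalog-sync config still passes as soon as `catalog-index.json` lists a single entry, so a partially failed sync goes green unless sync-catalogs.sh itself exits non-zero on a per-catalog failure (that script is not visible here). A configurable floor would make the gate meaningful, for example `if [ "$CATALOG_COUNT" -lt "${MIN_CATALOGS:-1}" ]; then` with `MIN_CATALOGS` exported next to the other settings. The new `else 0 end` branch also folds "`.catalogs` is missing or not an array" into the "No catalogs synced" message; a separate error line for the malformed-index case would make failures easier to triage. The `commands` block begins and ends outside this hunk.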
From: ybeder Date: Thu, 14 May 2026 19:27:41 +0000 Subject: [PATCH 7/8] mirror-gui: use steps format for catalog-sync-verify test Switch from container shorthand to the steps test format so that the credentials stanza is recognized by the config metadata normalizer. Co-authored-by: Cursor --- ...enshift-mirror-gui-main__catalog-sync.yaml | 48 +++++++++++-------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml index b4aae8ead2172..76fe08f107dcc 100644 --- a/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml +++ b/ci-operator/config/openshift/mirror-gui/openshift-mirror-gui-main__catalog-sync.yaml 
@@ -24,27 +24,33 @@ resources: memory: 200Mi tests: - as: catalog-sync-verify - commands: | - set -euo pipefail - export PULL_SECRET_PATH=/var/run/secrets/ci-pull-credentials/.dockerconfigjson - export CATALOG_DATA_DIR=/tmp/catalog-data - export MAX_PARALLEL_JOBS=3 - cd /app - ./sync-catalogs.sh - echo "--- Verification ---" - cat /tmp/catalog-data/catalog-index.json - CATALOG_COUNT=$(jq -r 'if (.catalogs | type) == "array" then (.catalogs | length) else 0 end' /tmp/catalog-data/catalog-index.json) - echo "Synced catalog entries: $CATALOG_COUNT" - if [ "$CATALOG_COUNT" -lt 1 ]; then - echo "ERROR: No catalogs synced" - exit 1 - fi - container: - from: mirror-gui - credentials: - - mount_path: /var/run/secrets/ci-pull-credentials - name: ci-pull-credentials - namespace: ci + steps: + test: + - as: catalog-sync-verify + commands: | + set -euo pipefail + export PULL_SECRET_PATH=/var/run/secrets/ci-pull-credentials/.dockerconfigjson + export CATALOG_DATA_DIR=/tmp/catalog-data + export MAX_PARALLEL_JOBS=3 + cd /app + ./sync-catalogs.sh + echo "--- Verification ---" + cat /tmp/catalog-data/catalog-index.json + CATALOG_COUNT=$(jq -r 'if (.catalogs | type) == "array" then (.catalogs | length) else 0 end' /tmp/catalog-data/catalog-index.json) + echo "Synced catalog entries: $CATALOG_COUNT" + if [ "$CATALOG_COUNT" -lt 1 ]; then + echo "ERROR: No catalogs synced" + exit 1 + fi + credentials: + - mount_path: /var/run/secrets/ci-pull-credentials + name: ci-pull-credentials + namespace: ci + from: mirror-gui + resources: + requests: + cpu: 100m + memory: 200Mi zz_generated_metadata: branch: main org: openshift From 7526faef1655ea06a783ce7681d8f1196d5185da Mon Sep 17 00:00:00 2001 
From: ybeder Date: Thu, 14 May 2026 19:37:09 +0000 Subject: [PATCH 8/8] mirror-gui: add boskos and ci-pull-credentials to verify presubmit Prowgen requires lease-server-credentials (boskos) and secret-dir mounts for steps-based tests with credentials. Match the expected generated output exactly. Co-authored-by: Cursor --- .../openshift-mirror-gui-main-presubmits.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml index ed633c06c7920..b50598119b7fc 100644 --- a/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/mirror-gui/openshift-mirror-gui-main-presubmits.yaml @@ -152,7 +152,9 @@ presubmits: - args: - --gcs-upload-secret=/secrets/gcs/service-account.json - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials - --target=catalog-sync-verify - --variant=catalog-sync command: @@ -172,6 +174,12 @@ presubmits: requests: cpu: 10m volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true - mountPath: /secrets/gcs name: gcs-credentials readOnly: true @@ -186,6 +194,15 @@ presubmits: readOnly: true serviceAccountName: ci-operator volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials - name: manifest-tool-local-pusher secret: secretName: manifest-tool-local-pusher