The pipelines must pull the parent index images through the internal OpenShift
registry to take advantage of the built-in credentials for Red Hat's terms-based
registry (registry.redhat.io). This saves the user from needing to provide such
credentials. The index generation task will always pull published index images
through imagestreams of the same name in the current namespace. As a result,
there is a one time configuration for each desired distribution catalog. Replace
the from
argument when configuring this for pre-production environments.
# Must be run once before certifying against the certified catalog.
oc --request-timeout 10m import-image certified-operator-index \
--from=registry.redhat.io/redhat/certified-operator-index \
--reference-policy local \
--scheduled \
--confirm \
--all
# Must be run once before certifying against the Red Hat Marketplace catalog.
oc --request-timeout 10m import-image redhat-marketplace-index \
--from=registry.redhat.io/redhat/redhat-marketplace-index \
--reference-policy local \
--scheduled \
--confirm \
--all
The CI pipeline can optionally be configured to push and pull images to/from a remote
private registry. The user must create an auth secret containing the docker config.
This secret can then be passed as a workspace named registry-credentials
when invoking
the pipeline.
oc create secret generic registry-dockerconfig-secret \
--type kubernetes.io/dockerconfigjson \
--from-file .dockerconfigjson=config.json
The pipelines requires git SSH credentials with write access to the repository if automatic digest pinning is enabled using the pin_digests param. This is disabled by default. Before executing the pipeline the user must create a secret in the same namespace as the pipeline.
To create the secret run the following commands (substituting your key):
cat << EOF > ssh-secret.yml
kind: Secret
apiVersion: v1
metadata:
name: github-ssh-credentials
data:
id_rsa: |
< PRIVATE SSH KEY >
EOF
oc create -f ssh-secret.yml
CI pipelines automatically upload a test results, logs and artifacts using Red Hat container API. This requires a partner's API key and the key needs to be created as a secret in OpenShift cluster before running a Tekton pipeline.
oc create secret generic pyxis-api-secret --from-literal pyxis_api_key=< API KEY >
The CI pipeline requires a kubeconfig with admin credentials. This can be created by logging into said cluster as an admin user.
KUBECONFIG=kubeconfig oc login -u <username> -p <password>
oc create secret generic kubeconfig --from-file=kubeconfig=kubeconfig
To automatically open the PR with submission, pipeline must authenticate to GitHub. Secret containing api token should be created.
oc create secret generic github-api-token --from-literal GITHUB_TOKEN=< GITHUB TOKEN >
The hosted pipeline requires credentials to push/pull bundle and index images from a
pre-release registry (quay.io). A registry auth secret must be created. This secret
can then be passed as a workspace named registry-credentials
when invoking
the pipeline.
oc create secret generic hosted-pipeline-registry-auth-secret \
--type kubernetes.io/dockerconfigjson \
--from-file .dockerconfigjson=config.json
The hosted pipeline communicates with internal Container API that requires cert + key. The corresponding secret needs to be created before running the pipeline.
oc create secret generic operator-pipeline-api-certs \
--from-file operator-pipeline.pem \
--from-file operator-pipeline.key
To verify publishing checklist, Hosted pipeline uses Hydra API. To authenticate with Hydra over basic auth, secret containing service account credentials should be created.
oc create secret generic hydra-credentials \
--from-literal username=<username> \
--from-literal password=<password>
To automatically merge the PR, Hosted pipeline uses GitHub API. To authenticate when using this method, secret containing bot token should be created.
oc create secret generic github-bot-token --from-literal github_bot_token=< BOT TOKEN >
Hosted preflight tests are run on the separate cluster. To provision a cluster destined for the tests, the pipeline uses a Prowjob. Thus, to start the preflight test, there needs to be a prow-specific kubeconfig.
oc create secret generic prow-kubeconfig \
--from-literal kubeconfig=<kubeconfig>
Results of the preflight tests are protected by encryption. In order to retrieve them from the preflight job, gpg decryption key should be supplied.
oc create secret generic preflight-decryption-key \
--from-literal private=<private gpg key> \
--from-literal public=<public gpg key>
OCP clusters contains the public registries for Operator Bundle Images. To publish the image to this registry, Pipeline connects to OCP cluster via kubeconfig. To create the secret which contains the OCP cluster kubeconfig:
oc create secret generic ocp-registry-kubeconfig \
--from-literal kubeconfig=<kubeconfig>
A Quay OAuth token is required to set repo visibility to public.
oc create secret generic quay-oauth-token --from-literal token=<token>
The release pipeline requires credentials to push and pull the bundle image built by
the hosted pipeline. Three registry auth secrets must be specified since different
credentials may be required for the same registry when copying and serving the image.
These secrets can then be passed as workspaces named registry-pull-credentials
,
registry-push-credentials
and registry-serve-credentials
when invoking the
pipeline.
oc create secret generic release-pipeline-registry-auth-pull-secret \
--type kubernetes.io/dockerconfigjson \
--from-file .dockerconfigjson=pull-config.json
oc create secret generic release-pipeline-registry-auth-push-secret \
--type kubernetes.io/dockerconfigjson \
--from-file .dockerconfigjson=push-config.json
oc create secret generic release-pipeline-registry-auth-serve-secret \
--type kubernetes.io/dockerconfigjson \
--from-file .dockerconfigjson=serve-config.json
For submitting the IIB build, you need kerberos keytab in a secret:
oc create secret generic kerberos-keytab \
--from-file krb5.keytab
Release pipeline uses Quay credentials to authenticate a push to an index image during the IIB build.
oc create secret generic iib-quay-credentials \
--from-literal username=<QUAY_USERNAME> \
--from-literal password=<QUAY_PASSWORD>
OCP clusters contains the public registries for Operator Bundle Images. To publish the image to this registry, Pipeline connects to OCP cluster via kubeconfig. To create the secret which contains the OCP cluster kubeconfig:
oc create secret generic ocp-registry-kubeconfig \
--from-literal kubeconfig=<kubeconfig>
Additional setup instructions for this cluster are documented here.