138 changes: 138 additions & 0 deletions release/README.md
@@ -0,0 +1,138 @@
# OSC Release procedure

## Rationale

See [the documentation][doc_snapshots] about snapshots.

Konflux Snapshots are used to represent a related set of images, that can be used
for testing and releasing.

Snapshots are created automatically whenever something is rebuilt.
When a component is modified, its image is updated, and added to a new snapshot.
The snapshot is then completed with the latest build for the other images for our
application.

Automated snapshot creation makes no difference between `on-pull-request` and
`on-push` builds.
This results in snapshots that contains a mix of merged and unmerged code.
This is fine to test images from PRs (pre-merge), as no PR will rebuild all the
images. But when we try to make a release, if an unrelated PR comes up, its image
can get mixed in the snapshot that we are working on.

The only way to get a releasable snapshot from the automated snapshot creation is
to finely control what gets built to ensure that snapshot and bundle are synchronized.
In any case, when we make a release (stage or prod), the Enterprise Contract for
the release will check that the snapshot and the bundle are in sync, and will error
out if they are not.

This is cumbersome, and could lead to unneeded rebuilds to make sure the latest
image for each component is the one we have in the snapshot (this is what we did
in 1.10.2).

Instead of counting on automated snapshots, we can [create our own snapshots manually][doc_manual_snapshots].

This folder contains a Snapshot definition, listing all the images we want.
We will use the existing nudge PRs for our images to update it at the same time
as the bundle and test catalog are updated, making sure the bundle and snapshot
are synchronized.

Based on this snapshot definition, we can make a controlled release without
wondering what snapshot we should use.

## Process

### Prerequisite

This process requires to use the CLI to interact with our Konflux instance.
You need to `oc login` to our instance of Konflux, and use our team's namespace
on it.

```bash
$ oc login --web https://api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443/
...
$ oc project ose-osc-tenant
Now using project "ose-osc-tenant" on server "https://api.stone-prd-rh01.pg1f.p1.openshiftapps.com:6443".
```

Another pre-requisite is to have a working build of the operator, including a bundle
that lists all the expected images.

**This operator build needs to be tested and validated by the team.**

### Push the Snapshot

1) verify that the `snapshot.yaml` file contains the same image references as
the tested operator's bundle.
2) run:

```bash
$ oc create -f snapshot.yaml
...
```

3) in the Konflux console, or with the CLI, you can verify that the snapshot
is listed appropriately under the name "osc-release-snapshot-[number]".

Note: snapshots need to have a unique name. They are deleted after some time, but
if you do multiple pushes in a short time, you will need to rename it.
This is why we append a number at the end of its name.
Modify this number to make sure the snapshot is unique in our instance.
You don't need to commit the name change to our repo.

### Make a stage release

This folder contains a `stage-release.yaml` file that references our snapshot
by its name. You can use it to trigger a stage release for the snapshot you
just pushed.

1) make sure `stage-release.yaml` is using the right snapshot name, as set in
`snapshot.yaml`
2) run:

```bash
$ oc create -f stage-release.yaml
...
```

Note: as for the snapshot, the release need to be uniquely named. Make sure you
edit that name if you need to make multiple stage releases.

### Make a prod release

Stage and prod releases are made exactly in the same way.
We could just edit `stage-release.yaml` and modify the `releasePlan` reference from
"stage" to "prod", and just push the same file again.
Now to avoid errors like "pushing a prod release when we thought we're making a stage one",
we are keeping two separate files for stage and prod releases.

1) make sure `prod-release.yaml` is using the right snapshot name, as set in
`snapshot.yaml`
2) make sure `prod-release.yaml` has all the expected issues and CVEs listed for
your release.
3) Fill the `synopsis` in `prod-release.yaml` to make sure the right version is
referenced in our advisory. Optionally set the other fields too to override
the defaults that come from our ReleasePlan.
4) Double check everything.
5) run:

```bash
$ oc create -f prod-release.yaml
...
```

## Why not use the UI console to make the release?

All of the above can also be done from the Konflux console if you feel more
confortable with it. The only caveat is listing the CVEs for the prod release,
as the console UI have [a bug (at the time of writing)][konflux_bug] that generates
wrongly formatted structures when we try to list multiple components for the same
CVE.

We started using the CLI because of this bug when we did 1.10.2.
If we don't have CVEs to list, or when the bug is fixed in Konflux, we can
consider reusing the console.

---
[doc_snapshots]: https://konflux.pages.redhat.com/docs/users/testing/integration/snapshots/index.html
[doc_manual_snapshots]: https://konflux.pages.redhat.com/docs/users/testing/integration/snapshots/working-with-snapshots.html
[konflux_bug]: https://issues.redhat.com/browse/KFLUXSPRT-5045
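Review bot: the snapshot naming convention described under "Push the Snapshot" ("osc-release-snapshot-[number]") does not match what this PR actually ships: `snapshot.yaml` names the snapshot `osc-release-snapshot-1.10.3-1`, while `stage-release.yaml` references `osc-release-snapshot-1` and `prod-release.yaml` references the auto-generated `openshift-sandboxed-containers-v1-10-7gp4c`. Since the whole point of the document is that the Release must point at the manually pushed snapshot (the Enterprise Contract check mentioned in the rationale will otherwise fail), please settle on one naming scheme and state it once, and have steps 1 of "Make a stage release" and "Make a prod release" tell the reader exactly which field to compare (`metadata.name` in `snapshot.yaml` against `spec.snapshot` in the release file). Step 1 of "Push the Snapshot" ("verify that the `snapshot.yaml` file contains the same image references as the tested operator's bundle") would also benefit from saying how that verification is done, for example by extracting the bundle's `relatedImages` digests and diffing them against the `containerImage` digests in `snapshot.yaml`, since a mismatch here is exactly the error the Enterprise Contract rejects. Minor wording: "confortable" should be "comfortable", "the console UI have a bug" should be "the console UI has a bug", and "snapshots that contains" should be "snapshots that contain".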
44 changes: 44 additions & 0 deletions release/prod-release.yaml
@@ -0,0 +1,44 @@
apiVersion: appstudio.redhat.com/v1alpha1
kind: Release
metadata:
labels:
release.appstudio.openshift.io/author: jrope
name: osc-prod-release-v1-10-2-take3
namespace: ose-osc-tenant
spec:
releasePlan: osc-prod-release-plan-v1-10
snapshot: openshift-sandboxed-containers-v1-10-7gp4c
data:
releaseNotes:
cves:
- component: osc-podvm-builder-v1-10
key: CVE-2025-6020
- component: osc-podvm-payload-v1-10
key: CVE-2025-6020
- component: osc-caa-v1-10
key: CVE-2025-6020
- component: osc-monitor-v1-10
key: CVE-2025-6020
- component: osc-monitor-v1-10
key: CVE-2025-8941
- component: osc-podvm-payload-v1-10
key: CVE-2025-8941
- component: osc-podvm-builder-v1-10
key: CVE-2025-8941
- component: osc-caa-v1-10
key: CVE-2025-8941
- component: osc-caa-v1-10
key: CVE-2025-5914
- component: osc-caa-webhook-v1-10
key: CVE-2025-5914
- component: osc-monitor-v1-10
key: CVE-2025-5914
- component: osc-must-gather-v1-10
key: CVE-2025-5914
- component: osc-operator-v1-10
key: CVE-2025-5914
- component: osc-podvm-builder-v1-10
key: CVE-2025-5914
- component: osc-podvm-payload-v1-10
key: CVE-2025-5914

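Review bot: `spec.snapshot` here points at `openshift-sandboxed-containers-v1-10-7gp4c`, an automatically generated snapshot name, not at the manually created snapshot defined in `snapshot.yaml` (`osc-release-snapshot-1.10.3-1`), and `metadata.name` is `osc-prod-release-v1-10-2-take3` while the snapshot in this PR is for 1.10.3. As committed, this file looks like the leftover 1.10.2 release rather than a template for the process the README describes, and a reader following step 5 ("run `oc create -f prod-release.yaml`") without editing it would re-submit a prod release against the wrong snapshot. Either replace the release-specific values (`name`, `snapshot`, the `cves` list) with clearly marked placeholders, or add a comment at the top stating that every field must be updated before use. Also, the README's step 3 says to fill `synopsis` in this file, but no `synopsis` key is present under `releaseNotes`, so add it (even empty or commented) so the reader knows where it goes; and the `release.appstudio.openshift.io/author` label is hardcoded to one person, which will mislabel releases cut by other team members.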
70 changes: 70 additions & 0 deletions release/snapshot.yaml
@@ -0,0 +1,70 @@
apiVersion: appstudio.redhat.com/v1alpha1
kind: Snapshot
metadata:
name: osc-release-snapshot-1.10.3-1
namespace: ose-osc-tenant
spec:
application: openshift-sandboxed-containers-v1-10
components:
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-monitor-v1-10@sha256:ce49124dc965c77cd93e9fa34b0392194761cc949543cf39d3a0ce7d33a64572
name: osc-monitor-v1-10
source:
git:
dockerfileUrl: Dockerfile.monitor
revision: 4560d2b96839bcc8035a60348ecfe0b3a7c8a77d
url: https://github.com/openshift/kata-containers
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-operator-bundle-v1-10@sha256:417ee37b223c39a06e8534fbe8b9f11e54e481df17977e4d4d62c62ccf8e63a4
name: osc-operator-bundle-v1-10
source:
git:
revision: a894d05350ba200e176db6b09d49568eedb49b80
url: https://github.com/openshift/sandboxed-containers-operator
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-podvm-builder-v1-10@sha256:21e810dd9d030c3835fadfc4c434e36a26ab57d9451dc955fc1625b48fac3815
name: osc-podvm-builder-v1-10
source:
git:
context: config/peerpods/podvm
dockerfileUrl: Dockerfile.podvm-builder
revision: d36004f697731521faa9b1bc6acd94f9ca99dcd4
url: https://github.com/openshift/sandboxed-containers-operator
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-podvm-payload-v1-10@sha256:c9790aaa961f6976c14fc9cbef448fc48fcdfacf94f3af25fa2b1e31c72c8d9f
name: osc-podvm-payload-v1-10
source:
git:
dockerfileUrl: podvm-payload/Dockerfile
revision: bdca2073285730b4fc5e8028b6ac4dd9a0256d13
url: https://github.com/openshift/cloud-api-adaptor
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-caa-v1-10@sha256:7d1fa1e85af0d34c23e75868b1388eff17abe633c04a8dc55fbefcc470195c05
name: osc-caa-v1-10
source:
git:
context: src
dockerfileUrl: cloud-api-adaptor/Dockerfile.openshift
revision: bdca2073285730b4fc5e8028b6ac4dd9a0256d13
url: https://github.com/openshift/cloud-api-adaptor
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-dm-verity-image-v1-10@sha256:9b32c441a08792374a8b681ed5733d8df77857ea96200630080fdd96012f8b55
name: osc-dm-verity-image-v1-10
source:
git:
revision: 3962471832c450387a0659432d057ce88443f16a
url: https://github.com/confidential-devhub/coco-podvm-scripts
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-operator-v1-10@sha256:1ffb432d9a8833854fa5e5262dcbf42530dfbaadfddf6978f7bc7804b84d2e3f
name: osc-operator-v1-10
source:
git:
revision: d317b15b575172392731b2c00876846ebc45922d
url: https://github.com/openshift/sandboxed-containers-operator
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-caa-webhook-v1-10@sha256:6802f00a939f24ecd6dad150433db5ea3fd72d171f0c410cb894d3af910fc7fd
name: osc-caa-webhook-v1-10
source:
git:
context: src/webhook
revision: bdca2073285730b4fc5e8028b6ac4dd9a0256d13
url: https://github.com/openshift/cloud-api-adaptor
- containerImage: quay.io/redhat-user-workloads/ose-osc-tenant/osc-must-gather-v1-10@sha256:a9dceee04f0a107c3c2a32838187c3bef7d54c7ad10ff75849e488009ed927e8
name: osc-must-gather-v1-10
source:
git:
context: must-gather
revision: d36004f697731521faa9b1bc6acd94f9ca99dcd4
url: https://github.com/openshift/sandboxed-containers-operator
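Review bot: the components built from `https://github.com/openshift/sandboxed-containers-operator` are pinned at three different revisions in this one snapshot: `osc-operator-v1-10` at `d317b15…`, `osc-operator-bundle-v1-10` at `a894d05…`, and `osc-podvm-builder-v1-10` / `osc-must-gather-v1-10` at `d36004f…`. Given that the README's rationale for manual snapshots is precisely to avoid mixing builds from unrelated changes, please confirm this is intentional (for example, because the later commits only touched the bundle and podvm files) and, if the file is going to be kept in sync by the nudge PRs, consider a comment noting that the `containerImage` digest and the `revision` must be updated together. Pinning every `containerImage` by `@sha256` digest rather than by tag is the right call and should be stated as a requirement in the README so nobody substitutes a mutable tag later.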
10 changes: 10 additions & 0 deletions release/stage-release.yaml
@@ -0,0 +1,10 @@
apiVersion: appstudio.redhat.com/v1alpha1
kind: Release
metadata:
labels:
release.appstudio.openshift.io/author: jrope
name: osc-stage-release-v1-10-3-build1
namespace: ose-osc-tenant
spec:
releasePlan: osc-prod-release-plan-v1-10
snapshot: osc-release-snapshot-1
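Review bot: `spec.releasePlan` in `stage-release.yaml` is `osc-prod-release-plan-v1-10`, the same plan used by `prod-release.yaml`. The README states that stage and prod differ only in the `releasePlan` reference ("stage" vs "prod") and that two files are kept precisely to avoid "pushing a prod release when we thought we're making a stage one"; as written, `oc create -f stage-release.yaml` would do exactly that. Please point this at the stage release plan. Separately, `spec.snapshot` is `osc-release-snapshot-1`, which does not match the `osc-release-snapshot-1.10.3-1` name in `snapshot.yaml`, so this Release would not resolve the snapshot this PR defines.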