From 6d7c9df4383de9da973d4154257b9fb625b033e2 Mon Sep 17 00:00:00 2001
From: aredenba-rh
Date: Tue, 23 Jun 2026 16:31:18 -0400
Subject: [PATCH 1/2] fix(ci): do not fail Konflux push when gitops clone is denied
hp-fleet-gitops is private under openshift-online; Konflux credentials only cover kartograph. Treat deploy-tag finally failures as warnings so successful image builds are not marked failed. Also fix agent-runtime configmap sed producing a double quote.
Co-authored-by: Cursor
---
 .tekton/kartograph-agent-runtime-push.yaml | 15 ++++++++++++---
 .tekton/kartograph-api-push.yaml | 13 +++++++++++--
 .tekton/kartograph-dev-ui-push.yaml | 13 +++++++++++--
 .tekton/kartograph-openshell-gateway-push.yaml | 13 +++++++++++--
 4 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/.tekton/kartograph-agent-runtime-push.yaml b/.tekton/kartograph-agent-runtime-push.yaml
index b69d91eea..169e0cf4e 100644
--- a/.tekton/kartograph-agent-runtime-push.yaml
+++ b/.tekton/kartograph-agent-runtime-push.yaml
@@ -672,7 +672,12 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
+ if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
+ echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
+ echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
+ echo "Container image build succeeded; skipping deploy-tag automation."
+ exit 0
+ fi
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -685,7 +690,7 @@ spec:
 PATCH_FILE="apps/kartograph/overlays/stage/configmap-patch.yaml"
 if [ -f "$PATCH_FILE" ]; then
- sed -i 's|\(KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE:.*kartograph-agent-runtime:\)[^"]*|\1'"${COMMIT_SHA}"'"|' "$PATCH_FILE"
+ sed -i 's|\(KARTOGRAPH_EXTRACTION_RUNTIME_STICKY_IMAGE:.*kartograph-agent-runtime:\)[^"]*|\1'"${COMMIT_SHA}"'|' "$PATCH_FILE"
 fi
 git config user.email "konflux@kartograph.openshift.com"
@@ -702,7 +707,11 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- git push origin "$BRANCH"
+ if ! git push origin "$BRANCH"; then
+ echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
+ echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
+ exit 0
+ fi
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
diff --git a/.tekton/kartograph-api-push.yaml b/.tekton/kartograph-api-push.yaml
index a2a111e0c..13cd41f80 100644
--- a/.tekton/kartograph-api-push.yaml
+++ b/.tekton/kartograph-api-push.yaml
@@ -672,7 +672,12 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
+ if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
+ echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
+ echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
+ echo "Container image build succeeded; skipping deploy-tag automation."
+ exit 0
+ fi
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
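Review bot: `COMMIT_SHA` is interpolated unescaped into the sed program on the `+` line of the `-685` hunk (where `|` is the delimiter and `&` and `\` are special in the replacement) and into `$BRANCH`, with no check that it is a plain hex SHA, so an unexpected param value corrupts the stage overlay or fails in a confusing way instead of being rejected. Validate it once before first use: `case "$COMMIT_SHA" in *[!0-9a-fA-F]*|"") echo "ERROR: COMMIT_SHA is not a hex SHA: $COMMIT_SHA"; exit 1;; esac`. `sed -i` is also silent when the pattern does not match, so the configmap patch can be left untouched without any failure; `grep -q "kartograph-agent-runtime:${COMMIT_SHA}" "$PATCH_FILE"` after the substitution would catch that. The second patch in this series keeps this sed line, so the point carries over; the step script continues outside the hunk on both sides.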
@@ -694,7 +699,11 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- git push origin "$BRANCH"
+ if ! git push origin "$BRANCH"; then
+ echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
+ echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
+ exit 0
+ fi
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
diff --git a/.tekton/kartograph-dev-ui-push.yaml b/.tekton/kartograph-dev-ui-push.yaml
index b53ce07a3..91e68f606 100644
--- a/.tekton/kartograph-dev-ui-push.yaml
+++ b/.tekton/kartograph-dev-ui-push.yaml
@@ -672,7 +672,12 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
+ if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
+ echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
+ echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
+ echo "Container image build succeeded; skipping deploy-tag automation."
+ exit 0
+ fi
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -694,7 +699,11 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- git push origin "$BRANCH"
+ if ! git push origin "$BRANCH"; then
+ echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
+ echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
+ exit 0
+ fi
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
diff --git a/.tekton/kartograph-openshell-gateway-push.yaml b/.tekton/kartograph-openshell-gateway-push.yaml
index 98d9d5219..54600a2ae 100644
--- a/.tekton/kartograph-openshell-gateway-push.yaml
+++ b/.tekton/kartograph-openshell-gateway-push.yaml
@@ -672,7 +672,12 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
+ if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
+ echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
+ echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
+ echo "Container image build succeeded; skipping deploy-tag automation."
+ exit 0
+ fi
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -694,7 +699,11 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- git push origin "$BRANCH"
+ if ! git push origin "$BRANCH"; then
+ echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
+ echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
+ exit 0
+ fi
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
From fd9b5bbac539dfe6547559c573430d729db58b86 Mon Sep 17 00:00:00 2001
From: aredenba-rh
Date: Tue, 23 Jun 2026 16:51:00 -0400
Subject: [PATCH 2/2] fix(ci): wire hp-fleet-gitops credentials for deploy-tag task
Use a dedicated kartograph-hp-fleet-gitops-auth secret for the finally task instead of PAC's kartograph-scoped git_auth_secret. Revert soft-fail workaround; fail clearly when the secret is missing. Keep agent-runtime configmap sed fix.
Co-authored-by: Cursor
---
 .tekton/kartograph-agent-runtime-push.yaml | 26 +++++++++----------
 .tekton/kartograph-api-push.yaml | 26 +++++++++----------
 .tekton/kartograph-dev-ui-push.yaml | 26 +++++++++----------
 ...h-hp-fleet-gitops-auth.secret.example.yaml | 23 ++++++++++++++++
 .../kartograph-openshell-gateway-push.yaml | 26 +++++++++----------
 5 files changed, 75 insertions(+), 52 deletions(-)
 create mode 100644 .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml
diff --git a/.tekton/kartograph-agent-runtime-push.yaml b/.tekton/kartograph-agent-runtime-push.yaml
index 169e0cf4e..30672014c 100644
--- a/.tekton/kartograph-agent-runtime-push.yaml
+++ b/.tekton/kartograph-agent-runtime-push.yaml
@@ -615,9 +615,9 @@ spec:
 value: $(params.git-url)
 workspaces:
 - name: basic-auth
- workspace: git-auth
+ workspace: hp-fleet-gitops-auth
 - name: netrc
- workspace: netrc
+ workspace: hp-fleet-gitops-auth
 taskSpec:
 params:
 - name: COMMIT_SHA
@@ -657,6 +657,12 @@ spec:
 export HOME=/tekton/home
 mkdir -p "$HOME"
+ if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
+ echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty."
+ echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant."
+ exit 1
+ fi
+
 if [ -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
 cp "${WORKSPACE_NETRC_PATH}/.netrc" "$HOME/.netrc"
 chmod 600 "$HOME/.netrc"
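Review bot: The new guard in the `-657` hunk tests only file presence (`-f`) while its message reports the secret as "missing or empty"; a Secret whose `.git-credentials` and `.netrc` keys exist with empty values passes it, and the task then presumably fails on the unauthenticated clone further down, without the pointer to the example manifest. Use `-s` in both tests so an empty credential file is caught here: `if [ ! -s "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -s "${WORKSPACE_NETRC_PATH}/.netrc" ]; then`. Note that the `-615` hunk now binds both `basic-auth` and `netrc` to the same workspace, so the guard relies on the one secret carrying both keys, which the example manifest does provide. The same guard is repeated for api, dev-ui and openshell-gateway in the later hunks; the step script continues outside the hunk on both sides.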
@@ -672,12 +678,7 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
- echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
- echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
- echo "Container image build succeeded; skipping deploy-tag automation."
- exit 0
- fi
+ git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -707,11 +708,7 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- if ! git push origin "$BRANCH"; then
- echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
- echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
- exit 0
- fi
+ git push origin "$BRANCH"
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
@@ -786,4 +783,7 @@ spec:
 - name: git-auth
 secret:
 secretName: "{{ git_auth_secret }}"
+ - name: hp-fleet-gitops-auth
+ secret:
+ secretName: kartograph-hp-fleet-gitops-auth
 status: {}
diff --git a/.tekton/kartograph-api-push.yaml b/.tekton/kartograph-api-push.yaml
index 13cd41f80..ee35542a7 100644
--- a/.tekton/kartograph-api-push.yaml
+++ b/.tekton/kartograph-api-push.yaml
@@ -615,9 +615,9 @@ spec:
 value: $(params.git-url)
 workspaces:
 - name: basic-auth
- workspace: git-auth
+ workspace: hp-fleet-gitops-auth
 - name: netrc
- workspace: netrc
+ workspace: hp-fleet-gitops-auth
 taskSpec:
 params:
 - name: COMMIT_SHA
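Review bot: The new `hp-fleet-gitops-auth` workspace in the `-786` hunk binds `kartograph-hp-fleet-gitops-auth` without `optional: true`, so when the secret does not exist in the namespace the finally task's pod cannot mount the volume and never starts; the guard added earlier in this file, with its pointer to the example manifest, is then never reached and the run fails on pod creation or times out instead. The workspace `secret:` stanza is a Kubernetes SecretVolumeSource, so `optional: true` should be accepted — confirm against the Tekton version in use; with it the workspace mounts empty and the guard emits the intended message. If the hard failure at scheduling is preferred, say so in the example manifest's header so operators recognise what a missing secret looks like. The same binding is added for api, dev-ui and openshell-gateway in the later hunks, and the enclosing `workspaces:` list starts outside the hunk.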
@@ -657,6 +657,12 @@ spec:
 export HOME=/tekton/home
 mkdir -p "$HOME"
+ if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
+ echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty."
+ echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant."
+ exit 1
+ fi
+
 if [ -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
 cp "${WORKSPACE_NETRC_PATH}/.netrc" "$HOME/.netrc"
 chmod 600 "$HOME/.netrc"
@@ -672,12 +678,7 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
- echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
- echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
- echo "Container image build succeeded; skipping deploy-tag automation."
- exit 0
- fi
+ git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -699,11 +700,7 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- if ! git push origin "$BRANCH"; then
- echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
- echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
- exit 0
- fi
+ git push origin "$BRANCH"
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
@@ -778,4 +775,7 @@ spec:
 - name: git-auth
 secret:
 secretName: "{{ git_auth_secret }}"
+ - name: hp-fleet-gitops-auth
+ secret:
+ secretName: kartograph-hp-fleet-gitops-auth
 status: {}
diff --git a/.tekton/kartograph-dev-ui-push.yaml b/.tekton/kartograph-dev-ui-push.yaml
index 91e68f606..d3b5d151d 100644
--- a/.tekton/kartograph-dev-ui-push.yaml
+++ b/.tekton/kartograph-dev-ui-push.yaml
@@ -615,9 +615,9 @@ spec:
 value: $(params.git-url)
 workspaces:
 - name: basic-auth
- workspace: git-auth
+ workspace: hp-fleet-gitops-auth
 - name: netrc
- workspace: netrc
+ workspace: hp-fleet-gitops-auth
 taskSpec:
 params:
 - name: COMMIT_SHA
@@ -657,6 +657,12 @@ spec:
 export HOME=/tekton/home
 mkdir -p "$HOME"
+ if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
+ echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty."
+ echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant."
+ exit 1
+ fi
+
 if [ -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
 cp "${WORKSPACE_NETRC_PATH}/.netrc" "$HOME/.netrc"
 chmod 600 "$HOME/.netrc"
@@ -672,12 +678,7 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
- echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
- echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
- echo "Container image build succeeded; skipping deploy-tag automation."
- exit 0
- fi
+ git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -699,11 +700,7 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- if ! git push origin "$BRANCH"; then
- echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
- echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
- exit 0
- fi
+ git push origin "$BRANCH"
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
@@ -778,4 +775,7 @@ spec:
 - name: git-auth
 secret:
 secretName: "{{ git_auth_secret }}"
+ - name: hp-fleet-gitops-auth
+ secret:
+ secretName: kartograph-hp-fleet-gitops-auth
 status: {}
diff --git a/.tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml b/.tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml
new file mode 100644
index 000000000..c568b46a1
--- /dev/null
+++ b/.tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml
@@ -0,0 +1,23 @@
+# Apply in Konflux tenant namespace (kartograph-tenant) after replacing placeholders.
+ #
+ # PAT needs repo + pull_request scope on openshift-online/hp-fleet-gitops.
+ # Do not commit real tokens.
+ #
+ # oc project kartograph-tenant
+ # oc create -f kartograph-hp-fleet-gitops-auth.secret.yaml
+ #
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kartograph-hp-fleet-gitops-auth
+ namespace: kartograph-tenant
+type: Opaque
+stringData:
+ .gitconfig: |
+ [credential]
+ helper = store
+ .git-credentials: https://x-access-token:REPLACE_WITH_GITHUB_PAT@github.com
+ .netrc: |
+ machine github.com
+ login x-access-token
+ password REPLACE_WITH_GITHUB_PAT
diff --git a/.tekton/kartograph-openshell-gateway-push.yaml b/.tekton/kartograph-openshell-gateway-push.yaml
index 54600a2ae..25fecbadf 100644
--- a/.tekton/kartograph-openshell-gateway-push.yaml
+++ b/.tekton/kartograph-openshell-gateway-push.yaml
@@ -615,9 +615,9 @@ spec:
 value: $(params.git-url)
 workspaces:
 - name: basic-auth
- workspace: git-auth
+ workspace: hp-fleet-gitops-auth
 - name: netrc
- workspace: netrc
+ workspace: hp-fleet-gitops-auth
 taskSpec:
 params:
 - name: COMMIT_SHA
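Review bot: The header comment of the new example manifest asks for a PAT with "repo + pull_request scope", but `pull_request` is not a classic GitHub token scope, and `repo` grants read/write on every repository the token owner can reach, far broader than the single branch push this task performs. Prefer a fine-grained token limited to openshift-online/hp-fleet-gitops with Contents read/write (Pull requests write only if a PR is opened later in the pipeline, which is outside this diff), or a GitHub App installation token, and state that in the comment, e.g. `# Token: fine-grained PAT or GitHub App token limited to openshift-online/hp-fleet-gitops, Contents: read/write.` The same token is duplicated under `.git-credentials` and `.netrc`, so a rotation has to update both keys; a one-line reminder next to the placeholders would help. A `Secret` manifest under `.tekton/` also sits in the directory Pipelines-as-Code scans for pipeline definitions — confirm it is ignored rather than applied or warned about on every run, or keep the example outside `.tekton/`.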
@@ -657,6 +657,12 @@ spec:
 export HOME=/tekton/home
 mkdir -p "$HOME"
+ if [ ! -f "${WORKSPACE_BASIC_AUTH_PATH}/.git-credentials" ] && [ ! -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
+ echo "ERROR: Secret kartograph-hp-fleet-gitops-auth is missing or empty."
+ echo "Apply .tekton/kartograph-hp-fleet-gitops-auth.secret.example.yaml in kartograph-tenant."
+ exit 1
+ fi
+
 if [ -f "${WORKSPACE_NETRC_PATH}/.netrc" ]; then
 cp "${WORKSPACE_NETRC_PATH}/.netrc" "$HOME/.netrc"
 chmod 600 "$HOME/.netrc"
@@ -672,12 +678,7 @@ spec:
 SHORT_SHA="${COMMIT_SHA:0:12}"
 BRANCH="konflux/deploy-tag-${DEPLOY_COMPONENT}-${SHORT_SHA}"
- if ! git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo; then
- echo "WARNING: Could not clone openshift-online/hp-fleet-gitops (private repo)."
- echo "Grant Konflux git/netrc credentials read access to hp-fleet-gitops, or update stage tags manually."
- echo "Container image build succeeded; skipping deploy-tag automation."
- exit 0
- fi
+ git clone --depth 1 --branch main "https://github.com/openshift-online/hp-fleet-gitops" /tmp/repo
 cd /tmp/repo
 FILE="apps/kartograph/overlays/stage/kustomization.yaml"
@@ -699,11 +700,7 @@ spec:
 git checkout -b "$BRANCH"
 git commit -m "chore(deploy): update ${DEPLOY_COMPONENT} stage image tag to ${SHORT_SHA}"
- if ! git push origin "$BRANCH"; then
- echo "WARNING: Could not push deploy-tag branch to hp-fleet-gitops."
- echo "Update apps/kartograph/overlays/stage/kustomization.yaml manually."
- exit 0
- fi
+ git push origin "$BRANCH"
 mkdir -p /tekton/run
 printf '%s\n' "$BRANCH" > /tekton/run/deploy-branch
@@ -778,4 +775,7 @@ spec:
 - name: git-auth
 secret:
 secretName: "{{ git_auth_secret }}"
+ - name: hp-fleet-gitops-auth
+ secret:
+ secretName: kartograph-hp-fleet-gitops-auth
 status: {}