check prerelease suffix changes before running tests.

.github/workflows/tests.yml

@@ -0,0 +1,91 @@
+name: tests
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+    - main
+
+jobs:
+
+  check_skip_tests_job:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.pull_request.title, '[skip tests]')"
+    outputs:
+      COMMITMSG_SKIPTESTS: ${{ steps.check_skiptests_msg.outputs.SKIPTESTS }}
+      PRERELEASESUFFIX_SKIPTESTS: ${{ steps.check_prereleasesuffixremoval.outputs.SKIPTESTS }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
+        fetch-depth: 2    # this is needed for getting the diff of the last commit
+
+    - name: Check for [skip tests] in Message
+      id: check_skiptests_msg
+      run: |
+        message=$(git log -1 --format=oneline --pretty=format:"%s")
+        echo "GIT COMMIT MESSAGE: $message"
+        if echo $message | grep "\[skip tests\]" >/dev/null
+        then
+          echo "SKIPPING TESTS"
+          echo "SKIPTESTS=1" >> $GITHUB_OUTPUT
+        #else
+        #  echo "EXECUTING TESTS"
+        #  echo "SKIPTESTS=" >> $GITHUB_OUTPUT
+        fi
+
+    - name: check if last commit contains only prerelease suffix removals 
+      id: check_prereleasesuffixremoval
+      shell: bash
+      run: |
+        echo "---- CHANGED FILES ----"
+        git diff --name-only HEAD~1
+        export CHANGED_FILES=$(git diff --name-only HEAD~1)
+        if [ "$CHANGED_FILES" == "values.yaml" ]
+        then
+          echo "only values.yaml was changed, checking changes"
+          echo "---- DIFF FROM LAST COMMIT ----"
+          git diff -w -U0 --color=always HEAD~1
+          echo "---- --------------------- ----"
+
+          git diff -w -U0 --color=never HEAD~1 > gitdiff.txt
+          export OLD_LINES=$(cat gitdiff.txt | grep -i "^- " | wc -l)
+          export NEW_LINES=$(cat gitdiff.txt | grep -i "^+ " | wc -l)
+          export NEW_LINES_WITH_EMPTY_PRS=$(cat gitdiff.txt | grep -i "^+ .*prereleasesuffix:\s*$" | wc -l)
+
+          echo "OLD LINES ($OLD_LINES)"
+          cat gitdiff.txt | grep -i "^- "
+          echo "---- -------------------- ----"
+          echo "NEW LINES ($NEW_LINES)"
+          cat gitdiff.txt | grep -i "^+ "
+          echo "---- -------------------- ----"
+          echo "NEW LINES WITH EMPTY PRERELEASESUFFIX ($NEW_LINES_WITH_EMPTY_PRS)"
+          cat gitdiff.txt | grep -i "^+ .*prereleasesuffix:\s*$" 
+          echo "---- -------------------- ----"
+          if [ "$OLD_LINES" != "$NEW_LINES" ]
+          then
+            echo "Number of old lines and new lines differs"
+          else
+            if [ "$NEW_LINES" != "$NEW_LINES_WITH_EMPTY_PRS" ]
+            then
+              echo "not all new lines are empty prereleasesuffixes"
+            else
+              echo "detected only prerelease suffix removals in changed files"
+              echo "SKIPPING TESTS"
+              echo "SKIPTESTS=1" >> $GITHUB_OUTPUT
+            fi
+          fi
+        fi 
+
+
+  run_tests_job:
+    runs-on: ubuntu-latest
+    needs: check_skip_tests_job    
+    if: "!needs.check_skip_tests_job.outputs.COMMITMSG_SKIPTESTS && !needs.check_skip_tests_job.outputs.PRERELEASESUFFIX_SKIPTESTS"
+
+    steps:
+    - name: Run the Tests
+      run: |
+        echo "The tests were all successfully executed"

values-withoutprs.yaml

@@ -0,0 +1,263 @@
+# Recursive
+# https://github.com/helm/helm/issues/2247
+# https://github.com/Noksa/helm-resolve-deps
+  # Default values for cert-manager-init.
+  # This is a YAML-formatted file.
+  # Declare variables to be passed into your templates.
+global:
+  certificate:
+    # -- Name of the certificate and webhook |
+    appName: "compcrdwebhook"
+
+oda-crds:
+  enabled: true
+
+canvas-namespaces:
+  enabled: true
+  certManagerNamespace: cert-manager
+  componentNamespace: components
+  istio:
+    # --  Add Istion instrumentation label to the components namespace
+    labelEnabledComponent: true
+
+cert-manager-init:
+  nameOverride: ""
+  fullnameOverride: ""
+  namespace: canvas
+  # The certificate has a default duration of 90d. It rotates automatically, but the the server using it doesn't handle that rotation
+  # https://github.com/tmforum-oda/oda-canvas-charts/issues/38
+  #
+  # -- Duration of the certificates generate for the webhook in hours |
+  certificateDuration: 21600h
+  #Cert manager get a lease  object on kube-system namespace to elect leader.
+  #The time to wait for a leader is 60s.
+  #The lease can survive among installations, so cainjectot can waits up to 60s to become leader
+  #If cainjector is not fully initialized we can find the following error
+  #  cert-manager-init/templates/issuer.yaml failed: Internal error occurred:
+  #  failed calling webhook "webhook.cert-manager.io": failed to call webhook:
+  #  Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
+  # In seconds
+  # -- Time to wait CertManager to be ready to prevent issuer creation errors
+  leaseWaitTimeonStartup: 80
+
+  cert-manager:
+    enabled: true
+    installCRDs: true
+    namespace: cert-manager
+
+keycloak:
+  enabled: true
+  image:
+    tag: 20.0.5-debian-11-r2
+  auth:
+    adminUser: "admin"
+    adminPassword: "adpass"
+  postgresql:
+    enabled: true
+    image:
+      tag: 15.2.0-debian-11-r31
+    auth:
+      username: "keycloak"
+      password: "keycloakdbuser"
+      database: "keycloak"
+  # -- Since keycloak 17+, default to / but the controllers work with older versions
+  httpRelativePath: "/auth/"
+  #proxy: edge
+  #tls:
+  #  enabled: true
+  #  autoGenerated: true
+  #extraEnvVars:
+  #  - name: PROXY_ADDRESS_FORWARDING
+  #    value: "true"
+  ##
+  # -- Keycloak LoadBalancer and Headless ClusterIp service port
+  service:
+    ports: &portKeycloak
+      http: 8083
+  # -- Keycloak HTTP container port
+  containerPorts: *portKeycloak
+
+  # -- Create a myrealm realm with a seccon user
+  keycloakConfigCli:
+    enabled: true
+    image:
+      tag: 5.5.0-debian-11-r35
+    backoffLimit: 1
+    command: [ "java", "-jar", "/opt/keycloak-config-cli.jar" ]
+    configuration:
+      myrealm.json: |
+        {
+          "enabled": true,
+          "realm": "myrealm",
+          "users": [
+            {
+            "username": "seccon",
+            "email": "[email protected]",
+            "enabled": true,
+            "firstName": "Security",
+            "lastName": "User"
+            }
+           ]
+        }
+
+  ingress:
+    enabled: false
+    ingressClassName: "traefik"
+    hosts:
+      - name: keycloak.local
+        path: /
+        tls: false
+
+controller:
+  deployment:
+    controllerName: oda-controller
+    compconImage: tmforumodacanvas/component-istio-controller
+    compconVersion: 0.5.3
+    compconPrereleaseSuffix:  
+    imagePullPolicy: IfNotPresent
+    istioGateway: true
+    secconImage: tmforumodacanvas/security-listener
+    secconVersion: 0.7.1
+    secconPrereleaseSuffix:
+    monitoredNamespaces: 'components'           # comma separated list of namespaces
+    ingressClass:
+      enabled: false
+      name: nginx
+    keycloak: *portKeycloak
+    dataDog:
+      enabled: true
+  #We reuse the admin user created on keycloak installation
+  credentials:
+    user: admin
+    pass: adpass
+  configmap:
+    kcrealm: myrealm
+    # -- Log level [python] (https://docs.python.org/3/library/logging.html
+    loglevel: '20'
+
+dependentapi-simple-operator:
+  enabled: true
+  image: tmforumodacanvas/dependentapi-simple-operator
+  version: 0.2.3
+  prereleaseSuffix:
+  imagePullPolicy: IfNotPresent
+  loglevel: '20'
+
+canvas-vault:
+  enabled: true
+  # changing the auth_path requires changing the encrypted token in secretsmanagement-operator
+  auth_path: "jwt-k8s-sman"
+  # if issuer is empty, it will be autodetected
+  issuer:
+  # if cacert is empty it will be autodetected
+  cacert:
+  vault:
+    #fullnameOverride: "canvas-vault-hc"
+    nameOverride: "vault-hc"
+    global:
+      namespace: "canvas-vault"
+    server:
+      image:
+        # last version with MPL license
+        tag: "1.14.8"
+
+      # Run Vault in "dev" mode. This requires no further setup, no state management,
+      # and no initialization. This is useful for experimenting with Vault without
+      # needing to unseal, store keys, et. al. All data is lost on restart - do not
+      # use dev mode for anything other than experimenting.
+      # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
+      dev:
+        enabled: true
+
+        # Set VAULT_DEV_ROOT_TOKEN_ID value
+        devRootToken: "egalegal"
+
+      # Settings for the statefulSet used to run Vault.
+      statefulSet:
+        # Set the pod and container security contexts.
+        # If not set, these will default to, and for *not* OpenShift:
+        # pod:
+        #   runAsNonRoot: true
+        #   runAsGroup: {{ .Values.server.gid | default 1000 }}
+        #   runAsUser: {{ .Values.server.uid | default 100 }}
+        #   fsGroup: {{ .Values.server.gid | default 1000 }}
+        # container:
+        #   allowPrivilegeEscalation: false
+        #
+        # If not set, these will default to, and for OpenShift:
+        # pod: {}
+        # container: {}
+        securityContext:
+          pod:
+            fsGroup: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            runAsUser: 100
+            supplementalGroups:
+            - 1000
+          container: 
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+      # Enables debug logging.
+      debug: true
+
+    injector:
+      # True if you want to enable vault agent injection.
+      # @default: global.enabled
+      enabled: false
+
+      agentImage:
+        # last version with MPL license
+        tag: "1.14.8"
+
+    csi:
+      agent:
+        image:
+          # last version with MPL license
+          tag: "1.14.8"
+
+secretsmanagement-operator:
+  image: tmforumodacanvas/secretsmanagement-operator
+  version: 0.1.0
+  prereleaseSuffix:
+  imagePullPolicy: IfNotPresent
+
+  sidecarImage: tmforumodacanvas/secretsmanagement-sidecar
+  sidecarVersion: 0.1.0
+  sidecarPrereleaseSuffix:
+  sidecarImagePullPolicy: IfNotPresent
+
+  # TODO: add TLS to canvas-vault-hc
+  vault_addr: "http://canvas-vault-hc.canvas-vault.svc.cluster.local:8200"
+  # the tempaltes can be used to generate cluster specific authenticator and key-value stores, here 'sman'.
+  auth_path: "jwt-k8s-sman"
+  secrets_mount_tpl: "kv-sman-{0}"
+  policy_name_tpl: "sman-{0}-policy"
+  login_role_tpl: "sman-{0}-role"
+  secrets_base_path_tpl: "sidecar"
+
+  # use autodetection to retreive the value for audience 
+  autodetectAudience: true
+  # as an alternative it can be retrieved manually and set directly: 
+  #   kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
+  #audience: "https://kubernetes.default.svc.cluster.local"
+  #audience: "https://container.googleapis.com/v1/projects/tmforum-oda-component-cluster/locations/europe-west3/clusters/ihc-dt"
+
+  # INFO=20, DEBUG=10
+  logLevel: 20
+
+  # plaintext token for HashiCorp Vault. 
+  # In the log files a warning will be shown with the encrypted value, which should be used instead of this 
+  hvacToken: egalegal
+  # encrpyted token (can be found in logfile)
+  # #hvacTokenEnc:
+
+oda-webhook:
+  image: tmforumodacanvas/compcrdwebhook
+  version: 0.8.2
+  prereleaseSuffix:
+  imagePullPolicy: IfNotPresent