feat(kfluxdp-107): add sealights integration to the operator pipelines

Signed-off-by: flacatus <[email protected]>

.dockerignore

@@ -2,3 +2,4 @@
 # Ignore build and test binaries.
 bin/
 testbin/
+vendor/

.tekton/integration-service-pull-request.yaml

@@ -160,18 +160,47 @@ spec:
       workspaces:
       - name: basic-auth
         workspace: git-auth
+    - name: sealights-go-instrumentation
+      runAfter:
+        - clone-repository
+      taskRef:
+        params:
+        - name: name
+          value: sealights-go-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126
+        - name: kind
+          value: task
+        resolver: bundles
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+        - name: component
+          value: '{{ repo_name }}'
+        - name: branch
+          value: '{{ source_branch }}'
+        - name: revision
+          value: '{{ revision }}'
+        - name: repository-url
+          value: '{{ repo_url }}'
+        - name: pull-request-number
+          value: '{{ pull_request_number }}'
+        - name: target-branch
+          value: '{{ target_branch }}'
+        - name: oci-storage
+          value: $(params.output-image).sealights.git
     - name: prefetch-dependencies
       params:
       - name: input
         value: $(params.prefetch-input)
       - name: SOURCE_ARTIFACT
-        value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+        value: $(tasks.sealights-go-instrumentation.results.SOURCE_ARTIFACT)
       - name: ociStorage
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
       runAfter:
-      - clone-repository
+      - sealights-go-instrumentation
       taskRef:
         params:
         - name: name

.tekton/integration-service-push.yaml

@@ -157,6 +157,29 @@ spec:
       workspaces:
       - name: basic-auth
         workspace: git-auth
+    - name: sealights-go-instrumentation
+      runAfter:
+        - clone-repository
+      taskRef:
+        params:
+        - name: name
+          value: sealights-go-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-sealights-go-oci-ta:0.1@sha256:7b28b5db807d11391d1c222928a8f10e91760e9ba2ea184ce7414673db8b6374
+        - name: kind
+          value: task
+        resolver: bundles
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+        - name: component
+          value: '{{ repo_name }}'
+        - name: branch
+          value: '{{ source_branch }}'
+        - name: revision
+          value: '{{ revision }}'
+        - name: oci-storage
+          value: $(params.output-image).sealights.git
     - name: prefetch-dependencies
       params:
       - name: input
@@ -224,6 +247,48 @@ spec:
         operator: in
         values:
         - "true"
+    - name: build-sealights-container
+      params:
+      - name: IMAGE
+        value: $(params.output-image).sealights
+      - name: DOCKERFILE
+        value: $(params.dockerfile)
+      - name: CONTEXT
+        value: $(params.path-context)
+      - name: HERMETIC
+        value: $(params.hermetic)
+      - name: PREFETCH_INPUT
+        value: $(params.prefetch-input)
+      - name: IMAGE_EXPIRES_AFTER
+        value: $(params.image-expires-after)
+      - name: COMMIT_SHA
+        value: $(tasks.clone-repository.results.commit)
+      - name: BUILD_ARGS
+        value:
+        - $(params.build-args[*])
+      - name: BUILD_ARGS_FILE
+        value: $(params.build-args-file)
+      - name: SOURCE_ARTIFACT
+        value: $(tasks.sealights-go-instrumentation.results.SOURCE_ARTIFACT)
+      - name: CACHI2_ARTIFACT
+        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      runAfter:
+      - sealights-go-instrumentation
+      - prefetch-dependencies
+      taskRef:
+        params:
+        - name: name
+          value: buildah-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:937f465189482f3279b9491161fff7720d4c443f27e6d9febbf2344268383011
+        - name: kind
+          value: task
+        resolver: bundles
+      when:
+      - input: $(tasks.init.results.build)
+        operator: in
+        values:
+        - "true"
     - name: build-image-index
       params:
       - name: IMAGE

Dockerfile

@@ -1,29 +1,19 @@
 # Build the manager binary
 FROM registry.access.redhat.com/ubi9/go-toolset:9.5-1737480393 as builder
 
+USER 1001
+
 WORKDIR /opt/app-root/src
 
 # Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
+COPY --chown=1001:0 go.mod go.mod
+COPY --chown=1001:0 go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
 # Copy the go source
-COPY cmd/main.go cmd/main.go
-COPY api/ api/
-COPY internal/controller/ internal/controller/
-COPY tekton/ tekton/
-COPY helpers/ helpers/
-COPY gitops/ gitops/
-COPY pkg/ pkg/
-COPY release/ release/
-COPY status/ status/
-COPY git/ git/
-COPY loader/ loader/
-COPY cache/ cache/
-COPY cmd/ cmd/
+COPY --chown=1001:0 . .
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager cmd/main.go \

integration-tests/pipelines/konflux-e2e-tests.yaml

@@ -17,6 +17,11 @@ spec:
     - name: test-name
       description: 'The name of the test corresponding to a defined Konflux integration test.'
       default: ''
+    - name: test-stage
+      default: 'integration-service-e2e'
+      description: >-
+        "The name or identifier of the testing phase (e.g., "integration", "e2e") during which the results
+          are being captured. This helps distinguish the test results within Sealights for better reporting and traceability"
     - name: ocp-version
       description: 'The OpenShift version to use for the ephemeral cluster deployment.'
       type: string
@@ -42,7 +47,23 @@ spec:
       default: 'none'
       description: 'Container image built from any konflux git repo. Use this param only when you run Konflux e2e tests
         in another Konflux component repo. Will pass the component built image from the snapshot.'
+    - name: enable-sealights
+      description: "A flag to enable or disable the Sealights integration feature. When set to 'true', test results are sent to Sealights for analysis; otherwise, this feature is skipped."
+      default: "true"
   tasks:
+    - name: sealights-refs
+      taskRef:
+        resolver: git
+        params:
+          - name: url
+            value: https://github.com/konflux-ci/tekton-integration-catalog.git
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: tasks/sealights/sealights-get-refs/0.1/sealights-get-refs.yaml
+      params:
+        - name: SNAPSHOT
+          value: $(params.SNAPSHOT)
     - name: rosa-hcp-metadata
       taskRef:
         resolver: git
@@ -72,6 +93,7 @@ spec:
       runAfter:
         - rosa-hcp-metadata
         - test-metadata
+        - sealights-refs
       taskRef:
         resolver: git
         params:
@@ -126,6 +148,12 @@ spec:
           value: $(tasks.provision-rosa.results.ocp-login-command)
         - name: component-image
           value: $(tasks.test-metadata.results.container-image)
+        - name: sealights-bsid
+          value: $(tasks.sealights-refs.results.sealights-bsid)
+        - name: test-stage
+          value: $(params.test-stage)
+        - name: enable-sealights
+          value: $(params.enable-sealights)
   finally:
     - name: deprovision-rosa-collect-artifacts
       taskRef: