feat: Add CI builds for ocp-secrets-management-console images and bundle

[anandkuma77]

Enable automatic image builds in OpenShift CI for the secrets management console plugin project, including plugin image, operator image, and OLM bundle with image substitution.

Changes

Updated: ci-operator/config/openshift/ocp-secrets-management-console/
openshift-ocp-secrets-management-console-main.yaml

Added Image Builds

1. Plugin Image (ocp-secrets-management)

   • Dockerfile: Dockerfile (root)
   • Type: Frontend React application
   • Build: Uses node22 build root

2. Operator Image (ocp-secrets-management-operator)

   • Dockerfile: operator/images/ci/Dockerfile
   • Type: Go operator binary
   • Base: base-rhel9

Added Bundle Build with Image Substitution

operator.bundles:

• as: ocp-secrets-management-operator-bundle dockerfile_path: operator/bundle.Dockerfile skip_building_index: true

operator.substitutions:

Replaces operator image reference in CSV

• pullspec: openshift.io/ocp-secrets-management-operator:.* with: pipeline:ocp-secrets-management-operator

Replaces plugin image reference in CSV

• pullspec: openshift.io/ocp-secrets-management:.* with: pipeline:ocp-secrets-management

Why substitution matters:

• Bundle CSV contains image references (operator + plugin)
• CI builds fresh images for every PR
• Substitution replaces static refs with CI-built images
• Ensures bundle uses the exact images built in this CI run
• Critical for E2E testing and production deployment

Added Tests

1. Unit Tests

   • Plugin: yarn test
   • Operator: make test

2. Verify Tests

   • yarn lint

3. FIPS Image Scans (security compliance)

   • Scans plugin image
   • Scans operator image

4. E2E Tests (deploy via OLM on real cluster)

   • Claims temporary AWS cluster (4.21)
   • Installs operator via operator-sdk run bundle
   • Creates SecretsManagementConfig CR
   • Verifies plugin deployment
   • Verifies ConsolePlugin resource

Added Configuration

• base_images: Added base-rhel9, operator-sdk
• binary_build_commands: cd operator && make build
• releases: Added latest 4.21 candidate
• resources: 4Gi memory limit (for webpack build)

Build Flow in CI

PR Opened
  ↓
CI reads config
  ↓
Build images (parallel):
  ├─> Plugin image (Dockerfile)
  └─> Operator image (operator/images/ci/Dockerfile)
  ↓
Build bundle:
  ├─> Reads operator/bundle.Dockerfile
  ├─> Substitutes image references in CSV:
  │   - openshift.io/ocp-secrets-management:.*
  │     → pipeline:ocp-secrets-management
  │   - openshift.io/ocp-secrets-management-operator:.*
  │     → pipeline:ocp-secrets-management-operator
  └─> Creates bundle image (FROM scratch)
  ↓
Run tests (parallel):
  ├─> Unit (plugin)
  ├─> Unit (operator)
  ├─> Verify (lint)
  ├─> FIPS scan (plugin)
  ├─> FIPS scan (operator)
  └─> E2E (deploy via OLM, verify)
  ↓
All tests pass ✓
  → PR can merge

Pattern Consistency

This configuration follows the same pattern as:

• cert-manager-operator
• external-secrets-operator
• other OpenShift console plugins

Key patterns:

• Multi-stage Dockerfiles (builder → runtime)
• Image substitution in bundles
• FIPS compliance scanning
• E2E testing via OLM deployment
• operator-sdk for bundle deployment

Testing

E2E test workflow:

1. Claims temporary cluster
2. Deploys operator via: operator-sdk run bundle
3. Bundle contains substituted images (CI-built)
4. Creates SecretsManagementConfig CR
5. Verifies plugin deploys with correct image
6. Verifies ConsolePlugin resource created
7. Releases cluster

Impact

After merge:

• Every PR will build all images
• Every PR will run E2E tests on real cluster
• Every PR will be FIPS-scanned
• Post-merge builds can push to production registry
• Enables production deployment via OperatorHub

Related

Plugin project PR: feat(ci): Add operator CI Dockerfile

• Creates: operator/images/ci/Dockerfile
• Required by this CI configuration

Summary by CodeRabbit

This PR updates the OpenShift CI configuration for ocp-secrets-management-console in ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml to target OpenShift 4.21, build and publish the console plugin/operator images, generate the OLM bundle with CI-specific image references, and run additional verification including linting, FIPS scans, and an operator-driven E2E deployment.

Key changes

• Release targeting update

  • Moves CI targeting from OpenShift 4.19 to 4.21 by updating releases.latest.candidate.version and related base_images tags (including the golang and operator-sdk builders).

• Build configuration

  • Adds/updates operator and plugin image builds using updated base-rhel9.
  • Uses binary_build_commands: cd operator && make build for the operator binary build.
  • Sets 4Gi memory limits for the CI job resources.

• OLM bundle + image substitutions

  • Builds the operator bundle from operator/bundle.Dockerfile.
  • Applies image substitutions so the bundle uses the CI pipeline-built images instead of static registry pullspecs:
    • openshift.io/ocp-secrets-management-operator:.* → pipeline:ocp-secrets-management-operator
    • openshift.io/ocp-secrets-management:.* → pipeline:ocp-secrets-management

• Test pipeline enhancements

  • Keeps existing tests:
    • Plugin unit tests: yarn install && ... yarn test
    • Operator unit tests: cd operator && make test
  • Adds lint verification for the plugin:
    • yarn install && ... yarn lint
  • Adds FIPS image scans for both:
    • ocp-secrets-management (plugin)
    • ocp-secrets-management-operator (operator)

• New E2E operator flow on AWS (OpenShift 4.21)

  • Claims an AWS cluster (generic-claim) for version 4.21.
  • Installs the operator via operator-sdk run bundle.
  • Applies SecretsManagementConfig sample (operator/config/samples/...secretsmanagementconfig.yaml).
  • Waits for:
    • secrets-management-operator deployment to be Available
    • ocp-secrets-management-plugin deployment to be Available
  • Verifies runtime behavior by:
    • checking plugin pods are running
    • asserting the ConsolePlugin resource exists (oc get consoleplugin ocp-secrets-management).

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/ocp-secrets-management-console/OWNERS is excluded by !ci-operator/jobs/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5f71bd83-eda3-459d-9f1c-a0f28a3a741c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The CI configuration for ocp-secrets-management-console is updated to target OpenShift 4.21 (from 4.19) across base image tags and release candidate version. The test pipeline is reworked: unit tests are removed, a verify lint step and FIPS image scans are added, and a new e2e-operator test with cluster claim and multi-step install/validate workflow is introduced. Team approvers and reviewers are expanded.

Changes

OCP 4.21 CI Configuration and Test Pipeline Update

Layer / File(s)	Summary
OCP 4.21 base images and release targeting ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml	Base image tags for base-rhel9, operator-sdk, and golang builder updated from 4.19 to 4.21; releases.latest.candidate.version set to "4.21"; operator image build wiring and bundle substitution mappings for pipeline:ocp-secrets-management-operator and pipeline:ocp-secrets-management streams configured.
Test pipeline rework with verification and e2e-operator ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml	Previous unit and operator-unit test steps replaced with verify step (runs yarn lint in src container); FIPS image scans added for console plugin and operator images; e2e-operator workflow introduced with cluster_claim pinned to 4.21 (arch, product, 3h timeout), multi-step flow covering operator bundle install via operator-sdk run bundle, SecretsManagementConfig sample application, plugin deployment/pod wait, and ConsolePlugin resource validation.
Team maintenance and approvals ci-operator/config/openshift/ocp-secrets-management-console/OWNERS	Expanded approvers and reviewers lists to include bharath-b-rh and mytreya-rh.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, rehearsals-ack

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding CI builds for ocp-secrets-management-console images and bundle. It directly aligns with the PR's primary objective of configuring OpenShift CI to automatically build images and bundles.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only CI configuration YAML and OWNERS metadata files. No Ginkgo test code is present. The custom check for Ginkgo test name stability is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code; only YAML CI configuration and OWNERS file modifications. Check not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes are CI configuration files only; no Go test files with Ginkgo patterns (It, Describe, Context, When) are present.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only CI configuration (YAML) and OWNERS files, not Ginkgo e2e test source code. No Ginkgo test definitions (It, Describe, Context) are added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI/CD configuration files (ci-operator config and OWNERS), not deployment manifests, operator code, or controllers. No scheduling constraints, affinity rules, topology spread const...
Ote Binary Stdout Contract	✅ Passed	PR contains only CI configuration files (YAML, OWNERS, markdown) for ocp-secrets-management-console. No Go test code that could violate OTE Binary Stdout Contract is introduced or modified.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests (It(), Describe(), Context(), etc.) are added in this PR. The PR only modifies CI configuration YAML files that define test orchestration steps using cluster-internal oc command...
No-Weak-Crypto	✅ Passed	PR contains only CI configuration (YAML) and OWNERS files with no cryptographic implementations, weak algorithms (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom crypto, or non-constant-time comparisons.
Container-Privileges	✅ Passed	CI configuration files contain no privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root-without-justification settings; E2E test explicitly enforces restricted securit...
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, session IDs, hostnames, customer data) found in logs. While --verbose flag is used in operator-sdk command, it only exposes debug info in epheme...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml`:
- Around line 94-106: The `oc wait` command in the install step lacks a timeout
flag, which can cause the step to hang indefinitely if the deployment never
reaches the Available state. Add a `--timeout` flag to the `oc wait` command
that waits for the secrets-management-operator deployment to become available,
specifying an appropriate timeout duration (similar to the 10m timeout used in
the operator-sdk run bundle command) to ensure the step fails fast with a clear
error if the deployment does not become available within the specified
timeframe.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 900ca80b-cbb4-4277-bcdb-3cea6c42bb90

📥 Commits

Reviewing files that changed from the base of the PR and between 791c4d9 and a0f508e.

📒 Files selected for processing (1)

• ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anandkuma77, sarthakpurohit

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/ocp-secrets-management-console/OWNERS [anandkuma77,sarthakpurohit]
• ci-operator/jobs/openshift/ocp-secrets-management-console/OWNERS [anandkuma77,sarthakpurohit]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@anandkuma77: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-ocp-secrets-management-console-main-ci-bundle-ocp-secrets-management-operator-bundle	openshift/ocp-secrets-management-console	presubmit	Presubmit changed
pull-ci-openshift-ocp-secrets-management-console-main-e2e-operator	openshift/ocp-secrets-management-console	presubmit	Presubmit changed
pull-ci-openshift-ocp-secrets-management-console-main-fips-image-scan-operator	openshift/ocp-secrets-management-console	presubmit	Presubmit changed
pull-ci-openshift-ocp-secrets-management-console-main-fips-image-scan-plugin	openshift/ocp-secrets-management-console	presubmit	Presubmit changed
pull-ci-openshift-ocp-secrets-management-console-main-verify	openshift/ocp-secrets-management-console	presubmit	Presubmit changed
pull-ci-openshift-ocp-secrets-management-console-main-images	openshift/ocp-secrets-management-console	presubmit	Ci-operator config changed
pull-ci-openshift-ocp-secrets-management-console-main-operator-unit	openshift/ocp-secrets-management-console	presubmit	Ci-operator config changed
pull-ci-openshift-ocp-secrets-management-console-main-unit	openshift/ocp-secrets-management-console	presubmit	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@anandkuma77: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.