ci: skeleton

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>

Author: viktor-kurchenko

.github/workflows/openshift-cert.yaml

@@ -0,0 +1,180 @@
+name: OpenShift Operator certification pipeline
+on:
+  push:
+  workflow_dispatch:
+    inputs:
+      aws_region:
+        description: 'AWS region'
+        default: 'eu-central-1'
+        type: choice
+        options:
+          - 'us-east-1'
+          - 'us-east-2'
+          - 'us-west-2'
+          - 'us-west-1'
+          - 'eu-west-1'
+          - 'eu-central-1'
+          - 'sa-east-1'
+          - 'ap-northeast-1'
+          - 'ap-southeast-1'
+          - 'ap-southeast-2'
+          - 'ap-northeast-2'
+      ocp_version:
+        description: 'Openshift version'
+        default: 'ocp-4-17'
+        type: choice
+        options:
+          - 'ocp-4-14'
+          - 'ocp-4-15'
+          - 'ocp-4-16'
+          - 'ocp-4-17'
+      cilium_version:
+        description: 'Cilium Version to use (ex: 1.16.4)'
+        default: "1.16.4"
+        required: true
+      is_released:
+        description: 'Is this version released ? No: `-ci` will be added to cilium_version'
+        required: false
+        type: boolean
+        default: false
+      run_tests:
+        description: 'Run tests on the deployed cluster'
+        required: false
+        type: boolean
+        default: false
+      do_not_destroy:
+        description: 'Do not destroy the cluster'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
+  statuses: write
+
+env:
+  TERRAFORM_VERSION: 1.10.3
+  TEKTON_VERSION: 0.39.0
+  OC_VERSION: 4.17.0
+  OCP_VERSION: ocp-4-17
+  PULL_SECRET_FILE: pull_secret.json
+  REGION: eu-west-3
+  AVAILABILITY_ZONES: '["eu-west-3a", "eu-west-3b", "eu-west-3c"]'
+  CLUSTER_NAME: ocp-cert
+  OWNER: ci
+  BASE_DOMAIN: ci.covalent.lol
+  WORKER_INSTANCE_TYPE: m5.xlarge
+  WORKER_COUNT: 2
+  CILIUM_ENABLED: true
+  CILIUM_OLM_REPO_BRANCH: main-ce
+  CILIUM_VERSION: v1.16.3
+  OPENSHIFT_VERSION: 4.14.2
+  INSTALL_TETRAGON: false
+  CREATE_SUBSCRIPTION: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120
+    steps:
+      - name: Checkout workflow context branch
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # 3.1.2
+        with:
+          terraform_version: "${{ env.TERRAFORM_VERSION }}"
+          terraform_wrapper: false
+
+      - name: Install Tekton CLI
+        run: |
+          curl -LO https://github.com/tektoncd/cli/releases/download/v${{ env.TEKTON_VERSION }}/tkn_${{ env.TEKTON_VERSION }}_Linux_x86_64.tar.gz
+          sudo tar xvzf tkn_${{ env.TEKTON_VERSION }}_Linux_x86_64.tar.gz -C /usr/local/bin/ tkn
+
+      - name: Checkout OpenShift CuTE repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: isovalent/cute-openshift-aws
+          token: ${{ secrets.READ_PRIVATE_REPOSITORIES }} # TODO: replace with ISOVALENT_BOT_READ_PRIVATE_REPOSITORIES
+          path: ocp
+
+      - name: Configure Git
+        run: |
+          # TODO: replace with ISOVALENT_BOT_READ_PRIVATE_REPOSITORIES
+          git config --global url."https://oauth2:${{ secrets.READ_PRIVATE_REPOSITORIES }}@github.com".insteadOf ssh://git@github.com
+          git config --global url."https://oauth2::${{ secrets.READ_PRIVATE_REPOSITORIES }}@github.com".insteadOf git@github.com
+
+          git config --global --list
+
+      - name: Install OpenShift CLI tools
+        uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1
+        with:
+          source: "mirror"
+          oc: "${{ env.OC_VERSION }}"
+
+      - name: Set up AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::478566851380:role/CuTE_CIAccessRole
+          aws-region: ${{ env.REGION }}
+          role-duration-seconds: 43200 # 12 hours
+
+      - name: Configure terraform variables
+        working-directory: ./ocp/${{ env.OCP_VERSION }}
+        run: |
+          # TODO: replace RH_PULL_SECRET secret
+          echo '${{ secrets.RH_PULL_SECRET }}' | python -m json.tool > ${{ env.PULL_SECRET_FILE }}
+
+          # Use less loaded region
+          cat > terraform.tfvars<<EOF
+          region                 = "${{ env.REGION }}"
+          availability_zones     = ${{ env.AVAILABILITY_ZONES }}
+          cluster_name           = "${{ env.CLUSTER_NAME }}"
+          owner                  = "${{ env.OWNER }}"
+          base_domain            = "${{ env.BASE_DOMAIN }}"
+          pull_secret_path       = "${{ env.PULL_SECRET_FILE }}"
+          worker_instance_type   = "${{ env.WORKER_INSTANCE_TYPE }}"
+          workers_count          = ${{ env.WORKER_COUNT }}
+          cilium_enabled         = ${{ env.CILIUM_ENABLED }}
+          cilium_olm_repo_branch = "${{ env.CILIUM_OLM_REPO_BRANCH }}"
+          cilium_version         = "${{ env.CILIUM_VERSION }}"
+          openshift_version      = "${{ env.OPENSHIFT_VERSION }}"
+          install_tetragon       = ${{ env.INSTALL_TETRAGON }}
+          create_subscription    = ${{ env.CREATE_SUBSCRIPTION }}
+          EOF
+
+          cat terraform.tfvars
+
+      - name: Provision OpenShift cluster
+        working-directory: ./ocp/${{ env.OCP_VERSION }}
+        timeout-minutes: 60
+        run: |
+          make apply AUTO_APPROVE=true
+          export KUBECONFIG=$(terraform output -json | jq .path_to_kubeconfig_file.value -r)
+
+      - name: Test OC CLI
+        working-directory: ./ocp/${{ env.OCP_VERSION }}
+        run: |
+          oc get nodes
+          cat $KUBECONFIG
+          admpass=$(echo ${KUBECONFIG/kubeconfig/kubeadmin-password})
+          echo "kubeadmin-password: $admpass"
+          echo "sleeping..."
+          sleep 180
+
+      - name: Clean
+        if: always()
+        working-directory: ./ocp/${{ env.OCP_VERSION }}
+        timeout-minutes: 60
+        run: |
+          make destroy AUTO_APPROVE=true
+
+      - name: Remove sensitive data
+        if: always()
+        working-directory: ./ocp/${{ env.OCP_VERSION }}
+        run: |
+          rm -f ${{ env.PULL_SECRET_FILE }}