Merge branch 'main' into bumpnats2107

.github/scripts/check-prow-build-job.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+
+# This script checks the state of the prow job "release-build-nats-manager"
+
+# Error handling.
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+echo "Checking status of POST Jobs for NATS-Manager"
+
+REF_NAME="${1:-"main"}"
+TIMEOUT_TIME="${2:-600}"
+INTERVAL_TIME="${3:-3}"
+INITIAL_WAIT_TIME="${4:-30}"
+
+# Generate job Status URL
+STATUS_URL="https://api.github.com/repos/kyma-project/nats-manager/commits/${REF_NAME}/status"
+echo "checking at ULR ${STATUS_URL}"
+
+# Dates
+START_TIME=$(date +%s)
+TODAY_DATE=$(date '+%Y-%m-%d')
+
+# Retry function
+function retry {
+
+	# Get status result
+	local statusresult=$(curl -L -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" ${STATUS_URL})
+
+	# Get overall state
+	fullstatus=$(echo $statusresult | jq '.state' | tr -d '"')
+
+	# Collect latest run related data
+	local latestrun=$(echo $statusresult | jq '.statuses[-1]')
+	local latestrun_state=$(echo $latestrun | jq '.state' | tr -d '"')
+	local latestrun_createdat=$(echo $latestrun | jq '.created_at' | tr -d '"')
+	local latestrun_targeturl=$(echo $latestrun | jq '.target_url' | tr -d '"')
+
+	# Check Today's run data
+	if [[ $latestrun_createdat == *"$TODAY_DATE"* ]]; then
+		echo $latestrun_createdat
+		echo $latestrun_state
+		echo $latestrun_targeturl
+	fi
+
+	# Show all execution for Today
+	echo $statusresult | jq --arg t $TODAY_DATE '.statuses[]|select(.created_at | contains($t))'
+
+	# Date time for time-out
+	local CURRENT_TIME=$(date +%s)
+	local elapsed_time=$((CURRENT_TIME - START_TIME))
+
+	# Check time-out
+	if [ $elapsed_time -ge $TIMEOUT_TIME ]; then
+		echo "Timeout reached. Exiting."
+		exit 1
+	fi
+
+	if [ "$fullstatus" == "success" ]; then
+		echo "Success!"
+	elif [ "$fullstatus" == "failed" ]; then
+		# Show overall state to user
+		echo "$statusresult"
+		echo "Failure! Exiting with an error."
+		exit 1
+	elif [ "$fullstatus" == "pending" ]; then
+		echo "Status is '$fullstatus'. Retrying in $INTERVAL_TIME seconds..."
+		sleep $INTERVAL_TIME
+	else
+		echo "Invalid result: $result"
+		exit 1
+	fi
+
+}
+
+# Initial wait
+sleep $INITIAL_WAIT_TIME
+# Call retry function
+retry
+while [ "$fullstatus" == "pending" ]; do
+	retry
+done

.github/scripts/check_sec-scanners-config.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+##############################
+# Check tags in sec-scanners-config.yaml
+# Image Tag, rc-tag
+##############################
+
+# Error handling:
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+# The desired tag is the release version.
+DESIRED_TAG="${1}"
+
+# Get nats-manager image tag from sec-scanners-config.yaml.
+IMAGE_TAG_TO_CHECK="${2:-europe-docker.pkg.dev/kyma-project/prod/nats-manager}"
+IMAGE_TAG=$(cat sec-scanners-config.yaml | grep "${IMAGE_TAG_TO_CHECK}" | cut -d : -f 2)
+
+# Get rc-tag from sec-scanners-config.yaml.
+RC_TAG_TO_CHECK="${3:-rc-tag}"
+RC_TAG=$(cat sec-scanners-config.yaml | grep "${RC_TAG_TO_CHECK}" | cut -d : -f 2 | xargs)
+
+# Check if the image tag and the rc-tag match the desired tag.
+if [[ "$IMAGE_TAG" != "$DESIRED_TAG" ]] || [[ "$RC_TAG" != "$DESIRED_TAG" ]]; then
+	# ERROR: Tag issue
+	echo "Tags are not correct:
+  - wanted: $DESIRED_TAG
+  - security-scanner image tag: $IMAGE_TAG
+  - rc-tag: $RC_TAG"
+	exit 1
+fi
+
+# OK; Everything is fine.
+echo "Tags are correct"
+exit 0

.github/scripts/check_tag_does_not_exist.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Error handling:
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+# This script checks that the tag does not exist in git.
+
+TAG="$1"
+
+if [ $(git tag -l $TAG) ]; then
+	echo "Error; tag $TAG already exists"
+	exit 1
+else
+	echo "tag $TAG does not exist"
+fi

.github/scripts/check_version_format.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Error handling:
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+# This script checks that the RELEASE_TAG does follow the pattern x.y.z where x, y and z are integers.
+
+RELEASE_TAG="$1"
+
+if [[ $RELEASE_TAG =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+	echo "Version format is valid."
+else
+	echo "Version format is invalid: ${RELEASE_TAG}"
+	echo "Version should follow pattern x.y.z, where x, y and z are integers."
+	echo "(e.g. 1.2.3)"
+	exit 1
+fi

.github/scripts/create_changelog.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+# Optional args need to be handled before 'set -o nonset'.
+PREVIOUS_RELEASE=$2 # for testability
+
+# Error handling.
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+RELEASE_TAG=$1
+
+REPOSITORY=${REPOSITORY:-kyma-project/nats-manager}
+GITHUB_URL=https://api.github.com/repos/${REPOSITORY}
+GITHUB_AUTH_HEADER="Authorization: token ${GITHUB_TOKEN}"
+CHANGELOG_FILE="CHANGELOG.md"
+
+# If the previous release was not passed, we will
+if [ "${PREVIOUS_RELEASE}" == "" ]; then
+	# The git describe --tag --abbrev=0 command is used to find the most recent tag that is reachable from a commit.
+	# The --tag option tells git describe to consider any tag found in the refs/tags namespace, enabling matching a lightweight (non-annotated) tag.
+	PREVIOUS_RELEASE=$(git describe --tags --abbrev=0)
+fi
+
+# Generate the changelog in the CHANGELOG.md.
+echo "## What has changed" >>${CHANGELOG_FILE}
+
+# Iterate over all commits since the previous release.
+git log ${PREVIOUS_RELEASE}..HEAD --pretty=tformat:"%h" --reverse | while read -r commit; do
+	# If the author of the commit is not kyma-bot, show append the commit message to the changelog.
+	COMMIT_AUTHOR=$(curl -H "${GITHUB_AUTH_HEADER}" -sS "${GITHUB_URL}/commits/${commit}" | jq -r '.author.login')
+	if [ "${COMMIT_AUTHOR}" != "kyma-bot" ]; then
+		git show -s ${commit} --format="* %s by @${COMMIT_AUTHOR}" >>${CHANGELOG_FILE}
+	fi
+done
+
+# Create a new file (with a unique name based on the process ID of the current shell).
+NEW_CONTRIB=$$.new
+
+# Find unique authors that contribute since the last release, but not before it, and to the NEW_CONTRIB file.
+join -v2 \
+	<(curl -H "${GITHUB_AUTH_HEADER}" -sS "${GITHUB_URL}/compare/$(git rev-list --max-parents=0 HEAD)...${PREVIOUS_RELEASE}" | jq -r '.commits[].author.login' | sort -u) \
+	<(curl -H "${GITHUB_AUTH_HEADER}" -sS "${GITHUB_URL}/compare/${PREVIOUS_RELEASE}...HEAD" | jq -r '.commits[].author.login' | sort -u) >${NEW_CONTRIB}
+
+# Add new contributors to the 'new contributors' section of the changelog.
+if [ -s ${NEW_CONTRIB} ]; then
+	echo -e "\n## New contributors" >>${CHANGELOG_FILE}
+	while read -r user; do
+		REF_PR=$(grep "@${user}" ${CHANGELOG_FILE} | head -1 | grep -o " (#[0-9]\+)" || true)
+		if [ -n "${REF_PR}" ]; then #reference found
+			REF_PR=" in ${REF_PR}"
+		fi
+		echo "* @${user} made first contribution${REF_PR}" >>${CHANGELOG_FILE}
+	done <${NEW_CONTRIB}
+fi
+
+# Append link to the full-changelog this changelog.
+echo -e "\n**Full changelog**: https://github.com/$REPOSITORY/compare/${PREVIOUS_RELEASE}...${RELEASE_TAG}" >>${CHANGELOG_FILE}
+
+# Cleanup the NEW_CONTRIB file.
+rm ${NEW_CONTRIB} || echo "cleaned up"

scripts/create_draft_release.sh → .github/scripts/create_draft_release.sh

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
-# This script returns the id of the draft release
+# This script creates a draft release and returns its id .
 
-# standard bash error handling
+# Error handling:
 set -o nounset  # treat unset variables as an error and exit immediately.
 set -o errexit  # exit immediately when a command fails.
 set -E          # needs to be set if we want the ERR trap
@@ -15,23 +15,26 @@ GITHUB_URL=https://api.github.com/repos/${REPOSITORY}
 GITHUB_AUTH_HEADER="Authorization: Bearer ${GITHUB_TOKEN}"
 CHANGELOG_FILE=$(cat CHANGELOG.md)
 
+# Create the json payload to create a draft release.
 JSON_PAYLOAD=$(jq -n \
-  --arg tag_name "$RELEASE_TAG" \
-  --arg name "$RELEASE_TAG" \
-  --arg body "$CHANGELOG_FILE" \
-  '{
+	--arg tag_name "$RELEASE_TAG" \
+	--arg name "$RELEASE_TAG" \
+	--arg body "$CHANGELOG_FILE" \
+	'{
     "tag_name": $tag_name,
     "name": $name,
     "body": $body,
     "draft": true
   }')
 
+# Send the payload to github to create the draft release. The response contains the id of the release.
 CURL_RESPONSE=$(curl -L \
-  -X POST \
-  -H "Accept: application/vnd.github+json" \
-  -H "${GITHUB_AUTH_HEADER}" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  ${GITHUB_URL}/releases \
-  -d "$JSON_PAYLOAD")
+	-X POST \
+	-H "Accept: application/vnd.github+json" \
+	-H "${GITHUB_AUTH_HEADER}" \
+	-H "X-GitHub-Api-Version: 2022-11-28" \
+	${GITHUB_URL}/releases \
+	-d "$JSON_PAYLOAD")
 
+# Return the draft release id.
 echo "$(echo $CURL_RESPONSE | jq -r ".id")"

scripts/publish_release.sh → .github/scripts/publish_release.sh

@@ -15,9 +15,9 @@ GITHUB_URL=https://api.github.com/repos/${REPOSITORY}
 GITHUB_AUTH_HEADER="Authorization: Bearer ${GITHUB_TOKEN}"
 
 CURL_RESPONSE=$(curl -L \
-  -X POST \
-  -H "Accept: application/vnd.github+json" \
-  -H "${GITHUB_AUTH_HEADER}" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  ${GITHUB_URL}/releases/${RELEASE_ID} \
-  -d '{"draft":false}')
+	-X POST \
+	-H "Accept: application/vnd.github+json" \
+	-H "${GITHUB_AUTH_HEADER}" \
+	-H "X-GitHub-Api-Version: 2022-11-28" \
+	${GITHUB_URL}/releases/${RELEASE_ID} \
+	-d '{"draft":false}')

.github/scripts/render_and_upload_manifests.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+# This script will render the latest manifests and it will uploaded them to the release on github.com.
+
+# Error handling.
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+RELEASE_TAG=${1}
+MODULE_NAME=${2}
+GITHUB_TOKEN=${3}
+
+# uploadFile uploads the rendered assets to the github release.
+uploadFile() {
+	filePath=${1}
+	ghAsset=${2}
+
+	response=$(curl -s -o output.txt -w "%{http_code}" \
+		--request POST --data-binary @"$filePath" \
+		-H "Authorization: token $GITHUB_TOKEN" \
+		-H "Content-Type: text/yaml" \
+		$ghAsset)
+	if [[ "$response" != "201" ]]; then
+		echo "Unable to upload the asset ($filePath): "
+		echo "HTTP Status: $response"
+		cat output.txt
+		exit 1
+	else
+		echo "$filePath uploaded"
+	fi
+}
+
+# Render the nats-manager.yaml.
+echo "RELEASE_TAG: ${RELEASE_TAG}"
+IMG="europe-docker.pkg.dev/kyma-project/prod/${MODULE_NAME}-manager:${RELEASE_TAG}" make render-manifest
+echo "Generated ${MODULE_NAME}-manager.yaml:"
+cat ${MODULE_NAME}-manager.yaml
+
+# Find the release on github.com via the release tag.
+echo -e "\n Updating github release with ${MODULE_NAME}-manager.yaml"
+echo "Finding release id for: ${RELEASE_TAG}"
+CURL_RESPONSE=$(curl -w "%{http_code}" -sL \
+	-H "Accept: application/vnd.github+json" \
+	-H "Authorization: Bearer $GITHUB_TOKEN" \
+	https://api.github.com/repos/kyma-project/${MODULE_NAME}-manager/releases)
+JSON_RESPONSE=$(sed '$ d' <<<"${CURL_RESPONSE}")
+HTTP_CODE=$(tail -n1 <<<"${CURL_RESPONSE}")
+if [[ "${HTTP_CODE}" != "200" ]]; then
+	echo "${JSON_RESPONSE}" && exit 1
+fi
+
+# Extract the release id out of the github.com response.
+RELEASE_ID=$(jq <<<${JSON_RESPONSE} --arg tag "${RELEASE_TAG}" '.[] | select(.tag_name == $ARGS.named.tag) | .id')
+if [ -z "${RELEASE_ID}" ]; then
+	echo "No release with tag = ${RELEASE_TAG}"
+	exit 1
+fi
+
+# With the id of the release we can build the URL to upload the assets.
+UPLOAD_URL="https://uploads.github.com/repos/kyma-project/${MODULE_NAME}-manager/releases/${RELEASE_ID}/assets"
+
+# Finally we will upload the manager.yaml and the default.yaml.
+uploadFile "nats-manager.yaml" "${UPLOAD_URL}?name=${MODULE_NAME}-manager.yaml"
+uploadFile "config/samples/default.yaml" "${UPLOAD_URL}?name=${MODULE_NAME}-default-cr.yaml"

.github/scripts/verify_is_on_release_branch.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# This script verifies, that the current branch name starts with 'release-'
+#
+# Error handling:
+set -o nounset  # treat unset variables as an error and exit immediately.
+set -o errexit  # exit immediately when a command fails.
+set -E          # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+if [[ "$CURRENT_BRANCH" == release-* ]]; then
+	echo "Branch name starts with 'release-'."
+else
+	echo "Branch name does not start with 'release-': ${CURRENT_BRANCH}"
+	exit 1
+fi