Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QG 4 checks Release 3.2 #108

Closed
77 tasks done
SebastianBezold opened this issue Aug 10, 2023 · 25 comments
Closed
77 tasks done

QG 4 checks Release 3.2 #108

SebastianBezold opened this issue Aug 10, 2023 · 25 comments
Assignees
Labels
documentation Improvements or additions to documentation
Milestone

Comments

@SebastianBezold
Copy link
Contributor

SebastianBezold commented Aug 10, 2023

QG checks

Please keep this issue open until QG 3.2 is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Product Name: Digital Product Pass
Helm Chart Version:
App Version:
QG5 Approval: yes/no

Check of Tractus-X Release Guidelines

This QG x Check is depending on the mandatory information from our current Release Guidelines.

TRG 1 Documentation

TRG 2 Git

  • TRG 2.01 default branch is named main

  • TRG 2.03 repository structure

    Checks within TRG 2.03
    • TRG 2.03 /docs directory contains detailed product related documentation for the Tractus-X product
    • TRG 2.03 /charts directory contains the Helm chart for the Tractus-X product IF available
    • TRG 2.03 AUTHORS.md file (optional) (TRG 2.03)
    • TRG 2.03 CODE_OF_CONDUCT.md file (TRG 2.03)
    • TRG 2.03 CONTRIBUTING.md file (TRG 2.03)
    • TRG 2.03 DEPENDENCIES file(s) with up to date content (Dash tool generated) (TRG 2.03)
    • TRG 2.03 LICENSE file (TRG 2.03)
    • TRG 2.03 NOTICE.md file (TRG 2.03)
    • TRG 2.03 SECURITY.md file (TRG 2.03)
  • TRG 2.04 Leading product repository

    Checks within TRG 2.04
    • TRG 2.04 repository name must be productname without prefix or suffix
    • TRG 2.04 should contain the release
    • TRG 2.04 references/urls to the product's other repositories
    • TRG 2.04 might contain product helm chart(s)
    • TRG 2.04 README.md: contains the urls for the underlying applications
  • TRG 2.05 .tractusx metafile in a proper format

TRG 3 Kubernetes

  • TRG 3.02 PersistentVolume and PersistentVolumeClaim is used when needed

TRG 4 Container

  • TRG 4.01 semantic versioning and tagging

  • TRG 4.02 top level README.md file, that contains information about the used base image

  • TRG 4.03 Image has USER command and Non Root Container

    Checks within TRG 4.03
    • TRG 4.03 deployment.yaml has runAsUser and allowPrivilegeEscalation: false properly set
  • TRG 4.05 released image must be place DockerHub as mandatory container registry; remove GHCR references

  • TRG 4.06 Notice File for DockerHub has all necessary information

    Checks within TRG 4.06
    • TRG 4.06 Link to the source of your base image (Container registry and GitHub if available)
    • TRG 4.06 Link to your product image on DockerHub
    • TRG 4.06 Link to your repository on GitHub
    • TRG 4.06 Direct link to the Dockerfile used to build your image
    • TRG 4.06 Link to LICENCE file in your repo as Project License (make clear, that this is the PROJECT licence, not an image license

TRG 5 Helm

  • TRG 5.01 Helm chart must be released

    Checks within TRG 5.01
    • TRG 5.01 appropriate semantic versioning for version and appVersion has to be used in Chart.yaml
    • TRG 5.01 must not contain any environment specific values-xyz.yaml
    • TRG 5.01 values.yaml file must contain proper default values/placeholders
    • TRG 5.01 No hostname provided for ingress
    • TRG 5.01 Ingress is disabled
    • TRG 5.01 No references to any secret engine service (e.g.: Hashicorp Vault)
    • TRG 5.01 Dependencies should be prefixed with the nameOverride and/or fullnameOverride properties
    • TRG 5.01 Image tag is set to the Chart.yaml appVersion property
    • TRG 5.01 must be deployable to any environment without overwriting default values with a simple helm install command
    • TRG 5.01 dependencies have to be declared in Chart.yaml NOT requirements.yml
  • TRG 5.02 Helm chart location in /charts directory and correct structure

    Checks within TRG 5.02
    • TRG 5.02 each file must contain the Apache 2.0 Licence
    • TRG 5.02 latest tag is not used in helm chart be default
    charts/ 
        chartNameA/
          Chart.yaml
          ... 
        chartNameB/
          Chart.yaml
          ...
    AUTHORS.md 
    DEPENDENCIES.md 
    LICENCE 
    README.md 
  • TRG 5.04 CPU and memory limits and requests are properly set

  • TRG 5.06 application must be configurable through the Helm chart

  • TRG 5.07 dependencies are present in the Chart.yaml they are properly configured

  • TRG 5.08 a product has a single deployable helm chart that contains all components

    Checks within TRG 5.08
    • TRG 5.08 name of the Chart should be just the product-name without prefix or suffix
    • TRG 5.08 values file should contain all available variables (even from subcharts) with default values and comments about what they do
    • TRG 5.08 helm install command should successfully install the chart to any supported Kubernetes version cluster (without overwriting default values)
    • TRG 5.08 helm test runs without errors
  • TRG 5.09 Helm Test running properly

    Checks within TRG 5.09
    • TRG 5.09 A GitHub action exist which builds or uses the helm chart which gets released
    • TRG 5.09 The GitHub action can be triggered manually through Github WebUI manually running a workflow
    • TRG 5.09 Helm test verifies that the application is up and running
  • TRG 5.10 Products need to support 3 versions at a time

    Checks within TRG 5.10
    • TRG 5.10 latest (K8s version 1.25)
    • TRG 5.10 latest - 1 (K8s version 1.24)
    • TRG 5.10 latest - 2 (K8s version 1.23)
  • TRG 5.11 Upgradeability PRERELEASE

    Checks within TRG 5.11
    • TRG 5.11 Based on the Helm test workflow, you must provide a GitHub action which takes the latest released helm chart, does an installation of it and then execute the upgrade to the current / new version.

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation

  • TRG 7.02 License and copyright header

  • TRG 7.03 IP checks for project content

  • TRG 7.04 IP checks for 3rd party content

    Checks within TRG 7.04
    • TRG 7.04 DEPENDENCIES file is up-to-date and reflects the current use of the 3rd party content
    • TRG 7.04 all libraries listed there should have the status "approved"
    • TRG 7.04 no libraries with status "rejected"
    • TRG 7.04 for libraries with status "restricted", the according IP issues must be present (issue number in the source column)
  • TRG 7.05 Legal information for distributions

  • TRG 7.06 Legal information for end user content

  • TRG 7.07 Legal notice for documentation

Hints

Information Sharing

@SebastianBezold SebastianBezold added the documentation Improvements or additions to documentation label Aug 10, 2023
@SebastianBezold SebastianBezold self-assigned this Aug 10, 2023
@SebastianBezold
Copy link
Contributor Author

Hi @matbmoser and @saudkhan116,
i don't have any info from release management regarding the digital-product-pass version, that should be included in the 3.2 releaese. Is it the 1.0.0-alpha? Will you release it as 1.0.0 if the release guideline checks are passed?

@matbmoser
Copy link
Contributor

matbmoser commented Aug 11, 2023

Hi @SebastianBezold, We will release a release candidate for v1.0.0 today in order to run the security checks. It contain all the Quality Gates requirements as documented in GitHub. The release v1.0.0-alpha does not contains the complete requirements. Because of this we did not contacted with you yet.

Once the v1.0.0 is released it will be ready for the Quality Gates with the all the TRG requirements fullfilled.

@matbmoser
Copy link
Contributor

@SebastianBezold the released was not created before in the feature freaze because of some architecture requirements that were pending to be tested.

@matbmoser
Copy link
Contributor

matbmoser commented Aug 11, 2023

#33 We have this already created and checked here 👍🏻 Probably there is some things missing so its fine that we create a second list to check again :)

@SebastianBezold
Copy link
Contributor Author

Hi @matbmoser,
ok thanks for the input. I created the issue, since we where triggered by Release management.
So v1.0.0-rc1 is the "ready" version?

@matbmoser
Copy link
Contributor

matbmoser commented Aug 14, 2023

No, you can run the checks over v1.0.0-rc2 the last one had some bugs and security vulnerabilities
https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v1.0.0-rc2

@matbmoser
Copy link
Contributor

After the E2E Tests worked and all the security requirements are completed a version v1.0.0 will be created, and will be the one ready for QG4. From a this perspective this version v1.0.0-rc2 should contain all the TRG requirements, and all that is in this version will be included in the v1.0.0

@matbmoser
Copy link
Contributor

@SebastianBezold v1.0.0 is released after passing our internal E2E tests! https://github.com/eclipse-tractusx/digital-product-pass/releases/tag/v1.0.0

@SebastianBezold
Copy link
Contributor Author

Hi @matbmoser,
I think I don't want to create an issue for it, but maybe for consideration:
There is an avp key in your Charts values. Not sure, if in DPP context, AVP does make sense, but if you use it as Argo CD Vault Plugin I would rename it.
This is too heavily tied to a specific deployment tooling

@matbmoser
Copy link
Contributor

Hi @matbmoser, I think I don't want to create an issue for it, but maybe for consideration: There is an avp key in your Charts values. Not sure, if in DPP context, AVP does make sense, but if you use it as Argo CD Vault Plugin I would rename it. This is too heavily tied to a specific deployment tooling

Ok, thank you for making this visible, we will refactor it for the next release.

@matbmoser matbmoser pinned this issue Aug 15, 2023
@matbmoser matbmoser added this to the v1.0.0 milestone Aug 15, 2023
@SebastianBezold
Copy link
Contributor Author

Hi @matbmoser, I linked the issue #122 here, because I don't really understand the Chart testing workflow here. Could you or anyone else from the team please take a look and clarify?

@matbmoser
Copy link
Contributor

matbmoser commented Aug 15, 2023

Ok we fixed the problem just by changing default condition to false in the chart values file, now everything is up and running in the release v1.0.0, link to the helm test: https://github.com/eclipse-tractusx/digital-product-pass/actions/runs/5868393507/job/15911121793

security:
check:
enabled: false
bpn: false
edc: false

@SebastianBezold
Copy link
Contributor Author

Current status: I want to test the changes made in v1.0.0-rc4, but the Docker images don't seem to be release yet

@saudkhan116
Copy link
Contributor

saudkhan116 commented Aug 17, 2023

Hi @SebastianBezold,
as far as I know, the license dash tool server has some issue and is currently down. So, we are not able to publish docker images for the latest release version v1.0.0. Yesterday, the release version v1.0.0 was updated.

Could you please confirm if the server is working again?

Thanks

@SebastianBezold
Copy link
Contributor Author

@saudkhan116,
did you dependencies change for the -rc4 changes, or what do you need dash for in regards to docker build?
Does the update of v1.0.0 include the changes done for -rc4?

@saudkhan116
Copy link
Contributor

saudkhan116 commented Aug 17, 2023

We didn't change any dependencies, there was a hotfix #125 yesterday that got merged into the v1.0.0 . Due to this, we need to run the dash tool to scan the dependencies check again and afterwards publish the images. Yes, you are right, there is no direct connection between dash tool and docker build.

@saudkhan116
Copy link
Contributor

saudkhan116 commented Aug 17, 2023

@SebastianBezold the new docker images are now published here:

The PR #126 follow v1.0.0

@SebastianBezold
Copy link
Contributor Author

Hi @saudkhan116 and @matbmoser,

almost all the checks are passed. Thanks for the fixes!
There is just one last thing, which is legal notice in documentation TRG 7.07. I linked it to the specific section.
TL;DR on what is missing.
The docs, that you have in the /docs folder should also contain a notice to the License they are put under (In your case most likely Apache-2.0. This section should be readable by the end user. This means no comment like in the source code files but plain markdown.
It would be enough, if the "Entrypoint" to the documentation does contain that notice. In case you have different types of docs (i.e. Arc42, User Guide, Admin Guide, etc.) then every "Entrypoint" to this docs should have the Notice.

If you add these Notices, then I'll conclude the QG checks, you also do not need to build a new version for that change. main is fine here

@SebastianBezold
Copy link
Contributor Author

Sorry small update @matbmoser and @saudkhan116, I was wrong here.
Since the files are rendered separately when viewing, we actually need the ## Notice section in every file

@saudkhan116
Copy link
Contributor

Sorry small update @matbmoser and @saudkhan116, I was wrong here. Since the files are rendered separately when viewing, we actually need the ## Notice section in every file

Hi @SebastianBezold, thank you for your feedback. We will have look into the TRG 7.07

@matbmoser
Copy link
Contributor

Reopened the issue #60 which was closed due to not enough clarification.

@saudkhan116
Copy link
Contributor

Hi @SebastianBezold, the requested TRG requirement is implemented in PR #127. Please have a review.
Thanks!

@SebastianBezold
Copy link
Contributor Author

Hi @saudkhan116, thanks a lot! I guess you can close #60 with the merge of #127 as well.
CC-BY-4.0 is definitely needed for KIT docs on the adoption view. For all other products, you can choose to put more docs under CC-BY, but it's not mandatory.

With this done, the QG 4 checks from my side are done :) congrats 👍 🚀

@saudkhan116
Copy link
Contributor

Thank you very much @SebastianBezold 👍💯

@matbmoser
Copy link
Contributor

Hi @saudkhan116, thanks a lot! I guess you can close #60 with the merge of #127 as well. CC-BY-4.0 is definitely needed for KIT docs on the adoption view. For all other products, you can choose to put more docs under CC-BY, but it's not mandatory.

With this done, the QG 4 checks from my side are done :) congrats 👍 🚀

Thank you Sebastian for the review! 🥇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests

3 participants