allamand
Create a new backstage template and kro RGD for the CICD pipeline


// Should have ECR registry entries
const registryKeys = Object.keys(dockerConfig.auths);
expect(registryKeys.some(key => key.includes('.dkr.ecr.') && key.includes('.amazonaws.com'))).toBe(true);

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization (High, test)

'.amazonaws.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI about 12 hours ago

The fix is to parse the registry key as a URL (or at least separate out its host component) and explicitly match it against the exact allowed patterns. In this context, Docker registry keys are typically hostnames like <aws_account_id>.dkr.ecr.<region>.amazonaws.com (with or without protocol), so we can use a regular expression or direct string checks to validate the format more robustly.

  1. Replace the substring check with a regular expression that requires the key to conform to the AWS ECR registry host pattern.
  2. Ensure the regular expression matches only valid AWS ECR hosts, not arbitrary hosts containing .amazonaws.com somewhere in the name.
  3. No additional import is needed, unless robust URL parsing is desired, but for hostname patterns, a simple regex is sufficient.
  4. Only lines within the provided file need to be changed.

Change only the registry key assertion, on (and around) line 265 in aws-resource-validation.integration.test.js.


Suggested changeset 1
gitops/addons/charts/kro/resource-groups/cicd-pipeline/tests/integration/aws-resource-validation.integration.test.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/gitops/addons/charts/kro/resource-groups/cicd-pipeline/tests/integration/aws-resource-validation.integration.test.js b/gitops/addons/charts/kro/resource-groups/cicd-pipeline/tests/integration/aws-resource-validation.integration.test.js
--- a/gitops/addons/charts/kro/resource-groups/cicd-pipeline/tests/integration/aws-resource-validation.integration.test.js
+++ b/gitops/addons/charts/kro/resource-groups/cicd-pipeline/tests/integration/aws-resource-validation.integration.test.js
@@ -262,7 +262,9 @@
 
       // Should have ECR registry entries
       const registryKeys = Object.keys(dockerConfig.auths);
-      expect(registryKeys.some(key => key.includes('.dkr.ecr.') && key.includes('.amazonaws.com'))).toBe(true);
+      // Match pattern: <account-id>.dkr.ecr.<region>.amazonaws.com optionally with :port
+      const ecrRegistryRegex = /^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(:\d+)?$/;
+      expect(registryKeys.some(key => ecrRegistryRegex.test(key))).toBe(true);
     });
   });
 });
\ No newline at end of file
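Review bot: the new `ecrRegistryRegex` on the `+` lines is anchored at `^\d{12}`, so a key that carries a scheme will never match, even though the explanation above says registry keys appear "with or without protocol"; a key of the form `https://<account-id>.dkr.ecr.<region>.amazonaws.com` would make the assertion fail. Either strip the scheme before testing (for example `new URL(key).hostname`, adding a scheme when absent) or allow it in the pattern: `/^(https?:\/\/)?\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(:\d+)?$/`. Two other real ECR host forms also fall outside the pattern, the FIPS endpoint (`dkr.ecr-fips`) and the China partition suffix (`.amazonaws.com.cn`); if the workshop can run there, widen the `ecr` and suffix parts accordingly, and update the `// Match pattern:` comment so it states exactly what the regex accepts.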
EOF
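An added example, not code from the PR or from the autofix: the substring test the alert flagged beside a host-based check that separates out the host component, as the autofix explanation describes, and accepts only exact ECR registry hosts. The sample docker config, the lookalike key and the function names are constructed for illustration; accepting the FIPS and China-partition endpoint forms is an assumption about what the workshop needs.

```javascript
// Added example (not the PR's or the autofix's code): host-based ECR key check.

// Loose form as it stood before the autofix: true for any string that
// merely contains both fragments somewhere, in any order or position.
function looksLikeEcrSubstring(key) {
  return key.includes('.dkr.ecr.') && key.includes('.amazonaws.com');
}

// Exact ECR registry host shape, anchored at both ends. Assumption: FIPS
// (ecr-fips) and China-partition (.amazonaws.com.cn) endpoints are wanted.
const ECR_HOST_RE = /^\d{12}\.dkr\.ecr(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/;

// Return the host component of a registry key, or null if the key carries
// anything a registry key should not (userinfo, path, query, fragment).
function registryHost(key) {
  // Docker auth keys may be bare 'host[:port]' or carry an http(s) scheme;
  // add a scheme when absent so URL() parses both forms the same way.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(key) ? key : `https://${key}`;
  let u;
  try {
    u = new URL(withScheme);
  } catch {
    return null;
  }
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash) {
    return null;
  }
  return u.hostname; // hostname excludes any :port
}

function isEcrRegistryKey(key) {
  const host = registryHost(key);
  return host !== null && ECR_HOST_RE.test(host);
}

// Filter a docker config's 'auths' keys down to genuine ECR registries.
function ecrRegistryKeys(dockerConfig) {
  return Object.keys(dockerConfig.auths || {}).filter(isEcrRegistryKey);
}

// Constructed sample in the shape of ~/.docker/config.json; the third key is
// a lookalike that the substring check accepts and the host check rejects.
const sampleDockerConfig = {
  auths: {
    'https://index.docker.io/v1/': {},
    '123456789012.dkr.ecr.us-east-1.amazonaws.com': {},
    '123456789012.dkr.ecr.us-east-1.amazonaws.com.example.test': {},
  },
};
```

In a Jest test the assertion becomes `expect(ecrRegistryKeys(dockerConfig).length).toBeGreaterThan(0)`, which fails for the lookalike key where the old `some(...includes...)` check passed.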
allamand and others added 25 commits September 27, 2025 01:19
Signed-off-by: Sébastien Allamand <sallaman@amazon.com>
- Fix readyWhen conditions to only reference current resource (no cross-resource refs)
- Escape shell variables to avoid CEL expression parser conflicts
- Update shell variable naming from UPPERCASE to lowercase to prevent template parsing
- Replace Gitea references with GitLab for current workshop version
- Update secret references from gitea-credentials to gitlab-credentials
- Change GITEA_TOKEN to GITLAB_TOKEN environment variable

Key fixes:
- readyWhen patterns: self-reference only, dependencies via template variables
- Shell variables: gitlab_hostname, webhook_url, api_url (lowercase)
- Validation: RGD now passes Kro CLI validation successfully

Resolves CEL expression validation errors:
- undeclared reference to 'GITLAB_HOSTNAME'
- undeclared reference to 'hooks_api_url'
- undeclared reference to 'GITEA_TOKEN'
Signed-off-by: Sébastien Allamand <sallaman@amazon.com>
Signed-off-by: Workshop User <workshopuser@example.com>