QG 4 checks Release 3.2

[SebastianBezold]

QG checks

Please keep this issue open until QG 3.2 is concluded and will be managed by the Issue Creator!
We will inform you about finding and proposals in separated issues, this issue here is for the Overview of the Checks!

Product Name: BPN Discovery
Product Owner: Thomas Henn
Dev SPOC: Tunahan Cicek / Sahil Aggarwal (@agg3fe)
Helm Chart Version: 0.1.6
App Version: 0.2.3-M1
QG5 Approval: yes/no

Check of Tractus-X Release Guidelines

This QG x Check is depending on the mandatory information from our current Release Guidelines.

TRG 1 Documentation

• TRG 1.01 appropriate README.md
• TRG 1.02 appropriate INSTALL.md
• TRG 1.03 appropriate CHANGELOG.md

TRG 2 Git

• TRG 2.01 default branch is named main

• TRG 2.03 repository structure

  Checks within TRG 2.03

  • TRG 2.03 /docs directory contains detailed product related documentation for the Tractus-X product
  • TRG 2.03 /charts directory contains the Helm chart for the Tractus-X product IF available
  • TRG 2.03 AUTHORS.md file (optional) (TRG 2.03)
  • TRG 2.03 CODE_OF_CONDUCT.md file (TRG 2.03)
  • TRG 2.03 CONTRIBUTING.md file (TRG 2.03)
  • TRG 2.03 DEPENDENCIES file(s) with up to date content (Dash tool generated) (TRG 2.03)
  • TRG 2.03 LICENSE file (TRG 2.03)
  • TRG 2.03 NOTICE.md file (TRG 2.03)
  • TRG 2.03 SECURITY.md file (TRG 2.03)

• TRG 2.04 Leading product repository

  Checks within TRG 2.04

  • TRG 2.04 repository name must be productname without prefix or suffix
  • TRG 2.04 should contain the release
  • TRG 2.04 references/urls to the product's other repositories
  • TRG 2.04 might contain product helm chart(s)
  • TRG 2.04 README.md: contains the urls for the underlying applications

• TRG 2.05 .tractusx metafile in a proper format

TRG 3 Kubernetes

• TRG 3.02 PersistentVolume and PersistentVolumeClaim is used when needed

TRG 4 Container

• TRG 4.01 semantic versioning and tagging

• TRG 4.02 top level README.md file, that contains information about the used base image

• TRG 4.03 Image has USER command and Non Root Container

  Checks within TRG 4.03

  • TRG 4.03 deployment.yaml has runAsUser and allowPrivilegeEscalation: false properly set

• TRG 4.05 released image must be place DockerHub as mandatory container registry; remove GHCR references

• TRG 4.06 Notice File for DockerHub has all necessary information

  Checks within TRG 4.06

  • TRG 4.06 Link to the source of your base image (Container registry and GitHub if available)
  • TRG 4.06 Link to your product image on DockerHub
  • TRG 4.06 Link to your repository on GitHub
  • TRG 4.06 Direct link to the Dockerfile used to build your image
  • TRG 4.06 Link to LICENCE file in your repo as Project License (make clear, that this is the PROJECT licence, not an image license

TRG 5 Helm

• TRG 5.01 Helm chart must be released

  Checks within TRG 5.01

  • TRG 5.01 appropriate semantic versioning for version and appVersion has to be used in Chart.yaml
  • TRG 5.01 must not contain any environment specific values-xyz.yaml
  • TRG 5.01 values.yaml file must contain proper default values/placeholders
  • TRG 5.01 No hostname provided for ingress
  • TRG 5.01 Ingress is disabled
  • TRG 5.01 No references to any secret engine service (e.g.: Hashicorp Vault)
  • TRG 5.01 Dependencies should be prefixed with the nameOverride and/or fullnameOverride properties
  • TRG 5.01 Image tag is set to the Chart.yaml appVersion property
  • TRG 5.01 must be deployable to any environment without overwriting default values with a simple helm install command
  • TRG 5.01 dependencies have to be declared in Chart.yaml NOT requirements.yml

• TRG 5.02 Helm chart location in /charts directory and correct structure

  Checks within TRG 5.02

  • TRG 5.02 each file must contain the Apache 2.0 Licence
  • TRG 5.02 latest tag is not used in helm chart be default

  charts/ 
      chartNameA/
        Chart.yaml
        ... 
      chartNameB/
        Chart.yaml
        ...
  AUTHORS.md 
  DEPENDENCIES.md 
  LICENCE 
  README.md 

• TRG 5.04 CPU and memory limits and requests are properly set

• TRG 5.06 application must be configurable through the Helm chart

• TRG 5.07 dependencies are present in the Chart.yaml they are properly configured

• TRG 5.08 a product has a single deployable helm chart that contains all components

  Checks within TRG 5.08

  • TRG 5.08 name of the Chart should be just the product-name without prefix or suffix
  • TRG 5.08 values file should contain all available variables (even from subcharts) with default values and comments about what they do
  • TRG 5.08 helm install command should successfully install the chart to any supported Kubernetes version cluster (without overwriting default values)
  • TRG 5.08 helm test runs without errors

• TRG 5.09 Helm Test running properly

  Checks within TRG 5.09

  • TRG 5.09 A GitHub action exist which builds or uses the helm chart which gets released
  • TRG 5.09 The GitHub action can be triggered manually through Github WebUI manually running a workflow
  • TRG 5.09 Helm test verifies that the application is up and running

• TRG 5.10 Products need to support 3 versions at a time

  Checks within TRG 5.10

  • TRG 5.10 latest (K8s version 1.25)
  • TRG 5.10 latest - 1 (K8s version 1.24)
  • TRG 5.10 latest - 2 (K8s version 1.23)

• TRG 5.11 Upgradeability PRERELEASE

  Checks within TRG 5.11

  • TRG 5.11 Based on the Helm test workflow, you must provide a GitHub action which takes the latest released helm chart, does an installation of it and then execute the upgrade to the current / new version.

TRG 6 Released Helm Chart

• TRG 6.01 Released Helm Chart

TRG 7 Open Source Governance

• TRG 7.01 Legal Documentation

• TRG 7.02 License and copyright header

• TRG 7.03 IP checks for project content

• TRG 7.04 IP checks for 3rd party content

  Checks within TRG 7.04

  • TRG 7.04 DEPENDENCIES file is up-to-date and reflects the current use of the 3rd party content
  • TRG 7.04 all libraries listed there should have the status "approved"
  • TRG 7.04 no libraries with status "rejected"
  • TRG 7.04 for libraries with status "restricted", the according IP issues must be present (issue number in the source column)

• TRG 7.05 Legal information for distributions

• TRG 7.06 Legal information for end user content

• TRG 7.07 Legal notice for documentation

Hints

Information Sharing

[SebastianBezold]

Hi @tunacicek,
could you please clarify, which version is targeted for release 3.2? is it v0.2.2-M1?

[SebastianBezold]

Since the final release version is not yet clear, I'll leave this as a comment instead of an issue:
In the current main branch, the Apache-2.0 LICENSE File is missing for the Chart.
See TRG 5.02 for further details

[tunacicek]

@SebastianBezold : we will deploy a new version because of TRG 7.05 (missing legal information in jar)

[tunacicek]

@SebastianBezold : We build a new version of the bpn-discovery.
Helm Chart Version: 0.1.6
App Version: 0.2.3-M1

We fix the open points. Only helm testing is currently in progress.
Can you please review the other points.

[bs-sili]

Hi @SebastianBezold ,
we fixed the Helm Chart Test for this service. As far as I can see, there are no further open issues regarding to the TRGs. So I assume after adjusting the resource management, we can build here an image.

[SebastianBezold]

Hi @bs-sili,

where is this fix included? On the current main branch? I am not completely done with the checks for all TRGs, so there might still be issues, but i'll ping you as soon as (and if) i find any

[SebastianBezold]

Hi @tunacicek and @bs-sili,

I do have a general question regarding your versioning. I can see, that you are following semantic versioning and you increase the patch version as soon as you fix stuff. I just don't really understand, why you have an additional milestone suffix. This does not seem to change. Looking at the existing tags, it has always been "M1".

Other teams are using the release canditate notion and build versions like 1.0.0-rc1. When fixes are done, a 1.0.0-rc2 is created. Would that also be an option for you? In my opinion aligning the strategy across Tractus-X would be good.

[SebastianBezold]

I am done with all the checks. I created issues for the findings and linked it to this one here.
In my opinion, #39 definitely has to be clarified (and fixed if not yet done). The other issues could also be fixed after the release. This of course does not mean, that it would be great to have the improvements already included in the Tractus-X 3.2 release

[tunacicek]

@SebastianBezold Thanks for your review.
I added a comment for the issue #39 . Can you please check it again.

[bs-sili]

Hey @SebastianBezold,
thank you for creating the issues. We will take the #39 on priority and the other ones we gonna investigate later on.

[bs-sili]

Hi @SebastianBezold,

could you please set the checkmark for "TRG 7.05 Legal information for distributions"? As you already closed #39, this should be fine. right? Many thanks!

[SebastianBezold]

Hi @bs-sili and @tunacicek,

one last question, before I close the QG issue.
I can see that the fixes and changes are all included in the Helm Chart version 0.1.11. This Chart is referring to an AppVersion 0.2.5-M1. The Docker image can be pulled, so it seems to be build properly, but I cannot find the GitHub release for 0.2.5-M1. Could you please create the GitHub release for the mentioned tag?

I am also still wondering, why you are using a milestone suffix, if you anyways update your semantic version properly and never change the milestone or move to a next one. Will there be releases for different milestones? Are they documented somewhere? Are you creating "milestone-less" releases as soon as the Tractus-X release is created?

[tunacicek]

@SebastianBezold ,

the github release is created for the version 0.2.5-M1.
Versioning with milestone was historical. You are absolutely right. In the future (for PI10) we will do the versioning as you suggested.
That means: Without m1 (milestone) and if we have release candiate with -rcX.

Thanks for the hint.

[SebastianBezold]

Thanks @tunacicek. Closing the issue

[tunacicek]

hi @SebastianBezold ,
the newest version which includes all the fixes is:
helm version: 0.1.11
appVersion: 0.2.5-M1