- Check failures
- is-helm-v3 v1.0
- has-readme v1.0
- contains-test v1.0
- has-kubeversion v1.1
- has-kubeversion v1.0
- contains-values v1.0
- contains-values-schema v1.0
- not-contains-crds v1.0
- not-contain-csi-objects v1.0
- helm-lint v1.0
- images-are-certified v1.0
- chart-testing v1.0
- required-annotations-present v1.0
- signature-is-valid v1.0
- Report related submission failures
Requires the "api-version" attribute of chart.yaml to be set to "v2". Any other value will result in the check failing.
Requires a "README.md" file to exist in the root directory of the chart. Any other spelling or capitalisation of letters will result in the check failing.
Requires at least one file to exist in the templates/tests subdirectory of the chart. If no such file exists this check will fail. Note the chart-testing check will require the directory to contain a valid test.
See also helm documentation: chart tests
Requires the "kubeVersion" attribute of chart.yaml to be set to a value. If the attribute is not set the check will fail. The value set is not checked.
Requires the kubeVersion attribute of chart.yaml to be set to a valid semantic version. If the attribute is not a valid semantic version the check will fail.
See also helm documentation: Helm documentation of the kubeVersion attribute
Note: The kubeVersion field will be used to determine the OpenShift versions the chart supports and will be set as annotation ``````
Requires a values.schema file to be present in the chart. If the file is not present the check will fail.
See also helm documentation: values and Best Practices for using values.
Requires a values.schema.json file to be present in the chart. If the file is not present the check will fail.
See also helm documentation: Schema Files
Requires no CRDs to be defined in the chart. A CRD is a file with an extension of .yaml, .yml or .json in a crd subdirectory of the chart and should be removed if present.
CRDs should be defined using operators. See: Operator CRDs
Requires no csi objects in a chart. A csi object is a file in the template subdirectory, with an extension of .yaml, and containing a kind attribute set to CSIDriver. If such a file exists it should be removed.
Requires a helm lint of the chart to not result in any ERROR messages. If an ERROR does occur the helm lint messages will be output. Run helm lint on your chart for additional information. If the chart requires specification of additional values to pass helm lint use one of the chart-set flags of the verifier tool for this check to pass. If additional values are required a verifier report must be included in the chart submission.
Requires any images referenced in a chart to be Red Hat Certified.
- The list of image references is found by running helm template and if this fails the error output from helm template will be output. Run helm template on your chart for additional information. If the chart requires specification of additional attributes to pass helm template use one of the chart-set flags of the verifier tool for this check to pass. If additional attributes are required a verifier report must be included in the chart submission.
- Each image reference found from helm template is parsed to determine the registry, repository and tag or digest value.
  - registry is the string before the first "/" in the image reference but only if it includes a "." character.
  - the repository is what remains in the image reference, after the registry is removed and before ":" or "@sha"
  - tag is what is set after the ":" character
  - digest is what is set after the "@" character in "@sha"
- If a registry is not found the pyxis swagger api is used to find the repository and from it, extract the registry
  https://catalog.redhat.com/api/containers/v1/repositories?filter=repository==<repository>
  - if the repository is not found the check will fail.
- The registry and repository are then used to find images:
  https://catalog.redhat.com/api/containers/v1/repositories/registry/<registry>/repository/<repository>/images
  - if the image specified a sha value it is compared with the parsed_data.docker_image_digest attribute. If a match is not found the check fails.
  - if the image specified a tag value it is compared with the repositories.tags.name attributes. If a match is not found the check fails.
- If the check fails use the point of failure to determine how to address the issue.
Requires any images referenced in a chart to be Red Hat Certified.
- The list of image references is found by running helm template and if this fails the error output from helm template will be output. Run helm template on your chart for additional information. If the chart requires specification of additional attributes to pass helm template use one of the chart-set flags of the verifier tool for this check to pass. If additional attributes are required a verifier report must be included in the chart submission.
- Each image reference found from helm template is parsed to determine the registry, repository and tag or digest value.
  - registry is the string before the first "/" in the image reference but only if it includes a "." character.
  - the repository is what remains in the image reference, after the registry is removed and before ":" or "@sha"
  - tag is what is set after the ":" character
  - digest is what is set after the "@" character in "@sha"
- If a registry is not found the pyxis swagger api is used to find the repository and from it, extract the registry
  https://catalog.redhat.com/api/containers/v1/repositories?filter=repository==<repository>
  - if the repository is not found the check will fail.
- The registry and repository are then used to find images:
  https://catalog.redhat.com/api/containers/v1/repositories/registry/<registry>/repository/<repository>/images
  - if the image specified a sha value it is compared with the parsed_data.docker_image_digest attribute. If a match is not found and the registry is not registry.redhat.io, the check fails.
  - if the image specified a tag value it is compared with the repositories.tags.name attributes. If a match is not found and the registry is not registry.redhat.io, the check fails.
  - if the registry is registry.redhat.io, the check will skip the image.
- If the check fails use the point of failure to determine how to address the issue.
For information on certifying images see: Red Hat container certification
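The parsing and comparison steps of both versions of the check above, as an added Go example that is not chart-verifier's own code. ImageRef, CatalogImage, ParseImageRef and Verdict are hypothetical names, the catalog entries are passed in rather than fetched, and two assumptions are made: a digest is checked instead of a tag when both are present, and a ":" that appears before a "/" is not a tag.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef holds the parts the check extracts from one image reference.
type ImageRef struct{ Registry, Repository, Tag, Digest string }

// CatalogImage holds the two catalog attributes the check compares against.
type CatalogImage struct {
	Digest string          // parsed_data.docker_image_digest
	Tags   map[string]bool // repositories.tags.name values
}

// ParseImageRef splits a reference using the rules listed above.
func ParseImageRef(ref string) ImageRef {
	var r ImageRef
	// Registry: text before the first "/", only when it contains a ".".
	if head, tail, ok := strings.Cut(ref, "/"); ok && strings.Contains(head, ".") {
		r.Registry, ref = head, tail
	}
	// Digest: text after "@".
	ref, r.Digest, _ = strings.Cut(ref, "@")
	// Tag: text after the last ":" (assumption: a ":" before a "/" is not a tag).
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref, r.Tag = ref[:i], ref[i+1:]
	}
	r.Repository = ref
	return r
}

// Verdict applies the v1.1 comparison (assumption: a digest is checked instead of a tag).
func Verdict(r ImageRef, catalog []CatalogImage) string {
	for _, img := range catalog {
		if (r.Digest != "" && r.Digest == img.Digest) || (r.Digest == "" && img.Tags[r.Tag]) {
			return "pass"
		}
	}
	if r.Registry == "registry.redhat.io" {
		return "skip" // v1.1 only; under v1.0 this is a failure
	}
	return "fail"
}

func main() { // constructed sample reference, for illustration only
	r := ParseImageRef("registry.redhat.io/ns/app:9.9")
	fmt.Printf("%+v -> %s\n", r, Verdict(r, nil))
}
```

A reference with no dotted first element, such as ns/app@sha256:..., parses with an empty Registry, which is the case where the check falls back to the repository lookup.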
Chart testing runs the equivalent of helm install ... followed by helm test ... Try to run these independently of the chart-verifier and make a note of any flags or overrides that must be set for them both to work. Ensure these values are set using chart-verifier flags when generating a report.
Also note that if chart-verifier flags are required for the chart-verifier chart-testing check to pass a verifier report must be included in the chart submission.
If the check fails due to a timeout, increase the timeout values. If increased timeouts are required for the chart-verifier chart-testing check to pass a verifier report must be included in the chart submission. See: Chart testing timeouts
Run the chart verifier and set log_output to true to get additional information:

```
$ podman run --rm -i \
    -e KUBECONFIG=/.kube/config \
    -v "${HOME}/.kube":/.kube \
    "quay.io/redhat-certification/chart-verifier" \
    verify -l \
    <chart-uri>
```
Requires the following annotation to be present in chart.yaml:
charts.openshift.io/name
The value of the annotation will be used in the OpenShift catalogue as the name of the chart.
This check requires that the public key provided to the chart verifier is from a user that has access to the signed chart. The check can fail for a variety of reasons, including:
- pgp public key file specified does not exist.
- pgp public key file is not an ascii public key file.
  - create using, for example:
    gpg --export -a <User-Name> > <public-key-file>
  - User-Name is the user name of the secret key used to sign the chart.
- pgp public key file does not have access to the signed chart.
  - ensure the public key matches the secret key used to sign the chart.
Submission will fail if any mandatory checks indicate failure or are absent from the report.
Regenerate the report running all tests and ensure they all pass.
If a check is failing and you are unsure as to why, see Trouble shooting check failures
Common causes:
- The chart was updated after the report was generated.
  - Note: you can modify the webCatalogOnly attribute without affecting the report sha value.
- The report was generated against a different form of the chart compared to the chart submitted.
  - For example, the report was generated from the chart source, but the chart tarball was used for submission.
For more information see Verifier added annotations
This annotation must contain a current or recent OpenShift version. It is generally set by the chart-testing check but this can fail if the role of the user who generated the report does not have the required access.
For more information see Verifier added annotations
For a report-only submission the report must include a valid URL for the chart.
For more information see error-with-the-chart-url-when-submitting-report
For more information see Verifier added annotations