// Use when CI checks fail unexpectedly, when preparing code for CI, or when encountering non-obvious build and pipeline behavior. Covers vendoring, hermetic builds, security scans, code generation checks, coverage, and webhook validation gotchas.
| name | ci-cd-quirks |
| description | Use when CI checks fail unexpectedly, when preparing code for CI, or when encountering non-obvious build and pipeline behavior. Covers vendoring, hermetic builds, security scans, code generation checks, coverage, and webhook validation gotchas. |
Integration-service CI runs on Konflux (Tekton-based) for builds and GitHub Actions for linting/testing. Several non-obvious requirements catch developers off guard.
| When you changed... | Run this | Why |
|---|---|---|
Any go.mod / go.sum | go mod tidy && go mod vendor | Vendor dir is committed; CI fails on drift |
Types in api/v1beta2/ | make generate manifests | DeepCopy and CRD/RBAC manifests must be in sync |
Any .go file | make fmt | CI fails on uncommitted gofmt changes |
+kubebuilder:rbac markers | make manifests | RBAC ClusterRole must reflect markers |
Go vendoring prunes non-Go files. After go mod vendor, CRD YAML files from dependencies are gone. make download-crds re-downloads them for tests. CI runs this automatically, but if you updated deps and didn't vendor, CI fails.
CI greps config/ for RBAC wildcards (*) and fails if found. Never use wildcard verbs or resource names in +kubebuilder:rbac markers.
CI runs make generate manifests and diffs the result. Any uncommitted generated files = failure. Always commit generated output.
go mod tidy DriftCI runs go mod tidy and checks for changes. If your go.mod/go.sum differ after tidy, CI fails.
.tekton/integration-service-pull-request.yaml)ENABLE_COVERAGE=true — binary built with -cover -covermode=atomic -tags=coverageon-pr-{{revision}}.tekton/integration-service-push.yaml)build-instrumented-image task (with coverage){{revision}}manager (controller) and snapshotgc (garbage collector)/managerENABLE_COVERAGE build arg switches between instrumented and production builds| Rule | What happens if violated |
|---|---|
| ITS name must be DNS-1035 | Webhook rejects with validation error (lowercase alphanumeric + hyphen, <63 chars) |
SNAPSHOT param in ITS | Cannot be set manually — auto-injected by the service. Webhook rejects. |
Git resolver: url vs repo+org | Must use one or the other, not both. Webhook rejects conflicting params. |
| Snapshot validator | Has failurePolicy: Ignore — validation failures pass through silently (by design) |
unit-tests**/zz_generated*, e2e-tests/**, vendor| Problem | Root cause |
|---|---|
| CI fails with "uncommitted changes" | Didn't run make fmt, make generate manifests, or go mod tidy |
| Build fails on missing deps | Didn't run go mod vendor after dependency change |
| RBAC check fails | Used wildcard * in kubebuilder RBAC marker |
| Coverage dropped | New code paths not covered by tests (check cover.out) |
| Webhook rejects valid-looking ITS | Name contains uppercase, underscore, or is >63 chars |
Use when debugging integration-service running on a cluster. Covers pod logs, health probes, metrics, webhooks, network policies, environment variables, snapshot GC, and common failure modes.
Use when setting up a local development environment, deploying integration-service to a cluster, installing CRDs, or tearing down a Kind cluster. Covers make targets, kustomize deployment, and full Konflux stack setup.
Use when preparing a pull request for review, before pushing, or when reviewing someone else's PR. Checklist of CI checks, commit conventions, code generation, testing, and documentation requirements.
Use when building, configuring, or running e2e tests for integration-service against a real cluster (Kind or OpenShift). Covers environment variables, test framework, Ginkgo flags, CI pipeline, and test repos.
Use when running, writing, or troubleshooting unit tests for integration-service. Covers make test, envtest setup, suite patterns, mock loader, CRD discovery, coverage, and common test failures.