feat(integration-tests): add ATP Storage S3 integration

.github/linters/.checkov.yaml

@@ -2,6 +2,12 @@
 
 quiet: true
 
+# Files under Helm templates/ are not valid YAML until `helm template` runs (they contain {{ ... }}).
+# Checkov still feeds some of them to YAML-based runners (e.g. CloudFormation), which then fail to parse.
+# Excluding template sources is the recommended approach; use the Helm chart scan (values + Chart.yaml) for policy checks.
+skip-path:
+  - ^operator/charts/[^/]+/templates/
+
 skip-check:
 # https://www.checkov.io/5.Policy%20Index/kubernetes.html
 - CKV_K8S_15 # Image Pull Policy should be Always

.github/workflows/build.yaml

@@ -26,10 +26,20 @@ on:
   workflow_dispatch:
     inputs:
       publish_docker:
-        description: "Publish images to ghcr.io/netcracker"
+        description: "Publish images to ghcr.io/<repository owner> (lowercase)"
         type: boolean
         default: false
         required: false
+      tags:
+        description: "Optional extra tags for metadata-action"
+        type: string
+        required: false
+        default: ""
+      replace_symbol:
+        description: "Replace symbol for metadata-action ref names"
+        type: string
+        required: false
+        default: "_"
 
 permissions:
   contents: read
@@ -40,7 +50,9 @@ concurrency:
 
 env:
   TAG_NAME: ${{ github.event.release.tag_name || github.head_ref || github.ref_name }}
-  PUSH: ${{ (github.event_name != 'workflow_dispatch' || inputs.publish_docker) && github.actor != 'dependabot[bot]' }}
+  # Fork PRs run on the base repo: GITHUB_TOKEN cannot push org packages; still build with push=false.
+  # Pushes on your fork (push event) publish to ghcr.io/<fork owner>/... via GITHUB_GROUP below.
+  PUSH: ${{ (github.event_name != 'workflow_dispatch' || inputs.publish_docker) && github.actor != 'dependabot[bot]' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
 
 jobs:
   prepare:
@@ -88,7 +100,7 @@ jobs:
         with:
           default-template: "{{ref-name}}"
           extra-tags: ${{ github.event.inputs.tags || '' }}
-          replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
+          replace-symbol: ${{ github.event.inputs.replace_symbol || '_' }}
 
   build:
     name: ${{ matrix.component.name }} Image Build
@@ -103,25 +115,30 @@ jobs:
         component: ${{ fromJson(needs.prepare.outputs.components) }}
     steps:
       - name: Validate
+        if: ${{ github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/') }}
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.ref }}" == refs/tags* ]]; then
-            echo -e "\033[91mManual workflow run on tags is not allowed!\033[0m"
-            exit 1
-          fi
+          echo -e "\033[91mManual workflow run on tags is not allowed!\033[0m"
+          exit 1
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${GITHUB_ACTOR}
           password: ${{secrets.GITHUB_TOKEN}}
       - name: Prepare Tag
         run: echo "TAG_NAME=$(echo ${TAG_NAME} | sed 's@refs/tags/@@;s@refs/heads/@@;s@/@_@g')" >> $GITHUB_ENV
+      - name: Prepare registry namespace
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: echo "GITHUB_GROUP=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
       - name: Get package IDs for delete
         id: get-ids-for-delete
         uses: Netcracker/get-package-ids@84bc8eb8bed50218be76e671b3a24c35a1300979
@@ -139,7 +156,7 @@ jobs:
           platforms: ${{ needs.prepare.outputs.platforms }}
           push: ${{ env.PUSH }}
           build-args: PG_VERSION=${{ matrix.component.pg_version }}
-          tags: ghcr.io/netcracker/${{ matrix.component.name }}:${{ env.TAG_NAME }}
+          tags: ghcr.io/${{ env.GITHUB_GROUP }}/${{ matrix.component.name }}:${{ env.TAG_NAME }}
           provenance: false
       - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
         with:

.github/workflows/link-checker.yaml

@@ -14,10 +14,12 @@ jobs:
   linkChecker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Restore lychee cache
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         id: restore-cache
         with:
           path: .lycheecache
@@ -26,10 +28,11 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1
         with:
           args: >-
             './**/*.md'
+            --root-dir ${{ github.workspace }}
             --verbose
             --no-progress
             --user-agent 'Mozilla/5.0 (X11; Linux x86_64) Chrome/134.0.0.0'

README.md

@@ -14,6 +14,22 @@ Postgres-Operator provides PostgreSQL as a service on Kubernetes and OpenShift.
 
 Please refer to the [Quick Start Guide](/docs/public/quickstart.md)
 
+### Integration tests and ATP storage
+
+Integration test settings live under `tests` in the Helm values for **patroni-core** and **patroni-services** (see [`operator/charts/patroni-core/values.yaml`](operator/charts/patroni-core/values.yaml) and [`operator/charts/patroni-services/values.yaml`](operator/charts/patroni-services/values.yaml)). The test image is based on [qubership-docker-integration-tests](https://github.com/Netcracker/qubership-docker-integration-tests). Optional `tests.atpStorage`, `tests.atpReportViewUiUrl`, and `tests.environmentName` map to the same `ATP_*` / `ENVIRONMENT_NAME` variables as in other Qubership demos (Consul `integrationTests.*`, RabbitMQ `tests.*`). The Patroni Services chart renders these into the custom resource (`operator/charts/patroni-services/templates/cr.yaml`).
+
+| Value (Helm)                 | Description |
+|------------------------------|-------------|
+| `tests.atpStorage.provider`  | S3 provider (for example `aws`, `minio`, `s3`). When set, the chart can emit ATP storage environment variables for the test pod. |
+| `tests.atpStorage.serverUrl` | S3 API endpoint URL. |
+| `tests.atpStorage.serverUiUrl` | Optional storage UI URL. |
+| `tests.atpStorage.bucket`    | Bucket name; empty usually means no S3 upload in the base image flow. |
+| `tests.atpStorage.region`    | Region (for example for AWS). |
+| `tests.atpStorage.username`  | Access key (sensitive; prefer secrets / external overrides in real environments). |
+| `tests.atpStorage.password`  | Secret key (same as username). |
+| `tests.atpReportViewUiUrl`   | Optional Allure report UI base URL. |
+| `tests.environmentName`      | Optional logical name for paths or labels. |
+
 ### Smoke tests
 
 There is no smoke tests.

docs/public/architecture.md

@@ -0,0 +1,3 @@
+# Architecture
+
+## Postgres operator

docs/public/features/query-exporter.md

@@ -29,7 +29,7 @@ However for managed databases these extensions must be enabled for database inst
 
 ## Migration from postgres-exporter
 
-Please check [new queries format](/charts/patroni-services/query-exporter/query-exporter-queries.yaml) for query-exporter.
+Please check [new queries format](/operator/charts/patroni-services/query-exporter/query-exporter-queries.yaml) for query-exporter.
 For custom queries two sections must be used in config: `metrics` and `queries`.
 
 Queries section includes map of queries. Each query now include next mandatory fields:
@@ -174,7 +174,7 @@ In this case query `pg_example` will be executed for all databases matching at l
 
 In postgres-operator new watchers are created for namespaces, listed in deployment parameters.
 These watchers react to Create, Update, Delete events for config maps with labels from `queryExporter.customQueries.labels` parameter and mandatory label
-```query-exporter: custom-queries```. Config maps should contain metrics with custom queries for Query Exporter. Metrics must correspond to the [query exporter format](/charts/patroni-services/query-exporter/query-exporter-queries.yaml) and must meet [metric naming rules](https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels)).
+```query-exporter: custom-queries```. Config maps should contain metrics with custom queries for Query Exporter. Metrics must correspond to the [query exporter format](/operator/charts/patroni-services/query-exporter/query-exporter-queries.yaml) and must meet [metric naming rules](https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels)).
 After the Create event, changes from created config map will be appended to `query-exporter-queries` config map.
 After the Modify event, changes from config map will be replaced in `query-exporter-queries` config map.
 After the Delete event, changes from config map will be deleted from `query-exporter-queries` config map.
@@ -202,7 +202,7 @@ queryExporter:
     - "pg_lock_tree_query"
     - "connection_by_role_with_limit_query"
 ```
-Names of the queries can be found in [query-exporter-queries](/charts/patroni-services/query-exporter/query-exporter-queries.yaml) configmap. All metrics for excluded query will be automatically excluded.
+Names of the queries can be found in [query-exporter-queries](/operator/charts/patroni-services/query-exporter/query-exporter-queries.yaml) configmap. All metrics for excluded query will be automatically excluded.
 
 
 # Self monitoring