-
Notifications
You must be signed in to change notification settings - Fork 31
122 lines (117 loc) · 4.72 KB
/
install-frsca.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
---
name: CI
on:
pull_request:
types:
- opened
- synchronize
- reopened
push:
branches:
- main
workflow_dispatch: {}
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: mfinelli/setup-shfmt@031e887e39d899d773a7e9b6dd6472c2c23ff50d # v3.0.1
- name: Lint all
run: make lint
setup:
runs-on: ubuntu-latest
needs:
lint
name: Test FRSCA Installation
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "~1.21.0"
- name: Vendor Dependencies
run: |
./platform/vendor/vendor.sh
./platform/vendor/vendor-helm-all.sh
- name: Check commit is clean
run: test -z "$(git status --porcelain)" || (git status; git diff; false)
- name: Start minikube
run: |
make setup-minikube
- name: Try the cluster !
run: kubectl get pods -A
- name: Initialize FRSCA
env:
REGISTRY: "registry.registry"
run: |
make setup-frsca
- name: Run buildpacks pipeline
env:
REGISTRY: "registry.registry"
run: |
make registry-proxy >/dev/null &
./platform/wait-for-pipelinerun.sh -m example-buildpacks -n example-buildpacks-
# tail PipelineRun logs
tkn pr logs --last -f
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
tkn pr describe --last
exit 1
fi
sleep 60
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
echo "TASK_RUNS=${TASK_RUNS[@]}"
TASK_RUN="none"; IMAGE_URL="none"
for tr in "${TASK_RUNS[@]}"; do
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
if [ -n "${image}" ]; then
TASK_RUN="${tr}"
IMAGE_URL="${image}"
break
fi
done
if [ "${REGISTRY}" = "registry.registry" ]; then
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
fi
echo "TASK_RUN=${TASK_RUN}"
echo "IMAGE_URL=${IMAGE_URL}"
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]'
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
kill %?registry-proxy
- name: Run sample pipeline to test kyverno
env:
REGISTRY: "registry.registry"
run: |
make registry-proxy >/dev/null &
./platform/wait-for-pipelinerun.sh -m example-sample-pipeline -n example-sample-pipeline-
# tail PipelineRun logs
tkn pr logs --last -f
if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
tkn pr describe --last
exit 1
fi
sleep 60
TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
echo "TASK_RUNS=${TASK_RUNS[@]}"
TASK_RUN="none"; IMAGE_URL="none"
for tr in "${TASK_RUNS[@]}"; do
image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
if [ -n "${image}" ]; then
TASK_RUN="${tr}"
IMAGE_URL="${image}"
break
fi
done
if [ "${REGISTRY}" = "registry.registry" ]; then
IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
fi
echo "TASK_RUN=${TASK_RUN}"
echo "IMAGE_URL=${IMAGE_URL}"
crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
kubectl wait --timeout=5m --for=condition=ready pods -l app=picalc -n prod
kill %?registry-proxy