From a0e1115463962b618e7f0d446a985bef72164789 Mon Sep 17 00:00:00 2001
From: Jan Bouska
Date: Fri, 10 Nov 2023 16:48:25 +0100
Subject: [PATCH 1/3] Update resources to work with image SHAs (#85)
---
 charts/trusted-artifact-signer/Chart.yaml | 2 +-
 charts/trusted-artifact-signer/templates/_helpers.tpl | 11 +++++++++++
 .../templates/clientserver-deployment.yaml | 2 +-
 .../templates/cosign-deployment.yaml | 2 +-
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml
index 0b03787f..457b9e10 100644
--- a/charts/trusted-artifact-signer/Chart.yaml
+++ b/charts/trusted-artifact-signer/Chart.yaml
@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.22
+version: 0.1.23
diff --git a/charts/trusted-artifact-signer/templates/_helpers.tpl b/charts/trusted-artifact-signer/templates/_helpers.tpl
index 4038d9db..ace425cf 100644
--- a/charts/trusted-artifact-signer/templates/_helpers.tpl
+++ b/charts/trusted-artifact-signer/templates/_helpers.tpl
@@ -60,3 +60,14 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the image path for the passed in image field
+*/}}
+{{- define "image" -}}
+{{- if eq (substr 0 7 .version) "sha256:" -}}
+{{- printf "%s/%s@%s" .registry .repository .version -}}
+{{- else -}}
+{{- printf "%s/%s:%s" .registry .repository .version -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
index aeb4b7f5..c36c7dd4 100644
--- a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
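Review bot: The new named template is registered under the bare name `image`, and Helm named templates share one global namespace across a chart and every subchart it pulls in, so this definition will silently override, or be overridden by, any dependency that defines a template of the same name; prefix it with the chart name, e.g. `{{- define "trusted-artifact-signer.image" -}}`, and update the two callers. The digest test `eq (substr 0 7 .version) "sha256:"` works, but Sprig's `hasPrefix "sha256:" .version` states the intent directly and does not depend on counting characters. Any `version` that does not start with `sha256:` is rendered as a mutable tag with no warning, so a release that is meant to be digest-pinned can regress to a tag through a values override; a comment on the `else` branch saying that tags are accepted only for development would make that explicit.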
+++ b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
@@ -21,7 +21,7 @@ spec:
       serviceAccountName: {{ .Values.configs.clientserver.name }}
       containers:
       - name: tas-clients
-        image: "{{ .Values.configs.clientserver.image.registry }}/{{ .Values.configs.clientserver.image.repository }}:{{ .Values.configs.clientserver.image.version }}"
+        image: "{{ template "image" .Values.configs.clientserver.image }}"
         #image: quay.io/sallyom/tas-clients:httpd
         imagePullPolicy: IfNotPresent
         ports:
diff --git a/charts/trusted-artifact-signer/templates/cosign-deployment.yaml b/charts/trusted-artifact-signer/templates/cosign-deployment.yaml
index 4b798a11..8ee32fd9 100644
--- a/charts/trusted-artifact-signer/templates/cosign-deployment.yaml
+++ b/charts/trusted-artifact-signer/templates/cosign-deployment.yaml
@@ -21,7 +21,7 @@ spec:
       {{- end }}
       containers:
       - name: {{ .Values.configs.cosign_deploy.name }}
-        image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
+        image: "{{ template "image" .Values.configs.cosign_deploy.image }}"
         env:
         - name: OPENSHIFT_APPS_SUBDOMAIN
           value: {{ .Values.global.appsSubdomain }}
From 4c07b4db401413b4ce297611c3218933e6fb1685 Mon Sep 17 00:00:00 2001
From: Tommy Dalton <59835082+tommyd450@users.noreply.github.com>
Date: Wed, 15 Nov 2023 23:17:22 +0000
Subject: [PATCH 2/3] Nightly metrics (#81)
* Added nightly cronjob template
Updated templates based on the segment-backup-job repo
* adding job for post-install and moving job to cronjob for nightly metrics
* chore: update segment-backup-job sha
Signed-off-by: Lance Ball
* adding job for post-install and moving job to cronjob for nightly metrics
---------
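Review bot: The rewritten `image:` line calls the helper with `{{ template "image" ... }}`; Helm's own guidance is `{{ include "image" .Values.configs.clientserver.image | quote }}`, because `include` returns a string that can be piped and quoted while `template` cannot, and the value is already being hand-wrapped in double quotes here. The stale `#image: quay.io/sallyom/tas-clients:httpd` comment kept as context under the new line points at a personal registry namespace and should go now that the image is fully value-driven. `imagePullPolicy: IfNotPresent` is safe when `version` is a digest but keeps serving a cached layer when a mutable tag is supplied, which the helper still permits. The same `template` vs `include` point applies to the cosign-deployment hunk below; both container specs continue outside their hunks.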
Signed-off-by: Lance Ball Co-authored-by: greg pereira Co-authored-by: Lance Ball --- charts/trusted-artifact-signer/Chart.yaml | 2 +- charts/trusted-artifact-signer/README.md | 11 ++++- .../templates/segment-backup-cronjob.yaml | 37 ++++++++++++++++ .../segment-backup-job-clusterrole.yaml | 19 +++++++++ ...segment-backup-job-clusterrolebinding.yaml | 13 ++++++ .../templates/segment-backup-job-sa.yaml | 8 ++++ .../templates/segment-backup-job.yaml | 33 +++++++++++++++ .../values.schema.json | 39 +++++++++++++++++ .../values.schema.tmpl.json | 42 ++++++++++++++++++- charts/trusted-artifact-signer/values.yaml | 12 ++++++ grafana/operator/kustomization.yaml | 1 - grafana/operator/namespace.yaml | 4 -- kind/kind-up-test.sh | 1 + tas-easy-install.sh | 32 ++++++++++++++ 14 files changed, 245 insertions(+), 9 deletions(-) create mode 100644 charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml create mode 100644 charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml create mode 100644 charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml create mode 100644 charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml create mode 100644 charts/trusted-artifact-signer/templates/segment-backup-job.yaml delete mode 100644 grafana/operator/namespace.yaml diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml index 457b9e10..fefea981 100644 --- a/charts/trusted-artifact-signer/Chart.yaml +++ b/charts/trusted-artifact-signer/Chart.yaml @@ -33,4 +33,4 @@ sources: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.23 +version: 0.1.24 diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md index 7c4816c9..58360915 100644 
--- a/charts/trusted-artifact-signer/README.md +++ b/charts/trusted-artifact-signer/README.md @@ -3,7 +3,7 @@ A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift -![Version: 0.1.22](https://img.shields.io/badge/Version-0.1.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Overview @@ -117,6 +117,15 @@ Kubernetes: `>= 1.19.0-0` | configs.fulcio.server.secret.public_key_file | file containing signer public key | string | `""` | | configs.fulcio.server.secret.root_cert | fulcio root certificate authority (CA) | string | `""` | | configs.fulcio.server.secret.root_cert_file | file containing fulcio root certificate authority (CA) | string | `""` | +| configs.sigstore_monitoring.namespace | | string | `"sigstore-monitoring"` | +| configs.sigstore_monitoring.namespace_create | | bool | `true` | +| configs.segment_backup_job.image.registry | | string | `"quay.io"` | +| configs.segment_backup_job.image.pullPolicy | | string | `"IfNotPresent"` | +| configs.segment_backup_job.image.registry | | string | `"quay.io"` | +| configs.segment_backup_job.image.repository | | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/segment-backup-job"` | +| configs.segment_backup_job.image.version | | string | `"sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44"` | +| configs.segment_backup_job.name | | string | `"nightlyMetricsCollection"` | +| configs.segment_backup_job.namespace | | string | `"sigstore-monitoring"` | | configs.rekor.clusterMonitoring.enabled | | bool | `true` | | configs.rekor.clusterMonitoring.endpoints[0].interval | | string | `"30s"` | | configs.rekor.clusterMonitoring.endpoints[0].port | | string | `"2112-tcp"` | 
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml b/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml
new file mode 100644
index 00000000..08494fe0
--- /dev/null
+++ b/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml
@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Values.configs.segment_backup_job.name }}
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
+spec:
+  schedule: "0 0 * * *"
+  concurrencyPolicy: "Replace"
+  startingDeadlineSeconds: 200
+  suspend: false
+  successfulJobsHistoryLimit: 7
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          name: {{ .Values.configs.segment_backup_job.name }}
+          labels:
+            parent: "segment-backup-job"
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: segment-backup-job
+          containers:
+          - name: {{ .Values.configs.segment_backup_job.name }}
+            # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
+            image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+            command: ["/bin/bash", "/opt/app-root/src/script.sh"]
+            env:
+            - name: RUN_TYPE
+              value: "nightly"
+            securityContext:
+              allowPrivilegeEscalation: false
+              seccompProfile:
+                type: RuntimeDefault
+              capabilities:
+                drop:
+                - ALL
\ No newline at end of file
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml
new file mode 100644
index 00000000..d791d745
--- /dev/null
+++ b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml
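Review bot: The container `securityContext` drops all capabilities and disables privilege escalation but never sets `runAsNonRoot: true` or `readOnlyRootFilesystem: true`, so on a cluster without an SCC admission layer (this repo also targets kind via `kind/kind-up-test.sh`) the script runs as whatever user the image defaults to; add `runAsNonRoot: true` next to `allowPrivilegeEscalation: false`. The `image:` line hard-codes the `@` digest separator instead of calling the `image` helper the other deployments use, and the commented-out form above it, which would render `registry/repository/sha256:...`, should be deleted rather than kept as a hint. `configs.segment_backup_job.image.pullPolicy` exists in values but is not consumed here; either add `imagePullPolicy: {{ .Values.configs.segment_backup_job.image.pullPolicy }}` or drop the value. There are no `resources` requests or limits on this nightly batch pod, and the templated `name`/`namespace` scalars are unquoted.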
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: segment-backup-job
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - "route.openshift.io"
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
\ No newline at end of file
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml
new file mode 100644
index 00000000..1484b04e
--- /dev/null
+++ b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: segment-backup-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: segment-backup-job
+subjects:
+- kind: ServiceAccount
+  name: segment-backup-job
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
\ No newline at end of file
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml
new file mode 100644
index 00000000..e154b6ca
--- /dev/null
+++ b/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: segment-backup-job
+  # namespace: {{ .Values.configs.segment_backup_job.namespace }}
+  namespace: sigstore-monitoring
+secrets:
+- name: pull-secret
\ No newline at end of file
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
new file mode 100644
index 00000000..6c3908c9
--- /dev/null
+++ b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
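Review bot: The ClusterRole grants `get` and `list` on `secrets` with no namespace or name restriction, so the nightly metrics job's service account can read every Secret in the cluster, presumably including the Fulcio and Rekor signing-key secrets this chart manages; if the script only needs `pull-secret` in its own namespace, make this a namespaced `Role` plus `RoleBinding`, or at minimum add `resourceNames: ["pull-secret"]` to the secrets rule. The `routes` rule is cluster-wide as well; if the job only resolves this release's routes it can be scoped the same way. The ClusterRole and ClusterRoleBinding are both named with the fixed string `segment-backup-job` and no release-name prefix, so two releases of the chart on one cluster will collide on the same cluster-scoped objects.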
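Review bot: The ServiceAccount namespace is hard-coded to `sigstore-monitoring` while the templated line is left commented out, but the CronJob, the post-install Job and the ClusterRoleBinding subject all use `.Values.configs.segment_backup_job.namespace`, so overriding that value yields pods that reference a service account missing from their namespace and a binding whose subject points at nothing; restore `namespace: {{ .Values.configs.segment_backup_job.namespace }}`. The `secrets:` field on a ServiceAccount only lists secrets that pods using it may mount (and legacy token secrets); if `pull-secret` is a registry credential for `quay.io/redhat-user-workloads`, it belongs under `imagePullSecrets:` / `- name: pull-secret`, otherwise the kubelet never uses it for pulls. The secret itself is created out of band by `tas-easy-install.sh` rather than by the chart, so a bare `helm install` leaves this reference dangling; that prerequisite should be stated in the chart README.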
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.configs.segment_backup_job.name }}
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
+spec:
+  parallelism: 1
+  completions: 1
+  activeDeadlineSeconds: 600
+  backoffLimit: 5
+  template:
+    metadata:
+      name: {{ .Values.configs.segment_backup_job.name }}
+      labels:
+        parent: "segment-backup-job"
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: segment-backup-job
+      containers:
+      - name: {{ .Values.configs.segment_backup_job.name }}
+        # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
+        image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+        command: ["/bin/bash", "/opt/app-root/src/script.sh"]
+        env:
+        - name: RUN_TYPE
+          value: "installation"
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
\ No newline at end of file
diff --git a/charts/trusted-artifact-signer/values.schema.json b/charts/trusted-artifact-signer/values.schema.json
index 0db50fdc..51e17d11 100644
--- a/charts/trusted-artifact-signer/values.schema.json
+++ b/charts/trusted-artifact-signer/values.schema.json
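Review bot: This post-install Job is a regular chart resource rather than a Helm hook, and a Job's `spec.template` is immutable once created, so any later `helm upgrade` that changes the image digest or env will fail with an immutable-field error; that is presumably why `tas-easy-install.sh` in this same series now deletes whatever Job it finds before installing. Annotate it with `helm.sh/hook: post-install,post-upgrade` and `helm.sh/hook-delete-policy: before-hook-creation` so Helm recreates it per release and the script no longer needs to delete it by hand. As in the CronJob, the container `securityContext` lacks `runAsNonRoot: true`, the `image:` line bypasses the `image` helper and keeps a commented-out wrong form above it, and since only `RUN_TYPE` differs between the two pod specs they could share one named template instead of being duplicated.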
@@ -3,6 +3,45 @@ "properties": { "configs": { "properties": { + "sigstore_monitoring": { + "properties": { + "namespace": { + "type": "string" + } + } + }, + "segment_backup_job":{ + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type" : "string" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "rolebindings": { + "items": { + "type": "string" + }, + "type": "array" + } + } + }, "clientserver": { "properties": { "consoleDownload": { diff --git a/charts/trusted-artifact-signer/values.schema.tmpl.json b/charts/trusted-artifact-signer/values.schema.tmpl.json index c15e7ca0..16cf883c 100644 --- a/charts/trusted-artifact-signer/values.schema.tmpl.json +++ b/charts/trusted-artifact-signer/values.schema.tmpl.json @@ -19,6 +19,45 @@ "configs": { "type": "object", "properties": { + "sigstore_monitoring": { + "properties": { + "namespace": { + "type": "string" + } + } + }, + "segment_backup_job":{ + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type" : "string" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "rolebindings": { + "items": { + "type": "string" + }, + "type": "array" + } + } + }, "clientserver": { "properties": { "consoleDownload": { @@ -275,8 +314,7 @@ }, "type": "object" } - }, - "type": "object" + } }, "rbac": { "properties": { diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml index e8601259..132eb789 100644 --- a/charts/trusted-artifact-signer/values.yaml +++ b/charts/trusted-artifact-signer/values.yaml 
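Review bot: `segment_backup_job.image.version` is typed only as a free-form string, but both job templates place it after an `@` separator, so any non-digest value renders an invalid image reference that only surfaces when the pod is created; constrain it with `"pattern": "^sha256:[0-9a-f]{64}$"` on that property so `helm lint` and `helm install` reject a tag up front. `rolebindings` is declared here (and populated in values.yaml) but no template in this change reads it, so either wire it up or drop it from the schema and values. The `namespace` property for `segment_backup_job` could carry the same `pattern` used for Kubernetes names, since it is interpolated unquoted into `metadata.namespace` in three templates.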
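Review bot: The last hunk in values.schema.tmpl.json removes a `"type": "object"` from the close of an enclosing object whose key is outside the hunk, which loosens validation for that whole subtree (a scalar or array would now pass where only a mapping did before); it reads like a side effect of re-indenting the new `segment_backup_job` block rather than an intended change, so it is worth confirming and, if unintended, restoring `"type": "object"` on the closing `}`.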
@@ -5,6 +5,18 @@ global:
   appsSubdomain: ""
 configs:
+  sigstore_monitoring:
+    namespace: sigstore-monitoring
+  segment_backup_job:
+    name: segment-backup-job
+    namespace: sigstore-monitoring
+    image:
+      registry: quay.io
+      repository: redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/segment-backup-job
+      version: sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44
+      pullPolicy: IfNotPresent
+    rolebindings:
+    - segment-backup-job
   clientserver:
     # -- Whether to create the OpenShift resource 'ConsoleCLIDownload' for each binary.
     # -- This can only be enabled if the OpenShift CRD is registered.
diff --git a/grafana/operator/kustomization.yaml b/grafana/operator/kustomization.yaml
index 88c0e9c4..9e85ca91 100644
--- a/grafana/operator/kustomization.yaml
+++ b/grafana/operator/kustomization.yaml
@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- namespace.yaml
 - operator.yaml
diff --git a/grafana/operator/namespace.yaml b/grafana/operator/namespace.yaml
deleted file mode 100644
index f499718d..00000000
--- a/grafana/operator/namespace.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: sigstore-monitoring
diff --git a/kind/kind-up-test.sh b/kind/kind-up-test.sh
index 429f8156..92fa00f2 100755
--- a/kind/kind-up-test.sh
+++ b/kind/kind-up-test.sh
@@ -21,6 +21,7 @@ then
 else
   mv /tmp/config ~/.kube/config
 fi
+chmod go-r ~/.kube/config
 oc config use-context kind-kind
diff --git a/tas-easy-install.sh b/tas-easy-install.sh
index 842d2ba4..394c9a8f 100755
--- a/tas-easy-install.sh
+++ b/tas-easy-install.sh
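Review bot: Both new `namespace` values default to `sigstore-monitoring`, but nothing in the chart creates that namespace and this same series deletes `grafana/operator/namespace.yaml` from the kustomization, so a plain `helm install` now fails on the first `sigstore-monitoring` resource unless `tas-easy-install.sh` has run `oc new-project` first; either add a guarded Namespace template (the README hunk already documents a `configs.sigstore_monitoring.namespace_create` flag that has no counterpart in these values) or state the prerequisite in the README. `rolebindings` and `image.pullPolicy` are set here but no template in this change consumes either of them. `version: sha256:...` should be quoted like the other string values in this file (`version: "sha256:..."`), and the README's documented default for `segment_backup_job.name`, `nightlyMetricsCollection`, disagrees with the `segment-backup-job` set here.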
@@ -97,6 +97,38 @@ openssl ec -in file_ca_key.pem -passin pass:"$password" -pubout -out file_ca_pub
 openssl req -new -x509 -days 365 -key file_ca_key.pem -passin pass:"$password" -out fulcio-root.pem -passout pass:"$password" -subj "/CN=$common_name/emailAddress=$email_address/O=$organization_name"
 openssl ecparam -name prime256v1 -genkey -noout -out rekor_key.pem
+segment_backup_job=$(oc get job -n sigstore-monitoring --ignore-not-found=true | tail -n 1 | awk '{print $1}')
+if [[ -n $segment_backup_job ]]; then
+  oc delete job $segment_backup_job -n sigstore-monitoring
+fi
+
+oc new-project sigstore-monitoring > /dev/null 2>&1
+
+pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
+if [[ -n $pull_secret_exists ]]; then
+  read -p "Secret \"pull-secret\" in namespace \"sigstore-monitoring\" already exists. Overwrite it (Y/N)?: " -n1 overwrite_pull_secret
+  echo ""
+  if [[ $overwrite_pull_secret == "Y" || $overwrite_pull_secret == 'y' ]]; then
+    read -p "Please enter the absolute path to the pull-secret.json file:
+" pull_secret_path
+    file_exists=$(ls $pull_secret_path 2>/dev/null)
+    if [[ -n $file_exists ]]; then
+      oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path --dry-run=client -o yaml | oc replace -f -
+    else
+      echo "pull secret was not found based on the path provided: $pull_secret_path"
+      exit 0
+    fi
+  elif [[ $overwrite_pull_secret == "N" || $overwrite_pull_secret == 'n' ]]; then
+    echo "Skipping overwriting pull-secret..."
+  else
+    echo "Bad input. Skipping this step, using existing pull-secret"
+  fi
+else
+  read -p "Please enter the absolute path to the pull-secret.json file:
+" pull_secret_path
+  oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path
+fi
+
 rm unenc.key
 popd > /dev/null
From e4d92c89cac74ac5540397ae57c4ff5ad540001f Mon Sep 17 00:00:00 2001
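Review bot: The cleanup at the top of the block deletes whatever the last row of `oc get job -n sigstore-monitoring` happens to be, not specifically the segment-backup Job, so any other Job in that namespace can be removed; replace the lookup and the `if` with `oc delete job segment-backup-job -n sigstore-monitoring --ignore-not-found=true`, the name the chart's values set. `$pull_secret_path` is expanded unquoted in `ls $pull_secret_path` and `--from-file=$pull_secret_path`, so a path containing spaces breaks, and `ls` is the wrong existence test; use `if [[ -f "$pull_secret_path" ]]` and quote the argument. The not-found branch runs `exit 0`, reporting success to any caller after aborting the install; make it `exit 1`. The whole interactive block sits before the existing `rm unenc.key`, so a user who aborts at a prompt leaves what is presumably an unencrypted private key on disk for longer; move this block after that `rm`, or add a `trap 'rm -f unenc.key' EXIT` near where the file is created.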
From: red-hat-trusted-app-pipeline Date: Thu, 30 Nov 2023 20:08:15 +0000 Subject: [PATCH 3/3] Red Hat Trusted App Pipeline purge client-server --- .tekton/client-server-pull-request.yaml | 428 ------------------------ .tekton/client-server-push.yaml | 425 ----------------------- 2 files changed, 853 deletions(-) delete mode 100644 .tekton/client-server-pull-request.yaml delete mode 100644 .tekton/client-server-push.yaml diff --git a/.tekton/client-server-pull-request.yaml b/.tekton/client-server-pull-request.yaml deleted file mode 100644 index 3ebfd8e8..00000000 --- a/.tekton/client-server-pull-request.yaml +++ /dev/null 
@@ -1,428 +0,0 @@ -apiVersion: tekton.dev/v1beta1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/securesign/sigstore-ocp?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "main" - creationTimestamp: null - labels: - appstudio.openshift.io/application: rhtas-stack-1-0-beta - appstudio.openshift.io/component: client-server - pipelines.appstudio.openshift.io/type: build - name: client-server-on-pull-request - namespace: rhtas-tenant -spec: - params: - - name: dockerfile - value: images/Dockerfile-clientserver - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - value: 5d - - name: output-image - value: quay.io/redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/client-server:on-pr-{{revision}} - - name: path-context - value: . 
- - name: revision - value: '{{revision}}' - - name: prefetch-input - value: '' - - name: build-source-image - value: "true" - pipelineSpec: - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:243b13105967b251c1facd55159165809a9fa797215af613997ac6a16798db73 - - name: kind - value: task - resolver: bundles - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "true" - description: Skip optional checks, set false if you want to run optional checks - name: skip-optional - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image - name: build-source-image - type: string - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - - name: skip-optional - value: $(params.skip-optional) - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: pipelinerun-uid - value: $(context.pipelineRun.uid) - taskRef: - params: - - name: 
name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:d9e1ab10d72953e7a85dab69b8b96f5b41580a6d4026f77b6a5ba6f3ed227cc3 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:ca366af4f096e94dad40a327a09328a5e4bed4d0292a213165861e9e19bf380e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.prefetch-input) - operator: notin - values: - - "{}" - workspaces: - - name: source - workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e38365a7acbe4a6135fa72096513e24795dc7a8ed8f6be5fa0c7bf0f30484ac6 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(params.output-image) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e751a76622743cf51b35ba230768be9886535b7cf51491c2b8513979e7a577d8 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: - - name: workspace - workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:3a5d3f611240eb5b7b12799c2be22a71803df80dbc12cce2e1e2a252ab543423 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: source - workspace: workspace - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:f23d0cca3c02a78fb2b2760d0fba28a3196fa7bcc106da35f45ef95d1f8e7065 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:f6a5a24cb8faa590d4f3adc204a197fd89da1bcea365963af9ac66838c030816 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:f57c69cfedf37a46dd61285b5b9b4805ff196facaad2d7cdeded496c77d31bec - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:b7d194547892219c663c4414d3bbb18e0c1798353e3922e4dc2b63ef9169adb9 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: 
$(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:0ca48e1dffde39efe97b3252386f529241d6b276fe812a88774a9f37fc45f742 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - - name: git-auth - optional: true - workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} diff --git a/.tekton/client-server-push.yaml b/.tekton/client-server-push.yaml deleted file mode 100644 index c9dae8d2..00000000 --- a/.tekton/client-server-push.yaml +++ /dev/null 
@@ -1,425 +0,0 @@ -apiVersion: tekton.dev/v1beta1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/securesign/sigstore-ocp?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch - == "main" - creationTimestamp: null - labels: - appstudio.openshift.io/application: rhtas-stack-1-0-beta - appstudio.openshift.io/component: client-server - pipelines.appstudio.openshift.io/type: build - name: client-server-on-push - namespace: rhtas-tenant -spec: - params: - - name: dockerfile - value: images/Dockerfile-clientserver - - name: git-url - value: '{{repo_url}}' - - name: output-image - value: quay.io/redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/client-server:{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: prefetch-input - value: '' - - name: build-source-image - value: 'true' - pipelineSpec: - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:243b13105967b251c1facd55159165809a9fa797215af613997ac6a16798db73 - - name: kind - value: task - resolver: bundles - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "true" - description: Skip optional checks, set false if you want to run optional checks - name: skip-optional - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image. 
- name: build-source-image - type: string - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - - name: skip-optional - value: $(params.skip-optional) - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: pipelinerun-uid - value: $(context.pipelineRun.uid) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:d9e1ab10d72953e7a85dab69b8b96f5b41580a6d4026f77b6a5ba6f3ed227cc3 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:ca366af4f096e94dad40a327a09328a5e4bed4d0292a213165861e9e19bf380e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.prefetch-input) - operator: notin - values: - - "{}" - workspaces: - - name: source - workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e38365a7acbe4a6135fa72096513e24795dc7a8ed8f6be5fa0c7bf0f30484ac6 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(params.output-image) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e751a76622743cf51b35ba230768be9886535b7cf51491c2b8513979e7a577d8 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: - - name: workspace - workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: 
IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:3a5d3f611240eb5b7b12799c2be22a71803df80dbc12cce2e1e2a252ab543423 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: source - workspace: workspace - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:f23d0cca3c02a78fb2b2760d0fba28a3196fa7bcc106da35f45ef95d1f8e7065 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:f6a5a24cb8faa590d4f3adc204a197fd89da1bcea365963af9ac66838c030816 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:f57c69cfedf37a46dd61285b5b9b4805ff196facaad2d7cdeded496c77d31bec - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - 
"false" - workspaces: - - name: workspace - workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:b7d194547892219c663c4414d3bbb18e0c1798353e3922e4dc2b63ef9169adb9 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:0ca48e1dffde39efe97b3252386f529241d6b276fe812a88774a9f37fc45f742 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - - name: git-auth - optional: true - workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {}