diff --git a/Makefile b/Makefile
index 0f4122def..6f3539014 100644
--- a/Makefile
+++ b/Makefile
@@ -83,11 +83,6 @@ build-for-test: dist/ec_$(BUILD_IMG_ARCH) clean: ## Delete build output @rm -f dist/* -.PHONY: generate-pipelines -generate-pipelines: ## Generate release pipelines - kustomize build ./release/src/cli --output ./release/cli.yaml - kustomize build ./release/src/tekton-task --output ./release/tekton-task.yaml - ##@ Testing # Declutter the output by grepping out the files where there are no
diff --git a/hack/copy-snapshot-image.sh b/hack/copy-snapshot-image.sh
new file mode 100755
index 000000000..364f41c77
--- /dev/null
+++ b/hack/copy-snapshot-image.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SNAPSHOT_SPEC=$1
+TARGET_REPO=$2
+
+echo "Target repo: ${TARGET_REPO}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+GIT_SHA="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].source.git.revision')"
+IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+
+TAGS=(
+ 'latest'
+ "${GIT_SHA}"
+)
+for tag in "${TAGS[@]}"; do
+ echo "Pushing image with tag ${tag}"
+ cosign copy --force "${IMAGE_REF}" "${TARGET_REPO}:${tag}"
+done
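Review bot: `jq -r` prints the literal string `null` when a field is absent, so the `GIT_SHA` and `IMAGE_REF` assignments can succeed with `null`, and the loop would then call `cosign copy` with a source or tag named `null`. Nothing here checks that `IMAGE_REF` is pinned by digest either; if a snapshot ever carried a tag reference, the image copied could differ from the one the verify-enterprise-contract tasks evaluated (whether snapshots always use digests is not visible in this diff). I would use `jq -er` in both assignments so that errexit stops the script, and add `[[ "${IMAGE_REF}" == *@sha256:* ]] || { echo "image ref is not pinned by digest" >&2; exit 1; }` before the loop. `--force` on the `${GIT_SHA}` tag also lets a rerun replace a tag that readers will treat as immutable; consider limiting it to `latest`.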
diff --git a/hack/expand-snapshot.sh b/hack/expand-snapshot.sh
new file mode 100755
index 000000000..3c4d1106d
--- /dev/null
+++ b/hack/expand-snapshot.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This script is meant to take an existing snapshot reference which includes just
+# the EC CLI image and use that to create a new snapshot which includes the EC Tekton
+# bundle image.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Release service includes the namespace with the resource name. Let's clean that up.
+SNAPSHOT_NAME="${1#*/}"
+CLI_SNAPSHOT_PATH=$2
+BUNDLE_SNAPSHOT_PATH=$3
+
+echo "Fetching ${SNAPSHOT_NAME} snapshot"
+SNAPSHOT_SPEC="$(oc get snapshot ${SNAPSHOT_NAME} -o json | jq '.spec')"
+echo "${SNAPSHOT_SPEC}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+CLI_IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+echo "CLI image ref: ${CLI_IMAGE_REF}"
+
+echo "Storing EC CLI snapshot in ${CLI_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" > "${CLI_SNAPSHOT_PATH}"
+
+BUNDLE_IMAGE_REF="$(
+ cosign download attestation "${CLI_IMAGE_REF}" | jq -r '.payload | @base64d | fromjson |
+ .predicate.buildConfig.tasks[] | select(.name == "build-tekton-bundle") |
+ .results[] | select(.name == "IMAGE_REF") | .value'
+)"
+
+echo "Bundle image ref: ${BUNDLE_IMAGE_REF}"
+
+echo "Creating new snapshot spec for bundle and storing in ${BUNDLE_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" | jq --arg bundle "${BUNDLE_IMAGE_REF}" \
+ '.components[0].name = "tekton-bundle" | .components[0].containerImage = $bundle' | \
+ tee "${BUNDLE_SNAPSHOT_PATH}"
diff --git a/release/README.md b/release/README.md
index 3ceef72c4..cd80c9730 100644
--- a/release/README.md
+++ b/release/README.md
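Review bot: `BUNDLE_IMAGE_REF` in hack/expand-snapshot.sh is read from `cosign download attestation`, which fetches the attestation without verifying its signature, and the jq filter exits 0 whether it matched zero, one or several results. An empty or multi-line value is then written into the bundle snapshot as `containerImage`, and the link from the CLI image to its bundle rests on unverified data; the later verify-enterprise-contract-bundle task evaluates the bundle image but, as far as this diff shows, not that the CLI image's provenance named it. Consider `cosign verify-attestation` with the expected key or identity at this point, and guard the result with `[[ "${BUNDLE_IMAGE_REF}" =~ ^[^[:space:]]+$ ]] || { echo "expected exactly one bundle image ref" >&2; exit 1; }`. Separately, `${SNAPSHOT_NAME}` is unquoted in the `oc get snapshot` call, so a value containing whitespace is split into extra arguments; `oc get snapshot "${SNAPSHOT_NAME}" -o json` avoids that.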
@@ -1,19 +1,17 @@ -# Release Pipelines +# Release Pipeline -This directory contains the Tekton Pipelines used to release EC from the main branch. These -Pipelines execute in [Konflux](https://konflux-ci.dev/). - -The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src` directory. To -make changes to the Pipelines, update the corresponding files in that directory and run the -`make generate-pipelines` command (requires `kustomize`). +This directory contains the Tekton Pipeline used to release EC from the main branch. The Pipeline +executes in [Konflux](https://konflux-ci.dev/). ## Setup -The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeliens +The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeline will run. This creates a ServiceAccount with access to perform the release. -## Why are there two Pipelines? +## Why are there two verify-enterprise-contract Tasks? -Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline -parameter. Because the CLI and the Tekton Task require different EC policies, the only way to -achieve this is by using different Pipelines with different default values for the EC policy. +The CLI and the bundle images require different EC policies. The bundle image, for example, does not +include binary content, as such, it makes little sense to run scan it with an anti-virus for example. +Currently, it is not possible to use a single EC policy for different components, but there are plans +for doing so. When that becomes a reality, a single snapshot and a single execution of the +verify-enterprise-contract would be sufficient. diff --git a/release/cli.yaml b/release/cli.yaml index 15acd2178..80ae52fab 100644 --- a/release/cli.yaml +++ b/release/cli.yaml @@ -1,3 +1,4 @@ +--- # Copyright The Enterprise Contract Contributors # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -20,160 +21,117 @@ metadata: name: release-cli spec: description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release + - default: quay.io/enterprise-contract/cli + description: Location to push the CLI image to + name: cli-repo type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan + - default: quay.io/enterprise-contract/tekton-task + description: Location to push the bundle image to + name: bundle-repo type: string - description: The namespaced name (namespace/name) of the snapshot name: snapshot type: string - - default: github.com/enterprise-contract/ec-cli//policies/cli - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - default: pipeline_intention=release description: | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." 
name: enterpriseContractExtraRuleData type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data + - name: clone-repository params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) + - name: url + value: https://github.com/enterprise-contract/ec-cli + - name: revision + value: main - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources + value: source taskRef: params: + # TODO: Can't use Konflux's git-clone Task because that requires a security context not provided + # to the ServiceAccount running this pipeline (securityContext.runAsUser: 0). 
- name: url - value: https://github.com/lcarva/release-service-bundles.git + value: https://github.com/lcarva/build-definitions.git - name: revision - value: support-tenant-releases + value: no-root-git-clone - name: pathInRepo - value: tasks/collect-data/collect-data.yaml + value: task/git-clone/0.1/git-clone.yaml resolver: git workspaces: - - name: data + - name: output workspace: release-workspace - - name: reduce-snapshot + - name: expand-snapshot params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + - name: input + value: $(params.snapshot) runAfter: - - collect-data - taskRef: + - clone-repository + taskSpec: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git + - name: input + type: string + results: + - name: cli-snapshot-spec + type: string + - name: bundle-snapshot-spec + type: string + stepTemplate: + env: + - name: HOME + value: /tekton/home + steps: + - command: + - hack/expand-snapshot.sh + - $(params.input) + - $(results.cli-snapshot-spec.path) + - $(results.bundle-snapshot-spec.path) + image: quay.io/konflux-ci/appstudio-utils:latest + name: expand + workingDir: $(workspaces.source.path)/source + workspaces: + - name: source workspaces: - - name: data + - name: source workspace: release-workspace - - name: apply-mapping + - name: verify-enterprise-contract-cli params: - - name: failOnEmptyResult + - name: IMAGES + value: 
$(tasks.expand-snapshot.results.cli-snapshot-spec) + - name: SSL_CERT_DIR + value: /var/run/secrets/kubernetes.io/serviceaccount + - name: POLICY_CONFIGURATION + value: $(workspaces.data.path)/source/policies/cli/policy.yaml + - name: IGNORE_REKOR value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot + - name: EXTRA_RULE_DATA + value: $(params.enterpriseContractExtraRuleData) taskRef: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git + - name: bundle + value: quay.io/enterprise-contract/ec-task-bundle:snapshot + - name: kind + value: task + - name: name + value: verify-enterprise-contract + resolver: bundles workspaces: - - name: config + - name: data workspace: release-workspace - - name: verify-enterprise-contract + # TODO: Consider using matrix? + - name: verify-enterprise-contract-bundle params: - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + value: $(tasks.expand-snapshot.results.bundle-snapshot-spec) - name: SSL_CERT_DIR value: /var/run/secrets/kubernetes.io/serviceaccount - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" + value: $(workspaces.data.path)/source/policies/tekton-task/policy.yaml - name: IGNORE_REKOR value: "true" - name: EXTRA_RULE_DATA value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping taskRef: params: - name: bundle 
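Review bot: Every input to this release path is a mutable reference: `clone-repository` checks out `revision: main`, the git-clone Task is resolved from the `no-root-git-clone` branch of a personal fork, and the `expand` step (like both copy steps in the next hunk) runs `quay.io/konflux-ci/appstudio-utils:latest`. Anyone able to move one of those refs changes what executes under the release ServiceAccount, and the scripts and policy files under `source/` come from the tip of `main` rather than from the commit being released. I would pin the Task with `value: <reviewed-commit-sha>` (placeholder), the image as `quay.io/konflux-ci/appstudio-utils@sha256:<digest>` (placeholder), and check out a pinned commit or the revision under release. The new verify tasks also drop `STRICT: "1"` and `TIMEOUT`; the Task's defaults are not visible here, so please confirm that policy violations still fail the run.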
@@ -186,33 +144,51 @@ spec: workspaces: - name: data workspace: release-workspace - - name: push-snapshot + - name: push params: - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: resultsDirPath - value: $(tasks.collect-data.results.resultsDir) - retries: 5 + - name: cli-snapshot-spec + value: $(tasks.expand-snapshot.results.cli-snapshot-spec) + - name: cli-target-repo + value: $(params.cli-repo) + - name: bundle-snapshot-spec + value: $(tasks.expand-snapshot.results.bundle-snapshot-spec) + - name: bundle-target-repo + value: $(params.bundle-repo) runAfter: - - verify-enterprise-contract - taskRef: + - verify-enterprise-contract-cli + - verify-enterprise-contract-bundle + taskSpec: params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - resolver: git - when: - - input: $(tasks.apply-mapping.results.mapped) - operator: in - values: - - "true" + - name: cli-snapshot-spec + type: string + - name: cli-target-repo + type: string + - name: bundle-snapshot-spec + type: string + - name: bundle-target-repo + type: string + stepTemplate: + env: + - name: HOME + value: /tekton/home + workingDir: $(workspaces.source.path)/source + steps: + - command: + - hack/copy-snapshot-image.sh + - $(params.cli-snapshot-spec) + - $(params.cli-target-repo) + image: quay.io/konflux-ci/appstudio-utils:latest + name: copy-cli + - command: + - hack/copy-snapshot-image.sh + - $(params.bundle-snapshot-spec) + - $(params.bundle-target-repo) + image: quay.io/konflux-ci/appstudio-utils:latest + name: copy-bundle + workspaces: + - name: source workspaces: - - name: data + - name: source workspace: release-workspace workspaces: - name: release-workspace 
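Review bot: The `push` task no longer carries `retries: 5`, and its two steps publish in sequence, so a transient registry error in `copy-bundle` fails the run after `copy-cli` has already moved `latest` on the CLI repository. That leaves the published CLI and bundle images out of step until someone reruns the pipeline. Because `hack/copy-snapshot-image.sh` copies with `--force`, repeating it should be harmless, so restoring `retries: 5` on the task would cover the transient case. The `when` guard on the old push-snapshot task is gone as well; a short comment such as `# always pushes: both verify tasks must succeed first` would record that this is intentional.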
diff --git a/release/src/base/kustomization.yaml b/release/src/base/kustomization.yaml deleted file mode 100644 index cb62baad4..000000000 --- a/release/src/base/kustomization.yaml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - release.yaml -patches: - - path: tasks/verify-access-to-resources.yaml - target: - kind: Pipeline - - path: tasks/collect-data.yaml - target: - kind: Pipeline - - path: tasks/apply-mapping.yaml - target: - kind: Pipeline - - path: tasks/push-snapshot.yaml - target: - kind: Pipeline diff --git a/release/src/base/release.yaml b/release/src/base/release.yaml deleted file mode 100644 index bdeae4064..000000000 --- a/release/src/base/release.yaml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# This Pipeline is a variation of: -# https://github.com/konflux-ci/release-service-catalog/blob/development/pipelines/push-to-external-registry/push-to-external-registry.yaml -# It has been modified from its original version. It has been formatted to fit Tenant Release Pipelines. -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release -spec: - description: >- - Tekton pipeline to release Snapshots to a registry. - params: - - name: release - type: string - description: - The namespaced name (namespace/name) of the Release custom resource initiating this pipeline execution - - name: releasePlan - type: string - description: The namespaced name (namespace/name) of the releasePlan - - name: snapshot - type: string - description: The namespaced name (namespace/name) of the snapshot - - name: enterpriseContractPolicy - type: string - description: JSON representation of the EnterpriseContractPolicy - default: UPDATE_ME - - name: enterpriseContractExtraRuleData - type: string - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- default: "pipeline_intention=release" - - name: enterpriseContractTimeout - type: string - description: Timeout setting for `ec validate` - default: 40m0s - workspaces: - - name: release-workspace - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-access-to-resources - - name: reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: 
$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - collect-data - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: "$(tasks.collect-data.results.data)" - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - workspaces: - - name: config - workspace: release-workspace - runAfter: - - reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - - name: verify-enterprise-contract - taskRef: - resolver: "bundles" - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - params: - - name: IMAGES - value: "$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)" - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - apply-mapping - - name: push-snapshot - retries: 5 - when: - - input: "$(tasks.apply-mapping.results.mapped)" - operator: in - values: ["true"] - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - params: - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - - name: dataPath - value: 
"$(tasks.collect-data.results.data)" - - name: resultsDirPath - value: "$(tasks.collect-data.results.resultsDir)" - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-enterprise-contract - finally: - - name: cleanup - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - params: - - name: subdirectory - value: "$(context.pipelineRun.uid)" - - name: delay - value: "0" - workspaces: - - name: input - workspace: release-workspace diff --git a/release/src/base/tasks/apply-mapping.yaml b/release/src/base/tasks/apply-mapping.yaml deleted file mode 100644 index 442eedb67..000000000 --- a/release/src/base/tasks/apply-mapping.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need changes from https://github.com/konflux-ci/release-service-catalog/pull/631 to be in the -# production branch -- op: replace - path: /spec/tasks/3/taskRef/params/1/value - value: development diff --git a/release/src/base/tasks/collect-data.yaml b/release/src/base/tasks/collect-data.yaml deleted file mode 100644 index 021374782..000000000 --- a/release/src/base/tasks/collect-data.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/1/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml diff --git a/release/src/base/tasks/push-snapshot.yaml b/release/src/base/tasks/push-snapshot.yaml deleted file mode 100644 index 806e5a591..000000000 --- a/release/src/base/tasks/push-snapshot.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes to be merged and made available in the production branch: -# https://github.com/konflux-ci/release-service-catalog/pull/671 -- op: replace - path: /spec/tasks/5/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml diff --git a/release/src/base/tasks/verify-access-to-resources.yaml b/release/src/base/tasks/verify-access-to-resources.yaml deleted file mode 100644 index 80111c4a1..000000000 --- a/release/src/base/tasks/verify-access-to-resources.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/0/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml diff --git a/release/src/cli/kustomization.yaml b/release/src/cli/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/cli/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/cli/patch.yaml b/release/src/cli/patch.yaml deleted file mode 100644 index 2e1644026..000000000 --- a/release/src/cli/patch.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/cli 
diff --git a/release/src/tekton-task/kustomization.yaml b/release/src/tekton-task/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/tekton-task/kustomization.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/tekton-task/patch.yaml b/release/src/tekton-task/patch.yaml deleted file mode 100644 index 3328132e9..000000000 --- a/release/src/tekton-task/patch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/tekton-task diff --git a/release/tekton-task.yaml b/release/tekton-task.yaml deleted file mode 100644 index 58d579d49..000000000 --- a/release/tekton-task.yaml +++ /dev/null 
@@ -1,218 +0,0 @@ -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release-cli -spec: - description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace - params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release - type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan - type: string - - description: The namespaced name (namespace/name) of the snapshot - name: snapshot - type: string - - default: github.com/enterprise-contract/ec-cli//policies/tekton-task - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - - default: pipeline_intention=release - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- name: enterpriseContractExtraRuleData - type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: reduce-snapshot - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - runAfter: - - collect-data - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: 
tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git - workspaces: - - name: config - workspace: release-workspace - - name: verify-enterprise-contract - params: - - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping - taskRef: - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - resolver: bundles - workspaces: - - name: data - workspace: release-workspace - - name: push-snapshot - params: - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: resultsDirPath - value: $(tasks.collect-data.results.resultsDir) - retries: 5 - runAfter: - - verify-enterprise-contract - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - resolver: git - when: - - input: 
$(tasks.apply-mapping.results.mapped) - operator: in - values: - - "true" - workspaces: - - name: data - workspace: release-workspace - workspaces: - - name: release-workspace