From 5bb94e30d0c04673cb08eb7089c0502be7d3acf5 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Tue, 10 Dec 2024 12:43:34 -0500 Subject: [PATCH] Release EC images built together This commit changes the tenant release pipeline so it understands that both the CLI and the bundle images are built within the same build Pipeline. It also removes the need to use different release Pipelines for each image. Signed-off-by: Luiz Carvalho --- Makefile | 5 - hack/copy-snapshot-image.sh | 40 +++ hack/expand-snapshot.sh | 55 ++++ release/README.md | 22 +- release/cli.yaml | 244 ++++++++---------- release/src/base/kustomization.yaml | 34 --- release/src/base/release.yaml | 222 ---------------- release/src/base/tasks/apply-mapping.yaml | 22 -- release/src/base/tasks/collect-data.yaml | 27 -- release/src/base/tasks/push-snapshot.yaml | 28 -- .../tasks/verify-access-to-resources.yaml | 27 -- release/src/cli/kustomization.yaml | 25 -- release/src/cli/patch.yaml | 23 -- release/src/tekton-task/kustomization.yaml | 25 -- release/src/tekton-task/patch.yaml | 23 -- release/tekton-task.yaml | 218 ---------------- 16 files changed, 215 insertions(+), 825 deletions(-) create mode 100755 hack/copy-snapshot-image.sh create mode 100755 hack/expand-snapshot.sh delete mode 100644 release/src/base/kustomization.yaml delete mode 100644 release/src/base/release.yaml delete mode 100644 release/src/base/tasks/apply-mapping.yaml delete mode 100644 release/src/base/tasks/collect-data.yaml delete mode 100644 release/src/base/tasks/push-snapshot.yaml delete mode 100644 release/src/base/tasks/verify-access-to-resources.yaml delete mode 100644 release/src/cli/kustomization.yaml delete mode 100644 release/src/cli/patch.yaml delete mode 100644 release/src/tekton-task/kustomization.yaml delete mode 100644 release/src/tekton-task/patch.yaml delete mode 100644 release/tekton-task.yaml diff --git a/Makefile b/Makefile index 0f4122def..6f3539014 100644 --- a/Makefile +++ b/Makefile 
@@ -83,11 +83,6 @@ build-for-test: dist/ec_$(BUILD_IMG_ARCH) clean: ## Delete build output @rm -f dist/* -.PHONY: generate-pipelines -generate-pipelines: ## Generate release pipelines - kustomize build ./release/src/cli --output ./release/cli.yaml - kustomize build ./release/src/tekton-task --output ./release/tekton-task.yaml - ##@ Testing # Declutter the output by grepping out the files where there are no diff --git a/hack/copy-snapshot-image.sh b/hack/copy-snapshot-image.sh new file mode 100755 index 000000000..364f41c77 --- /dev/null +++ b/hack/copy-snapshot-image.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash +# Copyright The Enterprise Contract Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +SNAPSHOT_SPEC=$1 +TARGET_REPO=$2 + +echo "Target repo: ${TARGET_REPO}" + +echo "Verifying snapshot contains a single component" +echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null + +GIT_SHA="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].source.git.revision')" +IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')" + +TAGS=( + 'latest' + "${GIT_SHA}" +) +for tag in "${TAGS[@]}"; do + echo "Pushing image with tag ${tag}" + cosign copy --force "${IMAGE_REF}" "${TARGET_REPO}:${tag}" +done diff --git a/hack/expand-snapshot.sh b/hack/expand-snapshot.sh new file mode 100755 index 000000000..3c4d1106d --- /dev/null 
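Review bot: In hack/copy-snapshot-image.sh both `jq -r` lookups succeed on a missing field and print the literal string `null`, so `errexit` does not stop the script and the loop would call `cosign copy` with a source of `null` or push a tag named `null`. Use `jq -er` for `GIT_SHA` and `IMAGE_REF` so a missing field fails the step. Nothing checks that `IMAGE_REF` is pinned by digest either, and this is the step that publishes what the verify-enterprise-contract tasks evaluated. A guard before the loop, such as `[[ "${IMAGE_REF}" == *@sha256:* ]] || { echo "IMAGE_REF is not pinned by digest" >&2; exit 1; }`, keeps a tag reference from being resolved a second time at copy time. `--force` also overwrites an existing `${GIT_SHA}` tag, not only `latest`, which deserves a comment if it is intended.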
+++ b/hack/expand-snapshot.sh 
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This script is meant to take an existing snapshot reference which includes just
+# the EC CLI image and use that to create a new snapshot which includes the EC Tekton
+# bundle image.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Release service includes the namespace with the resource name. Let's clean that up.
+SNAPSHOT_NAME="${1#*/}"
+CLI_SNAPSHOT_PATH=$2
+BUNDLE_SNAPSHOT_PATH=$3
+
+echo "Fetching ${SNAPSHOT_NAME} snapshot"
+SNAPSHOT_SPEC="$(oc get snapshot ${SNAPSHOT_NAME} -o json | jq '.spec')"
+echo "${SNAPSHOT_SPEC}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+CLI_IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+echo "CLI image ref: ${CLI_IMAGE_REF}"
+
+echo "Storing EC CLI snapshot in ${CLI_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" > "${CLI_SNAPSHOT_PATH}"
+
+BUNDLE_IMAGE_REF="$(
+ cosign download attestation "${CLI_IMAGE_REF}" | jq -r '.payload | @base64d | fromjson |
+ .predicate.buildConfig.tasks[] | select(.name == "build-tekton-bundle") |
+ .results[] | select(.name == "IMAGE_REF") | .value'
+)"
+
+echo "Bundle image ref: ${BUNDLE_IMAGE_REF}"
+
+echo "Creating new snapshot spec for bundle and storing in ${BUNDLE_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" | jq --arg bundle "${BUNDLE_IMAGE_REF}" \
+ '.components[0].name = "tekton-bundle" | .components[0].containerImage = $bundle' | \
+ tee "${BUNDLE_SNAPSHOT_PATH}"
diff --git a/release/README.md b/release/README.md
index 3ceef72c4..cd80c9730 100644
--- a/release/README.md
+++ b/release/README.md
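Review bot: In hack/expand-snapshot.sh `BUNDLE_IMAGE_REF` is read from the output of `cosign download attestation`, which fetches the attestation without checking its signature, so the bundle reference is derived from unverified data at this point. The later verify-enterprise-contract-bundle task presumably validates the bundle image itself, but not that it came from the same build as the CLI image; `cosign verify-attestation` with the build's public key (`--key <PUBLIC_KEY_PLACEHOLDER>`) would close that gap. Independently, if no task named `build-tekton-bundle` matches, or more than one attestation is attached, the variable ends up empty or multi-line and is written into the bundle snapshot unchecked; add a guard such as `[[ "${BUNDLE_IMAGE_REF}" =~ ^[^[:space:]]+@sha256:[0-9a-f]{64}$ ]] || exit 1`. `${SNAPSHOT_NAME}` in the `oc get snapshot` call is unquoted and comes from a pipeline parameter, so write `oc get snapshot "${SNAPSHOT_NAME}" -o json`.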
@@ -1,19 +1,17 @@ -# Release Pipelines +# Release Pipeline -This directory contains the Tekton Pipelines used to release EC from the main branch. These -Pipelines execute in [Konflux](https://konflux-ci.dev/). - -The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src` directory. To -make changes to the Pipelines, update the corresponding files in that directory and run the -`make generate-pipelines` command (requires `kustomize`). +This directory contains the Tekton Pipeline used to release EC from the main branch. The Pipeline +executes in [Konflux](https://konflux-ci.dev/). ## Setup -The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeliens +The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeline will run. This creates a ServiceAccount with access to perform the release. -## Why are there two Pipelines? +## Why are there two verify-enterprise-contract Tasks? -Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline -parameter. Because the CLI and the Tekton Task require different EC policies, the only way to -achieve this is by using different Pipelines with different default values for the EC policy. +The CLI and the bundle images require different EC policies. The bundle image, for example, does not +include binary content, as such, it makes little sense to run scan it with an anti-virus for example. +Currently, it is not possible to use a single EC policy for different components, but there are plans +for doing so. When that becomes a reality, a single snapshot and a single execution of the +verify-enterprise-contract would be sufficient. diff --git a/release/cli.yaml b/release/cli.yaml index 15acd2178..80ae52fab 100644 --- a/release/cli.yaml +++ b/release/cli.yaml @@ -1,3 +1,4 @@ +--- # Copyright The Enterprise Contract Contributors # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -20,160 +21,117 @@ metadata: name: release-cli spec: description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release + - default: quay.io/enterprise-contract/cli + description: Location to push the CLI image to + name: cli-repo type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan + - default: quay.io/enterprise-contract/tekton-task + description: Location to push the bundle image to + name: bundle-repo type: string - description: The namespaced name (namespace/name) of the snapshot name: snapshot type: string - - default: github.com/enterprise-contract/ec-cli//policies/cli - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - default: pipeline_intention=release description: | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." 
name: enterpriseContractExtraRuleData type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data + - name: clone-repository params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) + - name: url + value: https://github.com/enterprise-contract/ec-cli + - name: revision + value: main - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources + value: source taskRef: params: + # TODO: Can't use Konflux's git-clone Task because that requires a security context not provided + # to the ServiceAccount running this pipeline (securityContext.runAsUser: 0). 
- name: url - value: https://github.com/lcarva/release-service-bundles.git + value: https://github.com/lcarva/build-definitions.git - name: revision - value: support-tenant-releases + value: no-root-git-clone - name: pathInRepo - value: tasks/collect-data/collect-data.yaml + value: task/git-clone/0.1/git-clone.yaml resolver: git workspaces: - - name: data + - name: output workspace: release-workspace - - name: reduce-snapshot + - name: expand-snapshot params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + - name: input + value: $(params.snapshot) runAfter: - - collect-data - taskRef: + - clone-repository + taskSpec: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git + - name: input + type: string + results: + - name: cli-snapshot-spec + type: string + - name: bundle-snapshot-spec + type: string + stepTemplate: + env: + - name: HOME + value: /tekton/home + steps: + - command: + - hack/expand-snapshot.sh + - $(params.input) + - $(results.cli-snapshot-spec.path) + - $(results.bundle-snapshot-spec.path) + image: quay.io/konflux-ci/appstudio-utils:latest + name: expand + workingDir: $(workspaces.source.path)/source + workspaces: + - name: source workspaces: - - name: data + - name: source workspace: release-workspace - - name: apply-mapping + - name: verify-enterprise-contract-cli params: - - name: failOnEmptyResult + - name: IMAGES + value: 
$(tasks.expand-snapshot.results.cli-snapshot-spec) + - name: SSL_CERT_DIR + value: /var/run/secrets/kubernetes.io/serviceaccount + - name: POLICY_CONFIGURATION + value: $(workspaces.data.path)/source/policies/cli/policy.yaml + - name: IGNORE_REKOR value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot + - name: EXTRA_RULE_DATA + value: $(params.enterpriseContractExtraRuleData) taskRef: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git + - name: bundle + value: quay.io/enterprise-contract/ec-task-bundle:snapshot + - name: kind + value: task + - name: name + value: verify-enterprise-contract + resolver: bundles workspaces: - - name: config + - name: data workspace: release-workspace - - name: verify-enterprise-contract + # TODO: Consider using matrix? + - name: verify-enterprise-contract-bundle params: - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + value: $(tasks.expand-snapshot.results.bundle-snapshot-spec) - name: SSL_CERT_DIR value: /var/run/secrets/kubernetes.io/serviceaccount - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" + value: $(workspaces.data.path)/source/policies/tekton-task/policy.yaml - name: IGNORE_REKOR value: "true" - name: EXTRA_RULE_DATA value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping taskRef: params: - name: bundle 
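Review bot: The new release pipeline resolves code from mutable references: the git-clone task comes from branch `no-root-git-clone` of a personal fork (`lcarva/build-definitions`), the scripts and policy files are cloned from `revision: main`, and the `expand` step runs `quay.io/konflux-ci/appstudio-utils:latest`; the `copy-cli` and `copy-bundle` steps in the next hunk use the same `:latest` image. Any of these can change between two releases without a commit in this repository, and they execute under the release ServiceAccount described in release/README.md. Pin the task `revision` to a commit SHA and the step image to a digest (`image: quay.io/konflux-ci/appstudio-utils@sha256:<DIGEST_PLACEHOLDER>`), and consider cloning the revision recorded in the snapshot rather than `main` so the policy applied matches the commit being released. The removed `STRICT: "1"` parameter now depends on the task's default, which is worth confirming; the `verify-enterprise-contract-bundle` task's `taskRef` continues past the end of this hunk.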
@@ -186,33 +144,51 @@ spec: workspaces: - name: data workspace: release-workspace - - name: push-snapshot + - name: push params: - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: resultsDirPath - value: $(tasks.collect-data.results.resultsDir) - retries: 5 + - name: cli-snapshot-spec + value: $(tasks.expand-snapshot.results.cli-snapshot-spec) + - name: cli-target-repo + value: $(params.cli-repo) + - name: bundle-snapshot-spec + value: $(tasks.expand-snapshot.results.bundle-snapshot-spec) + - name: bundle-target-repo + value: $(params.bundle-repo) runAfter: - - verify-enterprise-contract - taskRef: + - verify-enterprise-contract-cli + - verify-enterprise-contract-bundle + taskSpec: params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - resolver: git - when: - - input: $(tasks.apply-mapping.results.mapped) - operator: in - values: - - "true" + - name: cli-snapshot-spec + type: string + - name: cli-target-repo + type: string + - name: bundle-snapshot-spec + type: string + - name: bundle-target-repo + type: string + stepTemplate: + env: + - name: HOME + value: /tekton/home + workingDir: $(workspaces.source.path)/source + steps: + - command: + - hack/copy-snapshot-image.sh + - $(params.cli-snapshot-spec) + - $(params.cli-target-repo) + image: quay.io/konflux-ci/appstudio-utils:latest + name: copy-cli + - command: + - hack/copy-snapshot-image.sh + - $(params.bundle-snapshot-spec) + - $(params.bundle-target-repo) + image: quay.io/konflux-ci/appstudio-utils:latest + name: copy-bundle + workspaces: + - name: source workspaces: - - name: data + - name: source workspace: release-workspace workspaces: - name: release-workspace 
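Review bot: The inline `push` task has no `retries`, whereas the `push-snapshot` task it replaces had `retries: 5`, and its two steps move `latest` for the CLI repository before the bundle copy runs. A transient registry error in `copy-bundle` therefore ends the run with the CLI image published and the bundle not. Since `cosign copy --force` can be repeated safely, adding `retries: 3` to the `push` pipeline task would restore the earlier tolerance.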
diff --git a/release/src/base/kustomization.yaml b/release/src/base/kustomization.yaml deleted file mode 100644 index cb62baad4..000000000 --- a/release/src/base/kustomization.yaml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - release.yaml -patches: - - path: tasks/verify-access-to-resources.yaml - target: - kind: Pipeline - - path: tasks/collect-data.yaml - target: - kind: Pipeline - - path: tasks/apply-mapping.yaml - target: - kind: Pipeline - - path: tasks/push-snapshot.yaml - target: - kind: Pipeline diff --git a/release/src/base/release.yaml b/release/src/base/release.yaml deleted file mode 100644 index bdeae4064..000000000 --- a/release/src/base/release.yaml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# This Pipeline is a variation of: -# https://github.com/konflux-ci/release-service-catalog/blob/development/pipelines/push-to-external-registry/push-to-external-registry.yaml -# It has been modified from its original version. It has been formatted to fit Tenant Release Pipelines. -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release -spec: - description: >- - Tekton pipeline to release Snapshots to a registry. - params: - - name: release - type: string - description: - The namespaced name (namespace/name) of the Release custom resource initiating this pipeline execution - - name: releasePlan - type: string - description: The namespaced name (namespace/name) of the releasePlan - - name: snapshot - type: string - description: The namespaced name (namespace/name) of the snapshot - - name: enterpriseContractPolicy - type: string - description: JSON representation of the EnterpriseContractPolicy - default: UPDATE_ME - - name: enterpriseContractExtraRuleData - type: string - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- default: "pipeline_intention=release" - - name: enterpriseContractTimeout - type: string - description: Timeout setting for `ec validate` - default: 40m0s - workspaces: - - name: release-workspace - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-access-to-resources - - name: reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: 
$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - collect-data - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: "$(tasks.collect-data.results.data)" - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - workspaces: - - name: config - workspace: release-workspace - runAfter: - - reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - - name: verify-enterprise-contract - taskRef: - resolver: "bundles" - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - params: - - name: IMAGES - value: "$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)" - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - apply-mapping - - name: push-snapshot - retries: 5 - when: - - input: "$(tasks.apply-mapping.results.mapped)" - operator: in - values: ["true"] - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - params: - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - - name: dataPath - value: 
"$(tasks.collect-data.results.data)" - - name: resultsDirPath - value: "$(tasks.collect-data.results.resultsDir)" - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-enterprise-contract - finally: - - name: cleanup - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - params: - - name: subdirectory - value: "$(context.pipelineRun.uid)" - - name: delay - value: "0" - workspaces: - - name: input - workspace: release-workspace diff --git a/release/src/base/tasks/apply-mapping.yaml b/release/src/base/tasks/apply-mapping.yaml deleted file mode 100644 index 442eedb67..000000000 --- a/release/src/base/tasks/apply-mapping.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need changes from https://github.com/konflux-ci/release-service-catalog/pull/631 to be in the -# production branch -- op: replace - path: /spec/tasks/3/taskRef/params/1/value - value: development diff --git a/release/src/base/tasks/collect-data.yaml b/release/src/base/tasks/collect-data.yaml deleted file mode 100644 index 021374782..000000000 --- a/release/src/base/tasks/collect-data.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/1/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml diff --git a/release/src/base/tasks/push-snapshot.yaml b/release/src/base/tasks/push-snapshot.yaml deleted file mode 100644 index 806e5a591..000000000 --- a/release/src/base/tasks/push-snapshot.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes to be merged and made available in the production branch: -# https://github.com/konflux-ci/release-service-catalog/pull/671 -- op: replace - path: /spec/tasks/5/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml diff --git a/release/src/base/tasks/verify-access-to-resources.yaml b/release/src/base/tasks/verify-access-to-resources.yaml deleted file mode 100644 index 80111c4a1..000000000 --- a/release/src/base/tasks/verify-access-to-resources.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/0/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml diff --git a/release/src/cli/kustomization.yaml b/release/src/cli/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/cli/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/cli/patch.yaml b/release/src/cli/patch.yaml deleted file mode 100644 index 2e1644026..000000000 --- a/release/src/cli/patch.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/cli 
diff --git a/release/src/tekton-task/kustomization.yaml b/release/src/tekton-task/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/tekton-task/kustomization.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/tekton-task/patch.yaml b/release/src/tekton-task/patch.yaml deleted file mode 100644 index 3328132e9..000000000 --- a/release/src/tekton-task/patch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@
----
-# Copyright The Enterprise Contract Contributors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-- op: replace
- path: /metadata/name
- value: release-cli
-- op: replace
- path: /spec/params/3/default # enterpriseContractPolicy
- value: github.com/enterprise-contract/ec-cli//policies/tekton-task
diff --git a/release/tekton-task.yaml b/release/tekton-task.yaml
deleted file mode 100644
index 58d579d49..000000000
--- a/release/tekton-task.yaml
+++ /dev/null
@@ -1,218 +0,0 @@ -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release-cli -spec: - description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace - params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release - type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan - type: string - - description: The namespaced name (namespace/name) of the snapshot - name: snapshot - type: string - - default: github.com/enterprise-contract/ec-cli//policies/tekton-task - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - - default: pipeline_intention=release - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- name: enterpriseContractExtraRuleData - type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: reduce-snapshot - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - runAfter: - - collect-data - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: 
tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git - workspaces: - - name: config - workspace: release-workspace - - name: verify-enterprise-contract - params: - - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping - taskRef: - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - resolver: bundles - workspaces: - - name: data - workspace: release-workspace - - name: push-snapshot - params: - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: resultsDirPath - value: $(tasks.collect-data.results.resultsDir) - retries: 5 - runAfter: - - verify-enterprise-contract - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - resolver: git - when: - - input: 
$(tasks.apply-mapping.results.mapped) - operator: in - values: - - "true" - workspaces: - - name: data - workspace: release-workspace - workspaces: - - name: release-workspace