From e549ce8202af5931e9b0852c4da8d26b6019ded3 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Tue, 10 Dec 2024 14:38:40 -0500
Subject: [PATCH 1/5] Remove bogus sast-snyk-check parameter
The sast-snyk-check Task does not provide an `image-digest` parameter. Instead, users are expected to profide image references that include the digest via the `image-url` parameter.
Signed-off-by: Luiz Carvalho
---
 .tekton/cli-build.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.tekton/cli-build.yaml b/.tekton/cli-build.yaml
index 6c650316f..9fad26535 100644
--- a/.tekton/cli-build.yaml
+++ b/.tekton/cli-build.yaml
@@ -327,10 +327,8 @@ spec:
 - "false"
 - name: sast-snyk-check
 params:
- - name: image-digest
- value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 - name: image-url
- value: $(tasks.build-image-index.results.IMAGE_URL)
+ value: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)
 - name: SOURCE_ARTIFACT
 value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
 - name: CACHI2_ARTIFACT
From d9c783dec9f56b469416aa815d156a928d694366 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Tue, 10 Dec 2024 14:20:30 -0500
Subject: [PATCH 2/5] Specify type for pipeline parameters
This is recommended by Tekton and fixes a violation found by tektor[1]. [1] https://github.com/lcarva/tektor
Signed-off-by: Luiz Carvalho
---
 .tekton/cli-build.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.tekton/cli-build.yaml b/.tekton/cli-build.yaml
index 9fad26535..c150e53cf 100644
--- a/.tekton/cli-build.yaml
+++ b/.tekton/cli-build.yaml
@@ -55,6 +55,7 @@ spec:
 - default: ""
 description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
 name: image-expires-after
+ type: string
 - default: "false"
 description: Build a source image.
 name: build-source-image
From c3984832b614617795396a7401ddf1984a0230c4 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Tue, 10 Dec 2024 12:28:51 -0500
Subject: [PATCH 3/5] Build bundle together with CLI
This commit changes the build process so the Tekton bundle is built in the same build pipeline that builds the CLI image. This has the main advantage of creating a close relationship between the two images. The bundle image, for example, references the CLI image by digest. It also simplifies the build process. As such, the build pipeline for the bundle is removed. Ref: EC-911
Signed-off-by: Luiz Carvalho
---
 .tekton/cli-build.yaml | 35 ++++
 .tekton/cli-main-ci-pull-request.yaml | 2 +
 .tekton/cli-main-ci-push.yaml | 2 +
 .tekton/task-build.yaml | 269 --------------------------
 .tekton/task-main-pull-request.yaml | 49 -----
 .tekton/task-main-push.yaml | 46 -----
 6 files changed, 39 insertions(+), 364 deletions(-)
 delete mode 100644 .tekton/task-build.yaml
 delete mode 100644 .tekton/task-main-pull-request.yaml
 delete mode 100644 .tekton/task-main-push.yaml
diff --git a/.tekton/cli-build.yaml b/.tekton/cli-build.yaml
index c150e53cf..72cf6c891 100644
--- a/.tekton/cli-build.yaml
+++ b/.tekton/cli-build.yaml
@@ -28,6 +28,15 @@ spec:
 - description: Fully Qualified Output Image
 name: output-image
 type: string
+ - description: >-
+ OCI repository of the CLI image to use as a reference in the Tekton bundle. When setting
+ this value, take into account where the CLI image will be available for usage. For certain
+ workflows, e.g. pull request, this should be the repo in which the CLI image is built into
+ because those CLI images are not promoted to another location. For merge workflows that go
+ through a release, for example, this should be the repository for which the CLI image will
+ be released to.
+ name: bundle-cli-ref-repo
+ type: string
 - default: .
 description: Path to the source code of an application's component from where to build image.
 name: path-context
@@ -262,6 +271,32 @@ spec:
 operator: in
 values:
 - "true"
+ - name: build-tekton-bundle
+ params:
+ - name: IMAGE
+ value: $(params.output-image).bundle
+ - name: CONTEXT
+ value: tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
+ - name: STEPS_IMAGE
+ value: $(params.bundle-cli-ref-repo)@$(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: tkn-bundle-oci-ta
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.1@sha256:7d2ca9fbe8f3ba5636f18a36d086acf6cd37eef83032afa845032fe9dc7152e7
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
 - name: deprecated-base-image-check
 params:
 - name: IMAGE_URL
diff --git a/.tekton/cli-main-ci-pull-request.yaml b/.tekton/cli-main-ci-pull-request.yaml
index d4b959082..5a4283291 100644
--- a/.tekton/cli-main-ci-pull-request.yaml
+++ b/.tekton/cli-main-ci-pull-request.yaml
@@ -24,6 +24,8 @@ spec:
 value: '{{revision}}'
 - name: output-image
 value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-ci/cli-main-ci:on-pr-{{revision}}
+ - name: bundle-cli-ref-repo
+ value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-ci/cli-main-ci
 - name: image-expires-after
 value: 5d
 - name: dockerfile
diff --git a/.tekton/cli-main-ci-push.yaml b/.tekton/cli-main-ci-push.yaml
index d567bfeeb..f9e45a4d1 100644
--- a/.tekton/cli-main-ci-push.yaml
+++ b/.tekton/cli-main-ci-push.yaml
@@ -23,6 +23,8 @@ spec:
 value: '{{revision}}'
 - name: output-image
 value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-ci/cli-main-ci:{{revision}}
+ - name: bundle-cli-ref-repo
+ value: quay.io/enterprise-contract/cli
 - name: image-expires-after
 value: ''
 - name: dockerfile
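Review bot: `value: $(params.output-image).bundle` under the IMAGE param derives the bundle tag by string-appending to the whole output image reference, which only works because both PipelineRuns in this series pass output-image with a tag; if output-image were ever a bare repository the result would be a sibling repository named `...cli-main-ci.bundle` rather than a tag, so that assumption deserves a comment on the line. The relationship between the two images is also not surfaced: the bundle's digest is not exported as a Pipeline result, and the release tooling added in patch 4 has to recover it from the build provenance, which a comment above the task should state, e.g. `# The bundle image is not a Pipeline result; release tooling locates it via the IMAGE_REF result recorded in this task's provenance.`. Likewise `STEPS_IMAGE` embeds `$(params.bundle-cli-ref-repo)@<digest>`, and for the push PipelineRun that repo is `quay.io/enterprise-contract/cli`, a location the digest presumably only reaches after a release, so the reference baked into the bundle is unresolvable until then — worth saying in the same comment.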
diff --git a/.tekton/task-build.yaml b/.tekton/task-build.yaml
deleted file mode 100644
index 3267d296f..000000000
--- a/.tekton/task-build.yaml
+++ /dev/null
@@ -1,269 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: task-build -spec: - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image. - name: build-source-image - type: string - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: 
quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:d091a9e19567a4cbdc5acd57903c71ba71dc51d749a4ba7477e689608851e981 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:b7a6b67e97c6c03b552b9cd57d4a2868d63e279ee68ced2a53e713befca9e009 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image) - - name: CONTEXT - value: ./source/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: tkn-bundle - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle:0.1@sha256:7542d1701f13ee69429326f4e52db38c9c38e6e79277953eabe31cd809772b0e - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - #- Skipping build-source-image - #- Skipping deprecated-base-image-check - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: 
quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - #- Skipping ecosystem-cert-preflight-checks - - name: sast-snyk-check - runAfter: - - build-container - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:df33774c66799947d012605febdc75e82498413ecc6e374774c648006b816cd1 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - workspace: workspace - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - - name: git-auth - optional: true diff --git a/.tekton/task-main-pull-request.yaml b/.tekton/task-main-pull-request.yaml deleted file mode 100644 index 9ccae467a..000000000 --- a/.tekton/task-main-pull-request.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/enterprise-contract/ec-cli?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - # Only rebuild the task bundle if there is a change to the task definition - pipelinesascode.tekton.dev/on-cel-expression: >- - event == "pull_request" && target_branch == "main" && "tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml".pathChanged() - pipelinesascode.tekton.dev/pipeline: ".tekton/task-build.yaml" - labels: - appstudio.openshift.io/application: ec-main-task-build - appstudio.openshift.io/component: task-main - pipelines.appstudio.openshift.io/type: build - name: task-main-on-pull-request - namespace: rhtap-contract-tenant -spec: - # Note that some params here are not used since the build-container - # task is tkn-bundle rather than buildah - params: - - name: dockerfile - value: Dockerfile - - name: git-url - value: '{{source_url}}' - - name: image-expires-after - value: 5d - - name: output-image - value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-task-build/task-main:on-pr-{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' - pipelineRef: - name: task-build - workspaces: - - name: workspace - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' diff --git a/.tekton/task-main-push.yaml b/.tekton/task-main-push.yaml deleted file mode 100644 index 3413f8259..000000000 --- a/.tekton/task-main-push.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/enterprise-contract/ec-cli?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - # Only rebuild the task bundle if there is a change to the task definition - pipelinesascode.tekton.dev/on-cel-expression: >- - event == "push" && target_branch == "main" && "tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml".pathChanged() - pipelinesascode.tekton.dev/pipeline: ".tekton/task-build.yaml" - labels: - appstudio.openshift.io/application: ec-main-task-build - appstudio.openshift.io/component: task-main - pipelines.appstudio.openshift.io/type: build - name: task-main-on-push - namespace: rhtap-contract-tenant -spec: - # Note that some params here are not used since the build-container - # task is tkn-bundle rather than buildah - params: - - name: dockerfile - value: Dockerfile - - name: git-url - value: '{{source_url}}' - - name: output-image - value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-task-build/task-main:{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' - pipelineRef: - name: task-build - workspaces: - - name: workspace - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' From ca128f3e5f98b7134fcd37189cb741ea72a8e35a Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Tue, 10 Dec 2024 12:43:34 -0500 Subject: [PATCH 4/5] Release EC images built together This commit changes the tenant release pipeline so it understands that both the CLI and the bundle images are built within the same build Pipeline. It also removes the need to use different release Pipelines for each image. 
Signed-off-by: Luiz Carvalho --- Makefile | 5 - hack/copy-snapshot-image.sh | 40 +++ hack/expand-snapshot.sh | 55 ++++ release/README.md | 22 +- release/cli.yaml | 244 ++++++++---------- release/src/base/kustomization.yaml | 34 --- release/src/base/release.yaml | 222 ---------------- release/src/base/tasks/apply-mapping.yaml | 22 -- release/src/base/tasks/collect-data.yaml | 27 -- release/src/base/tasks/push-snapshot.yaml | 28 -- .../tasks/verify-access-to-resources.yaml | 27 -- release/src/cli/kustomization.yaml | 25 -- release/src/cli/patch.yaml | 23 -- release/src/tekton-task/kustomization.yaml | 25 -- release/src/tekton-task/patch.yaml | 23 -- release/tekton-task.yaml | 218 ---------------- 16 files changed, 215 insertions(+), 825 deletions(-) create mode 100755 hack/copy-snapshot-image.sh create mode 100755 hack/expand-snapshot.sh delete mode 100644 release/src/base/kustomization.yaml delete mode 100644 release/src/base/release.yaml delete mode 100644 release/src/base/tasks/apply-mapping.yaml delete mode 100644 release/src/base/tasks/collect-data.yaml delete mode 100644 release/src/base/tasks/push-snapshot.yaml delete mode 100644 release/src/base/tasks/verify-access-to-resources.yaml delete mode 100644 release/src/cli/kustomization.yaml delete mode 100644 release/src/cli/patch.yaml delete mode 100644 release/src/tekton-task/kustomization.yaml delete mode 100644 release/src/tekton-task/patch.yaml delete mode 100644 release/tekton-task.yaml diff --git a/Makefile b/Makefile index 0f4122def..6f3539014 100644 --- a/Makefile +++ b/Makefile @@ -83,11 +83,6 @@ build-for-test: dist/ec_$(BUILD_IMG_ARCH) clean: ## Delete build output @rm -f dist/* -.PHONY: generate-pipelines -generate-pipelines: ## Generate release pipelines - kustomize build ./release/src/cli --output ./release/cli.yaml - kustomize build ./release/src/tekton-task --output ./release/tekton-task.yaml - ##@ Testing # Declutter the output by grepping out the files where there are no 
diff --git a/hack/copy-snapshot-image.sh b/hack/copy-snapshot-image.sh
new file mode 100755
index 000000000..364f41c77
--- /dev/null
+++ b/hack/copy-snapshot-image.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SNAPSHOT_SPEC=$1
+TARGET_REPO=$2
+
+echo "Target repo: ${TARGET_REPO}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+GIT_SHA="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].source.git.revision')"
+IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+
+TAGS=(
+ 'latest'
+ "${GIT_SHA}"
+)
+for tag in "${TAGS[@]}"; do
+ echo "Pushing image with tag ${tag}"
+ cosign copy --force "${IMAGE_REF}" "${TARGET_REPO}:${tag}"
+done
diff --git a/hack/expand-snapshot.sh b/hack/expand-snapshot.sh
new file mode 100755
index 000000000..3c4d1106d
--- /dev/null
+++ b/hack/expand-snapshot.sh
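Review bot: `IMAGE_REF` is copied to `latest` and to the git SHA without checking that `.components[0].containerImage` is pinned by digest, so a tag-only reference in the snapshot would be republished as whatever that tag resolves to at copy time rather than the image that was verified; a guard before the loop such as `[[ "${IMAGE_REF}" == *@sha256:* ]] || { echo "containerImage is not digest-pinned: ${IMAGE_REF}" >&2; exit 1; }` closes that. `GIT_SHA` has a related gap: `jq -r` prints the literal `null` when `.source.git.revision` is absent, and the script would then push a `:null` tag; `jq -er` on that line turns it into a failure. `cosign copy --force` overwrites existing tags, which is what `latest` needs but also means a re-run silently replaces an existing SHA tag — worth a comment on the loop.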
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This script is meant to take an existing snapshot reference which includes just
+# the EC CLI image and use that to create a new snapshot which includes the EC Tekton
+# bundle image.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Release service includes the namespace with the resource name. Let's clean that up.
+SNAPSHOT_NAME="${1#*/}"
+CLI_SNAPSHOT_PATH=$2
+BUNDLE_SNAPSHOT_PATH=$3
+
+echo "Fetching ${SNAPSHOT_NAME} snapshot"
+SNAPSHOT_SPEC="$(oc get snapshot ${SNAPSHOT_NAME} -o json | jq '.spec')"
+echo "${SNAPSHOT_SPEC}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+CLI_IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+echo "CLI image ref: ${CLI_IMAGE_REF}"
+
+echo "Storing EC CLI snapshot in ${CLI_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" > "${CLI_SNAPSHOT_PATH}"
+
+BUNDLE_IMAGE_REF="$(
+ cosign download attestation "${CLI_IMAGE_REF}" | jq -r '.payload | @base64d | fromjson |
+ .predicate.buildConfig.tasks[] | select(.name == "build-tekton-bundle") |
+ .results[] | select(.name == "IMAGE_REF") | .value'
+)"
+
+echo "Bundle image ref: ${BUNDLE_IMAGE_REF}"
+
+echo "Creating new snapshot spec for bundle and storing in ${BUNDLE_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" | jq --arg bundle "${BUNDLE_IMAGE_REF}" \
+ '.components[0].name = "tekton-bundle" | .components[0].containerImage = $bundle' | \
+ tee "${BUNDLE_SNAPSHOT_PATH}"
diff --git a/release/README.md b/release/README.md
index 3ceef72c4..cd80c9730 100644
--- a/release/README.md
+++ b/release/README.md
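Review bot: `BUNDLE_IMAGE_REF` is never validated before being written into the new snapshot: when no `build-tekton-bundle` task or `IMAGE_REF` result is found, `jq -r` yields an empty string and the bundle snapshot is emitted with `containerImage` set to `""`, and if the CLI image carries more than one attestation the filter may print several lines or fail on a payload without `buildConfig` (inferred from the jq expression, not tested). A check right after the assignment, `[[ "${BUNDLE_IMAGE_REF}" == *@sha256:* ]] || { echo "could not determine bundle image ref" >&2; exit 1; }`, makes that failure explicit instead of surfacing downstream. `cosign download attestation` fetches the attestation without verifying its signature, so the derived reference is trustworthy only because verify-enterprise-contract-bundle later validates that image against policy — that dependency deserves a comment on the assignment. `${SNAPSHOT_NAME}` in the `oc get` call should be quoted like every other expansion in the script.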
@@ -1,19 +1,17 @@ -# Release Pipelines +# Release Pipeline -This directory contains the Tekton Pipelines used to release EC from the main branch. These -Pipelines execute in [Konflux](https://konflux-ci.dev/). - -The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src` directory. To -make changes to the Pipelines, update the corresponding files in that directory and run the -`make generate-pipelines` command (requires `kustomize`). +This directory contains the Tekton Pipeline used to release EC from the main branch. The Pipeline +executes in [Konflux](https://konflux-ci.dev/). ## Setup -The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeliens +The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeline will run. This creates a ServiceAccount with access to perform the release. -## Why are there two Pipelines? +## Why are there two verify-enterprise-contract Tasks? -Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline -parameter. Because the CLI and the Tekton Task require different EC policies, the only way to -achieve this is by using different Pipelines with different default values for the EC policy. +The CLI and the bundle images require different EC policies. The bundle image, for example, does not +include binary content, as such, it makes little sense to run scan it with an anti-virus for example. +Currently, it is not possible to use a single EC policy for different components, but there are plans +for doing so. When that becomes a reality, a single snapshot and a single execution of the +verify-enterprise-contract would be sufficient. diff --git a/release/cli.yaml b/release/cli.yaml index 15acd2178..80ae52fab 100644 --- a/release/cli.yaml +++ b/release/cli.yaml @@ -1,3 +1,4 @@ +--- # Copyright The Enterprise Contract Contributors # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -20,160 +21,117 @@ metadata: name: release-cli spec: description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release + - default: quay.io/enterprise-contract/cli + description: Location to push the CLI image to + name: cli-repo type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan + - default: quay.io/enterprise-contract/tekton-task + description: Location to push the bundle image to + name: bundle-repo type: string - description: The namespaced name (namespace/name) of the snapshot name: snapshot type: string - - default: github.com/enterprise-contract/ec-cli//policies/cli - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - default: pipeline_intention=release description: | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." 
name: enterpriseContractExtraRuleData type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data + - name: clone-repository params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) + - name: url + value: https://github.com/enterprise-contract/ec-cli + - name: revision + value: main - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources + value: source taskRef: params: + # TODO: Can't use Konflux's git-clone Task because that requires a security context not provided + # to the ServiceAccount running this pipeline (securityContext.runAsUser: 0). 
- name: url - value: https://github.com/lcarva/release-service-bundles.git + value: https://github.com/lcarva/build-definitions.git - name: revision - value: support-tenant-releases + value: no-root-git-clone - name: pathInRepo - value: tasks/collect-data/collect-data.yaml + value: task/git-clone/0.1/git-clone.yaml resolver: git workspaces: - - name: data + - name: output workspace: release-workspace - - name: reduce-snapshot + - name: expand-snapshot params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + - name: input + value: $(params.snapshot) runAfter: - - collect-data - taskRef: + - clone-repository + taskSpec: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git + - name: input + type: string + results: + - name: cli-snapshot-spec + type: string + - name: bundle-snapshot-spec + type: string + stepTemplate: + env: + - name: HOME + value: /tekton/home + steps: + - command: + - hack/expand-snapshot.sh + - $(params.input) + - $(results.cli-snapshot-spec.path) + - $(results.bundle-snapshot-spec.path) + image: quay.io/konflux-ci/appstudio-utils:latest + name: expand + workingDir: $(workspaces.source.path)/source + workspaces: + - name: source workspaces: - - name: data + - name: source workspace: release-workspace - - name: apply-mapping + - name: verify-enterprise-contract-cli params: - - name: failOnEmptyResult + - name: IMAGES + value: 
$(tasks.expand-snapshot.results.cli-snapshot-spec) + - name: SSL_CERT_DIR + value: /var/run/secrets/kubernetes.io/serviceaccount + - name: POLICY_CONFIGURATION + value: $(workspaces.data.path)/source/policies/cli/policy.yaml + - name: IGNORE_REKOR value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot + - name: EXTRA_RULE_DATA + value: $(params.enterpriseContractExtraRuleData) taskRef: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git + - name: bundle + value: quay.io/enterprise-contract/ec-task-bundle:snapshot + - name: kind + value: task + - name: name + value: verify-enterprise-contract + resolver: bundles workspaces: - - name: config + - name: data workspace: release-workspace - - name: verify-enterprise-contract + # TODO: Consider using matrix? + - name: verify-enterprise-contract-bundle params: - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + value: $(tasks.expand-snapshot.results.bundle-snapshot-spec) - name: SSL_CERT_DIR value: /var/run/secrets/kubernetes.io/serviceaccount - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" + value: $(workspaces.data.path)/source/policies/tekton-task/policy.yaml - name: IGNORE_REKOR value: "true" - name: EXTRA_RULE_DATA value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping taskRef: params: - name: bundle 
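Review bot: Three references that decide what code runs in this release pipeline are unpinned in this hunk: clone-repository checks out ec-cli at `revision: main`, so the `hack/*.sh` scripts and the `policies/*/policy.yaml` files that gate the release come from the tip of main rather than from the revision being released; the git-clone Task is resolved from `https://github.com/lcarva/build-definitions.git` at branch `no-root-git-clone`, a personal fork; and both verify tasks use `quay.io/enterprise-contract/ec-task-bundle:snapshot`, a floating tag. Pinning each to a commit SHA or an `@sha256:` digest would make a release reproducible and keep a push to those branches or tags from changing release behaviour without a change here. The TODO already records that the fork is a workaround; the pin is what makes it acceptable in the meantime. The previous verify task passed `STRICT: "1"` and a `TIMEOUT`, and the new verify tasks pass neither, so if the Task defaults differ a policy failure may no longer fail the run — confirm the defaults. The verify-enterprise-contract-bundle taskRef continues past the end of the hunk.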
@@ -186,33 +144,51 @@ spec:
workspaces:
- name: data
workspace: release-workspace
- - name: push-snapshot
+ - name: push
params:
- - name: snapshotPath
- value: $(tasks.collect-data.results.snapshotSpec)
- - name: dataPath
- value: $(tasks.collect-data.results.data)
- - name: resultsDirPath
- value: $(tasks.collect-data.results.resultsDir)
- retries: 5
+ - name: cli-snapshot-spec
+ value: $(tasks.expand-snapshot.results.cli-snapshot-spec)
+ - name: cli-target-repo
+ value: $(params.cli-repo)
+ - name: bundle-snapshot-spec
+ value: $(tasks.expand-snapshot.results.bundle-snapshot-spec)
+ - name: bundle-target-repo
+ value: $(params.bundle-repo)
runAfter:
- - verify-enterprise-contract
- taskRef:
+ - verify-enterprise-contract-cli
+ - verify-enterprise-contract-bundle
+ taskSpec:
params:
- - name: url
- value: https://github.com/lcarva/release-service-bundles.git
- - name: revision
- value: KFLUXBUGS-1741
- - name: pathInRepo
- value: tasks/push-snapshot/push-snapshot.yaml
- resolver: git
- when:
- - input: $(tasks.apply-mapping.results.mapped)
- operator: in
- values:
- - "true"
+ - name: cli-snapshot-spec
+ type: string
+ - name: cli-target-repo
+ type: string
+ - name: bundle-snapshot-spec
+ type: string
+ - name: bundle-target-repo
+ type: string
+ stepTemplate:
+ env:
+ - name: HOME
+ value: /tekton/home
+ workingDir: $(workspaces.source.path)/source
+ steps:
+ - command:
+ - hack/copy-snapshot-image.sh
+ - $(params.cli-snapshot-spec)
+ - $(params.cli-target-repo)
+ image: quay.io/konflux-ci/appstudio-utils:latest
+ name: copy-cli
+ - command:
+ - hack/copy-snapshot-image.sh
+ - $(params.bundle-snapshot-spec)
+ - $(params.bundle-target-repo)
+ image: quay.io/konflux-ci/appstudio-utils:latest
+ name: copy-bundle
+ workspaces:
+ - name: source
workspaces:
- - name: data
+ - name: source
workspace: release-workspace
workspaces:
- name: release-workspace
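Review bot: The new `push` task's `copy-cli` and `copy-bundle` steps run `hack/copy-snapshot-image.sh` inside `quay.io/konflux-ci/appstudio-utils:latest`, a floating tag, so the very step that copies the EC-verified CLI and bundle images into the release repositories is itself not pinned to a reviewed image; pin both steps by digest, e.g. `image: quay.io/konflux-ci/appstudio-utils:latest@sha256:<digest>`, the same way the task bundles in `.tekton/cli-build.yaml` are referenced. The script and what it does with the positional `cli-target-repo`/`bundle-target-repo` arguments are not visible here, so how it authenticates to the target registry and whether it validates those repository strings cannot be confirmed from this hunk. Because `retries: 5` and the `when: $(tasks.apply-mapping.results.mapped)` guard are dropped, the two `verify-enterprise-contract-*` tasks in `runAfter` are now the only gate before the copy, and the `STRICT: "1"` parameter removed in the preceding hunk is not set on either new verify task, so confirm the `verify-enterprise-contract` bundle's default is strict or a policy violation may not block the push. The enclosing Pipeline `spec.tasks` list starts outside this hunk.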
diff --git a/release/src/base/kustomization.yaml b/release/src/base/kustomization.yaml deleted file mode 100644 index cb62baad4..000000000 --- a/release/src/base/kustomization.yaml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - release.yaml -patches: - - path: tasks/verify-access-to-resources.yaml - target: - kind: Pipeline - - path: tasks/collect-data.yaml - target: - kind: Pipeline - - path: tasks/apply-mapping.yaml - target: - kind: Pipeline - - path: tasks/push-snapshot.yaml - target: - kind: Pipeline diff --git a/release/src/base/release.yaml b/release/src/base/release.yaml deleted file mode 100644 index bdeae4064..000000000 --- a/release/src/base/release.yaml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# This Pipeline is a variation of: -# https://github.com/konflux-ci/release-service-catalog/blob/development/pipelines/push-to-external-registry/push-to-external-registry.yaml -# It has been modified from its original version. It has been formatted to fit Tenant Release Pipelines. -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release -spec: - description: >- - Tekton pipeline to release Snapshots to a registry. - params: - - name: release - type: string - description: - The namespaced name (namespace/name) of the Release custom resource initiating this pipeline execution - - name: releasePlan - type: string - description: The namespaced name (namespace/name) of the releasePlan - - name: snapshot - type: string - description: The namespaced name (namespace/name) of the snapshot - - name: enterpriseContractPolicy - type: string - description: JSON representation of the EnterpriseContractPolicy - default: UPDATE_ME - - name: enterpriseContractExtraRuleData - type: string - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- default: "pipeline_intention=release" - - name: enterpriseContractTimeout - type: string - description: Timeout setting for `ec validate` - default: 40m0s - workspaces: - - name: release-workspace - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-access-to-resources - - name: reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: 
$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - collect-data - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: "$(tasks.collect-data.results.data)" - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - workspaces: - - name: config - workspace: release-workspace - runAfter: - - reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - - name: verify-enterprise-contract - taskRef: - resolver: "bundles" - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - params: - - name: IMAGES - value: "$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)" - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - apply-mapping - - name: push-snapshot - retries: 5 - when: - - input: "$(tasks.apply-mapping.results.mapped)" - operator: in - values: ["true"] - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - params: - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - - name: dataPath - value: 
"$(tasks.collect-data.results.data)" - - name: resultsDirPath - value: "$(tasks.collect-data.results.resultsDir)" - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-enterprise-contract - finally: - - name: cleanup - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - params: - - name: subdirectory - value: "$(context.pipelineRun.uid)" - - name: delay - value: "0" - workspaces: - - name: input - workspace: release-workspace diff --git a/release/src/base/tasks/apply-mapping.yaml b/release/src/base/tasks/apply-mapping.yaml deleted file mode 100644 index 442eedb67..000000000 --- a/release/src/base/tasks/apply-mapping.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need changes from https://github.com/konflux-ci/release-service-catalog/pull/631 to be in the -# production branch -- op: replace - path: /spec/tasks/3/taskRef/params/1/value - value: development diff --git a/release/src/base/tasks/collect-data.yaml b/release/src/base/tasks/collect-data.yaml deleted file mode 100644 index 021374782..000000000 --- a/release/src/base/tasks/collect-data.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/1/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml diff --git a/release/src/base/tasks/push-snapshot.yaml b/release/src/base/tasks/push-snapshot.yaml deleted file mode 100644 index 806e5a591..000000000 --- a/release/src/base/tasks/push-snapshot.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes to be merged and made available in the production branch: -# https://github.com/konflux-ci/release-service-catalog/pull/671 -- op: replace - path: /spec/tasks/5/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml diff --git a/release/src/base/tasks/verify-access-to-resources.yaml b/release/src/base/tasks/verify-access-to-resources.yaml deleted file mode 100644 index 80111c4a1..000000000 --- a/release/src/base/tasks/verify-access-to-resources.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/0/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml diff --git a/release/src/cli/kustomization.yaml b/release/src/cli/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/cli/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/cli/patch.yaml b/release/src/cli/patch.yaml deleted file mode 100644 index 2e1644026..000000000 --- a/release/src/cli/patch.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/cli 
diff --git a/release/src/tekton-task/kustomization.yaml b/release/src/tekton-task/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/tekton-task/kustomization.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/tekton-task/patch.yaml b/release/src/tekton-task/patch.yaml deleted file mode 100644 index 3328132e9..000000000 --- a/release/src/tekton-task/patch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/tekton-task diff --git a/release/tekton-task.yaml b/release/tekton-task.yaml deleted file mode 100644 index 58d579d49..000000000 --- a/release/tekton-task.yaml +++ /dev/null 
@@ -1,218 +0,0 @@ -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release-cli -spec: - description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace - params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release - type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan - type: string - - description: The namespaced name (namespace/name) of the snapshot - name: snapshot - type: string - - default: github.com/enterprise-contract/ec-cli//policies/tekton-task - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - - default: pipeline_intention=release - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- name: enterpriseContractExtraRuleData - type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: reduce-snapshot - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - runAfter: - - collect-data - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: 
tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git - workspaces: - - name: config - workspace: release-workspace - - name: verify-enterprise-contract - params: - - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping - taskRef: - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - resolver: bundles - workspaces: - - name: data - workspace: release-workspace - - name: push-snapshot - params: - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: resultsDirPath - value: $(tasks.collect-data.results.resultsDir) - retries: 5 - runAfter: - - verify-enterprise-contract - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - resolver: git - when: - - input: 
$(tasks.apply-mapping.results.mapped) - operator: in - values: - - "true" - workspaces: - - name: data - workspace: release-workspace - workspaces: - - name: release-workspace From 040998e5a0e8641603eae0e6c5d9e3c556516aa6 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Fri, 17 Jan 2025 10:09:01 -0500 Subject: [PATCH 5/5] Update task definitions Signed-off-by: Luiz Carvalho --- .tekton/cli-build.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.tekton/cli-build.yaml b/.tekton/cli-build.yaml index 72cf6c891..d4f8c5e6e 100644 --- a/.tekton/cli-build.yaml +++ b/.tekton/cli-build.yaml @@ -164,7 +164,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:e6b92dfd7442b261ef539d780c635163b2b2d099b8ce9455e0baf51a0fedabec - name: kind value: task resolver: bundles @@ -205,7 +205,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:c2e4e492c5f069c02ef2555514ceff65c75d4325657fd33727de68df7cca5f69 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:877e04e662dab4f2022a68de0e57dbb2d1af08a54433bb32d64305ef63b7dbee - name: kind value: task resolver: bundles @@ -234,7 +234,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:9b31f147f06d1e7fcff39844a7e991ac07f89d91b97eea63e00f32f5f457ed2e - name: kind value: task resolver: bundles 
@@ -288,7 +288,7 @@ spec: - name: name value: tkn-bundle-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.1@sha256:7d2ca9fbe8f3ba5636f18a36d086acf6cd37eef83032afa845032fe9dc7152e7 + value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.1@sha256:b4b457d18a01348bd3d7d19b0ce05754c739efb2eb44be602c3050ed99c31a21 - name: kind value: task resolver: bundles @@ -310,7 +310,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 - name: kind value: task resolver: bundles @@ -332,7 +332,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 - name: kind value: task resolver: bundles @@ -376,7 +376,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:9172196136831a61b9039ea4498fcdc71d6adc86d9694f236bea7b2a85488cd3 - name: kind value: task resolver: bundles 
@@ -398,7 +398,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae - name: kind value: task resolver: bundles @@ -441,7 +441,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:a2beb43c9f2a72f55ca17e196f66bcdaf4ff9a0b722c7e063af1f38e7003faad - name: kind value: task resolver: bundles