feat(RELEASE-981): refactor verify-access-to-resources into a task (#464)

This PR refactors the `verify-access-to-resources` script from being
hard-coded in the pipeline to a dedicated Tekton task.

**Changes:**
- Refactored pipelines to use the new `verify-access-to-resources` task.
- Removed the inline script from each pipeline and replaced it with a
  task reference.
- Updated version and documentation to reflect these changes.

**Task details:**
- Added a README for the new task.
- Implemented a test to ensure the task correctly verifies resource
  accessibility.

Signed-off-by: Sean Conroy <[email protected]>
seanconroy2021 authored Jul 8, 2024
1 parent a9da700 commit dadf55b
Showing 20 changed files with 310 additions and 400 deletions.
2 changes: 2 additions & 0 deletions pipelines/fbc-release/README.md
Expand Up @@ -18,6 +18,8 @@ Tekton release pipeline to interact with FBC Pipeline
| postCleanUp | Cleans up workspace after finishing executing the pipeline | Yes | true |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
### Changes in 3.6.0
- Removed `verify-access-to-resources` script and replaced it with a task.

### Changes in 3.5.0
- add the task `update-cr-status` at the end of the pipeline to save all pipeline results
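
Review bot: The new `### Changes in 3.6.0` heading sits directly under the last parameter-table row (`| taskGitRevision | ...`) with no blank line between them. Add an empty line before the heading so the table and the changelog stay visually and structurally separate, matching the blank line that precedes `### Changes in 3.5.0`.
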
62 changes: 12 additions & 50 deletions pipelines/fbc-release/fbc-release.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: fbc-release
labels:
app.kubernetes.io/version: "3.5.0"
app.kubernetes.io/version: "3.6.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -80,56 +80,18 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: hub/kubernetes-actions/kubernetes-actions.yaml
value: tasks/verify-access-to-resources/verify-access-to-resources.yaml
params:
- name: image
value: "quay.io/hacbs-release/cloud-builders-kubectl\
@sha256:8ab94be8b2b4f3d117f02d868b39540fddd225447abf4014f7ba4765cb39f753"
- name: script
value: |
ORIGIN_NAMESPACE=$(echo $(params.release) | cut -f1 -d/)
TARGET_NAMESPACE=$(echo $(params.releasePlanAdmission) | cut -f1 -d/)
RSC_NAMESPACE=$(echo $(params.releaseServiceConfig) | cut -f1 -d/)
RELEASE_NAME=$(echo $(params.release) | cut -f2 -d/)
RELEASEPLAN_NAME=$(echo $(params.releasePlan) | cut -f2 -d/)
RELEASEPLANADMISSION_NAME=$(echo $(params.releasePlanAdmission) | cut -f2 -d/)
RELEASESERVICECONFIG_NAME=$(echo $(params.releaseServiceConfig) | cut -f2 -d/)
SNAPSHOT_NAME=$(echo $(params.snapshot) | cut -f2 -d/)
CAN_I_READ_RELEASES=$(kubectl auth can-i get release/${RELEASE_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANS=$(kubectl auth can-i get releaseplan/${RELEASEPLAN_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANADMISSIONS=$(kubectl auth can-i get releaseplanadmission/${RELEASEPLANADMISSION_NAME}\
-n ${TARGET_NAMESPACE})
CAN_I_READ_RELEASESERVICECONFIG=$(kubectl auth can-i get releaseserviceconfig/${RELEASESERVICECONFIG_NAME}\
-n ${RSC_NAMESPACE})
CAN_I_READ_SNAPSHOTS=$(kubectl auth can-i get snapshot/${SNAPSHOT_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_CREATE_INTERNALREQUESTS=$(kubectl auth can-i create internalrequest -n ${TARGET_NAMESPACE})
echo ""
echo "CAN_I_READ_RELEASES? ${CAN_I_READ_RELEASES}"
echo "CAN_I_READ_RELEASEPLANS? ${CAN_I_READ_RELEASEPLANS}"
echo "CAN_I_READ_RELEASEPLANADMISSIONS? ${CAN_I_READ_RELEASEPLANADMISSIONS}"
echo "CAN_I_READ_RELEASESERVICECONFIG? ${CAN_I_READ_RELEASESERVICECONFIG}"
echo "CAN_I_READ_SNAPSHOTS? ${CAN_I_READ_SNAPSHOTS}"
echo ""
echo "CAN_I_CREATE_INTERNALREQUESTS? ${CAN_I_CREATE_INTERNALREQUESTS}"
echo ""
if [ "${CAN_I_READ_RELEASES}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANADMISSIONS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASESERVICECONFIG}" == "no" ] ||\
[ "${CAN_I_READ_SNAPSHOTS}" == "no" ] ||\
[ "${CAN_I_CREATE_INTERNALREQUESTS}" == "no" ] ; then
echo "Error: Cannot read or create required Release resources!"
echo ""
echo "This indicates that your workspace is not correctly setup"
echo "Please reach out to a workspace administrator"
exit 1
fi
echo "Access to Release resources verified"
- name: release
value: $(params.release)
- name: releasePlan
value: $(params.releasePlan)
- name: releasePlanAdmission
value: $(params.releasePlanAdmission)
- name: releaseServiceConfig
value: $(params.releaseServiceConfig)
- name: snapshot
value: $(params.snapshot)
- name: collect-data
taskRef:
resolver: "git"
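
Review bot: The removed check near the end of this hunk fails open: it exits 1 only when a result equals "no" (`[ "${CAN_I_READ_RELEASES}" == "no" ] ||\` and the five tests after it), so an empty value from a `kubectl auth can-i` call that errored passes as verified. The task file at `tasks/verify-access-to-resources/verify-access-to-resources.yaml` is not part of this hunk; if the script was moved unchanged, invert the test so each of the six results must equal "yes", and add a test case where a lookup fails.
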
3 changes: 3 additions & 0 deletions pipelines/push-binaries-to-dev-portal/README.md
Expand Up @@ -18,3 +18,6 @@ Tekton pipeline to release Red Hat binaries to the Red Hat Developer Portal.
| verify_ec_task_bundle | The location of the bundle containing the verify-enterprise-contract task | No | - |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Changes in 0.2.0
- Removed `verify-access-to-resources` script and replaced it with a task.
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: push-binaries-to-dev-portal
labels:
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/version: "0.2.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -67,56 +67,18 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: hub/kubernetes-actions/kubernetes-actions.yaml
value: tasks/verify-access-to-resources/verify-access-to-resources.yaml
params:
- name: image
value: "quay.io/hacbs-release/cloud-builders-kubectl\
@sha256:8ab94be8b2b4f3d117f02d868b39540fddd225447abf4014f7ba4765cb39f753"
- name: script
value: |
ORIGIN_NAMESPACE=$(echo $(params.release) | cut -f1 -d/)
TARGET_NAMESPACE=$(echo $(params.releasePlanAdmission) | cut -f1 -d/)
RSC_NAMESPACE=$(echo $(params.releaseServiceConfig) | cut -f1 -d/)
RELEASE_NAME=$(echo $(params.release) | cut -f2 -d/)
RELEASEPLAN_NAME=$(echo $(params.releasePlan) | cut -f2 -d/)
RELEASEPLANADMISSION_NAME=$(echo $(params.releasePlanAdmission) | cut -f2 -d/)
RELEASESERVICECONFIG_NAME=$(echo $(params.releaseServiceConfig) | cut -f2 -d/)
SNAPSHOT_NAME=$(echo $(params.snapshot) | cut -f2 -d/)
CAN_I_READ_RELEASES=$(kubectl auth can-i get release/${RELEASE_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANS=$(kubectl auth can-i get releaseplan/${RELEASEPLAN_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANADMISSIONS=$(kubectl auth can-i get releaseplanadmission/${RELEASEPLANADMISSION_NAME}\
-n ${TARGET_NAMESPACE})
CAN_I_READ_RELEASESERVICECONFIG=$(kubectl auth can-i get releaseserviceconfig/${RELEASESERVICECONFIG_NAME}\
-n ${RSC_NAMESPACE})
CAN_I_READ_SNAPSHOTS=$(kubectl auth can-i get snapshot/${SNAPSHOT_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_CREATE_INTERNALREQUESTS=$(kubectl auth can-i create internalrequest -n ${TARGET_NAMESPACE})
echo ""
echo "CAN_I_READ_RELEASES? ${CAN_I_READ_RELEASES}"
echo "CAN_I_READ_RELEASEPLANS? ${CAN_I_READ_RELEASEPLANS}"
echo "CAN_I_READ_RELEASEPLANADMISSIONS? ${CAN_I_READ_RELEASEPLANADMISSIONS}"
echo "CAN_I_READ_RELEASESERVICECONFIG? ${CAN_I_READ_RELEASESERVICECONFIG}"
echo "CAN_I_READ_SNAPSHOTS? ${CAN_I_READ_SNAPSHOTS}"
echo ""
echo "CAN_I_CREATE_INTERNALREQUESTS? ${CAN_I_CREATE_INTERNALREQUESTS}"
echo ""
if [ "${CAN_I_READ_RELEASES}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANADMISSIONS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASESERVICECONFIG}" == "no" ] ||\
[ "${CAN_I_READ_SNAPSHOTS}" == "no" ] ||\
[ "${CAN_I_CREATE_INTERNALREQUESTS}" == "no" ] ; then
echo "Error: Cannot read or create required Release resources!"
echo ""
echo "This indicates that your workspace is not correctly setup"
echo "Please reach out to a workspace administrator"
exit 1
fi
echo "Access to Release resources verified"
- name: release
value: $(params.release)
- name: releasePlan
value: $(params.releasePlan)
- name: releasePlanAdmission
value: $(params.releasePlanAdmission)
- name: releaseServiceConfig
value: $(params.releaseServiceConfig)
- name: snapshot
value: $(params.snapshot)
- name: collect-data
taskRef:
resolver: "git"
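
Review bot: Dropping the `image` param in this hunk also drops the only visible pin of the kubectl image to a `@sha256:` digest, and the five params that replace it say nothing about which image the new task runs. Please confirm the step image in `tasks/verify-access-to-resources/verify-access-to-resources.yaml` is referenced by digest rather than by tag, so the access check keeps running on the same immutable image.
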
3 changes: 3 additions & 0 deletions pipelines/push-to-external-registry/README.md
Expand Up @@ -19,6 +19,9 @@ Tekton pipeline to release Snapshots to an external registry.
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Changes in 4.7.0
- Removed `verify-access-to-resources` script and replaced it with a task.

## Changes in 4.6.0
- The `push-snapshot` task now gets the `resultsDirPath` parameter from `collect-data` results

62 changes: 12 additions & 50 deletions pipelines/push-to-external-registry/push-to-external-registry.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: push-to-external-registry
labels:
app.kubernetes.io/version: "4.6.0"
app.kubernetes.io/version: "4.7.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -67,56 +67,18 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: hub/kubernetes-actions/kubernetes-actions.yaml
value: tasks/verify-access-to-resources/verify-access-to-resources.yaml
params:
- name: image
value: "quay.io/hacbs-release/cloud-builders-kubectl\
@sha256:8ab94be8b2b4f3d117f02d868b39540fddd225447abf4014f7ba4765cb39f753"
- name: script
value: |
ORIGIN_NAMESPACE=$(echo $(params.release) | cut -f1 -d/)
TARGET_NAMESPACE=$(echo $(params.releasePlanAdmission) | cut -f1 -d/)
RSC_NAMESPACE=$(echo $(params.releaseServiceConfig) | cut -f1 -d/)
RELEASE_NAME=$(echo $(params.release) | cut -f2 -d/)
RELEASEPLAN_NAME=$(echo $(params.releasePlan) | cut -f2 -d/)
RELEASEPLANADMISSION_NAME=$(echo $(params.releasePlanAdmission) | cut -f2 -d/)
RELEASESERVICECONFIG_NAME=$(echo $(params.releaseServiceConfig) | cut -f2 -d/)
SNAPSHOT_NAME=$(echo $(params.snapshot) | cut -f2 -d/)
CAN_I_READ_RELEASES=$(kubectl auth can-i get release/${RELEASE_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANS=$(kubectl auth can-i get releaseplan/${RELEASEPLAN_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANADMISSIONS=$(kubectl auth can-i get releaseplanadmission/${RELEASEPLANADMISSION_NAME}\
-n ${TARGET_NAMESPACE})
CAN_I_READ_RELEASESERVICECONFIG=$(kubectl auth can-i get releaseserviceconfig/${RELEASESERVICECONFIG_NAME}\
-n ${RSC_NAMESPACE})
CAN_I_READ_SNAPSHOTS=$(kubectl auth can-i get snapshot/${SNAPSHOT_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_CREATE_INTERNALREQUESTS=$(kubectl auth can-i create internalrequest -n ${TARGET_NAMESPACE})
echo ""
echo "CAN_I_READ_RELEASES? ${CAN_I_READ_RELEASES}"
echo "CAN_I_READ_RELEASEPLANS? ${CAN_I_READ_RELEASEPLANS}"
echo "CAN_I_READ_RELEASEPLANADMISSIONS? ${CAN_I_READ_RELEASEPLANADMISSIONS}"
echo "CAN_I_READ_RELEASESERVICECONFIG? ${CAN_I_READ_RELEASESERVICECONFIG}"
echo "CAN_I_READ_SNAPSHOTS? ${CAN_I_READ_SNAPSHOTS}"
echo ""
echo "CAN_I_CREATE_INTERNALREQUESTS? ${CAN_I_CREATE_INTERNALREQUESTS}"
echo ""
if [ "${CAN_I_READ_RELEASES}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANADMISSIONS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASESERVICECONFIG}" == "no" ] ||\
[ "${CAN_I_READ_SNAPSHOTS}" == "no" ] ||\
[ "${CAN_I_CREATE_INTERNALREQUESTS}" == "no" ] ; then
echo "Error: Cannot read or create required Release resources!"
echo ""
echo "This indicates that your workspace is not correctly setup"
echo "Please reach out to a workspace administrator"
exit 1
fi
echo "Access to Release resources verified"
- name: release
value: $(params.release)
- name: releasePlan
value: $(params.releasePlan)
- name: releasePlanAdmission
value: $(params.releasePlanAdmission)
- name: releaseServiceConfig
value: $(params.releaseServiceConfig)
- name: snapshot
value: $(params.snapshot)
- name: collect-data
taskRef:
resolver: "git"
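
Review bot: The removed script lines such as `ORIGIN_NAMESPACE=$(echo $(params.release) | cut -f1 -d/)` place Tekton params directly into the shell text, unquoted, so the param value is substituted before the shell parses the script. Since `release`, `releasePlan`, `releasePlanAdmission`, `releaseServiceConfig` and `snapshot` are now passed to the task as params, the task should hand them to its step as environment variables and reference them quoted, not repeat the `$(params.release)`-style interpolation inside the script.
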
3 changes: 3 additions & 0 deletions pipelines/release-to-github/README.md
Expand Up @@ -19,6 +19,9 @@ Tekton release pipeline to release binaries extracted from the image built with
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Changes in 3.5.0
- Removed `verify-access-to-resources` script and replaced it with a task.

## Changes in 3.4.0
- Add the task `update-cr-status` at the end of the pipeline to save all pipeline results

62 changes: 12 additions & 50 deletions pipelines/release-to-github/release-to-github.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: release-to-github
labels:
app.kubernetes.io/version: "3.4.0"
app.kubernetes.io/version: "3.5.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -68,56 +68,18 @@ spec:
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: hub/kubernetes-actions/kubernetes-actions.yaml
value: tasks/verify-access-to-resources/verify-access-to-resources.yaml
params:
- name: image
value: "quay.io/hacbs-release/cloud-builders-kubectl\
@sha256:8ab94be8b2b4f3d117f02d868b39540fddd225447abf4014f7ba4765cb39f753"
- name: script
value: |
ORIGIN_NAMESPACE=$(echo $(params.release) | cut -f1 -d/)
TARGET_NAMESPACE=$(echo $(params.releasePlanAdmission) | cut -f1 -d/)
RSC_NAMESPACE=$(echo $(params.releaseServiceConfig) | cut -f1 -d/)
RELEASE_NAME=$(echo $(params.release) | cut -f2 -d/)
RELEASEPLAN_NAME=$(echo $(params.releasePlan) | cut -f2 -d/)
RELEASEPLANADMISSION_NAME=$(echo $(params.releasePlanAdmission) | cut -f2 -d/)
RELEASESERVICECONFIG_NAME=$(echo $(params.releaseServiceConfig) | cut -f2 -d/)
SNAPSHOT_NAME=$(echo $(params.snapshot) | cut -f2 -d/)
CAN_I_READ_RELEASES=$(kubectl auth can-i get release/${RELEASE_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANS=$(kubectl auth can-i get releaseplan/${RELEASEPLAN_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_READ_RELEASEPLANADMISSIONS=$(kubectl auth can-i get releaseplanadmission/${RELEASEPLANADMISSION_NAME}\
-n ${TARGET_NAMESPACE})
CAN_I_READ_RELEASESERVICECONFIG=$(kubectl auth can-i get releaseserviceconfig/${RELEASESERVICECONFIG_NAME}\
-n ${RSC_NAMESPACE})
CAN_I_READ_SNAPSHOTS=$(kubectl auth can-i get snapshot/${SNAPSHOT_NAME} -n ${ORIGIN_NAMESPACE})
CAN_I_CREATE_INTERNALREQUESTS=$(kubectl auth can-i create internalrequest -n ${TARGET_NAMESPACE})
echo ""
echo "CAN_I_READ_RELEASES? ${CAN_I_READ_RELEASES}"
echo "CAN_I_READ_RELEASEPLANS? ${CAN_I_READ_RELEASEPLANS}"
echo "CAN_I_READ_RELEASEPLANADMISSIONS? ${CAN_I_READ_RELEASEPLANADMISSIONS}"
echo "CAN_I_READ_RELEASESERVICECONFIG? ${CAN_I_READ_RELEASESERVICECONFIG}"
echo "CAN_I_READ_SNAPSHOTS? ${CAN_I_READ_SNAPSHOTS}"
echo ""
echo "CAN_I_CREATE_INTERNALREQUESTS? ${CAN_I_CREATE_INTERNALREQUESTS}"
echo ""
if [ "${CAN_I_READ_RELEASES}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASEPLANADMISSIONS}" == "no" ] ||\
[ "${CAN_I_READ_RELEASESERVICECONFIG}" == "no" ] ||\
[ "${CAN_I_READ_SNAPSHOTS}" == "no" ] ||\
[ "${CAN_I_CREATE_INTERNALREQUESTS}" == "no" ] ; then
echo "Error: Cannot read or create required Release resources!"
echo ""
echo "This indicates that your workspace is not correctly setup"
echo "Please reach out to a workspace administrator"
exit 1
fi
echo "Access to Release resources verified"
- name: release
value: $(params.release)
- name: releasePlan
value: $(params.releasePlan)
- name: releasePlanAdmission
value: $(params.releasePlanAdmission)
- name: releaseServiceConfig
value: $(params.releaseServiceConfig)
- name: snapshot
value: $(params.snapshot)
- name: collect-data
taskRef:
resolver: "git"
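
Review bot: Nothing in the removed parsing (`cut -f1 -d/` for the namespace, `cut -f2 -d/` for the name) rejects a value that lacks a `/`; `cut` then returns the whole string for both fields, and the access check runs against a namespace and a resource that share one name. The five params passed at the end of this hunk all rely on the `namespace/name` form, so have the task validate that form up front and fail with a message naming the offending param.
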
3 changes: 3 additions & 0 deletions pipelines/rh-advisories/README.md
Expand Up @@ -22,6 +22,9 @@ the rh-push-to-registry-redhat-io pipeline.
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Changes in 0.12.0
- Removed `verify-access-to-resources` script and replaced it with a task

## Changes in 0.11.1
- The `embargo-check` task runs before the `push-snapshot` task so that embargoed content is not pushed anywhere
