Skip to content

Commit

Permalink
updating tekton pipelines
Browse files Browse the repository at this point in the history
  • Loading branch information
@maknop
maknop committed Oct 29, 2024
1 parent 8d4498b commit 3f67af7
Show file tree
Hide file tree
Showing 2 changed files with 162 additions and 274 deletions.
218 changes: 81 additions & 137 deletions .tekton/frontend-operator-pull-request.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,14 +28,12 @@ spec:
value: 5d
- name: dockerfile
value: Dockerfile
- name: path-context
value: .
pipelineSpec:
description: |
This pipeline is ideal for building container images from a Containerfile while reducing network traffic.
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
_Uses `buildah` to create a container image. It also optionally creates a source image and runs some build-time tests. EC will flag a violation for [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) if any tasks are added to the pipeline.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build?tab=tags)_
_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_
finally:
- name: show-sbom
params:
Expand All @@ -46,32 +44,10 @@ spec:
- name: name
value: show-sbom
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b
- name: kind
value: task
resolver: bundles
- name: show-summary
params:
- name: pipelinerun-name
value: $(context.pipelineRun.name)
- name: git-url
value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
- name: image-url
value: $(params.output-image)
- name: build-task-status
value: $(tasks.build-image-index.status)
taskRef:
params:
- name: name
value: summary
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b
- name: kind
value: task
resolver: bundles
workspaces:
- name: workspace
workspace: workspace
params:
- description: Source Repository URL
name: git-url
Expand Down Expand Up @@ -166,14 +142,18 @@ spec:
value: $(params.git-url)
- name: revision
value: $(params.revision)
- name: ociStorage
value: $(params.output-image).git
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- init
taskRef:
params:
- name: name
value: git-clone
value: git-clone-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:2cccdf8729ad4d5adf65e8b66464f8efa1e1c87ba16d343b4a6c621a2a40f7e1
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d1e63ec00bed1c9f0f571fa76b4da570be49a7c255c610544a461495230ba1b1
- name: kind
value: task
resolver: bundles
Expand All @@ -183,77 +163,34 @@ spec:
values:
- "true"
workspaces:
- name: output
workspace: workspace
- name: basic-auth
workspace: git-auth
- name: prefetch-dependencies
params:
- name: input
value: $(params.prefetch-input)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:fe7234e3824d1e65d6a7aac352e7a6bbce623d90d8d7da9aceeee108ad2c61be
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:621b13ab4a01a366a2b1d8403cf06b2b7418afd926d13678c4432858514407d3
- name: kind
value: task
resolver: bundles
when:
- input: $(params.prefetch-input)
operator: notin
values:
- ""
workspaces:
- name: source
workspace: workspace
- name: git-basic-auth
workspace: git-auth
- name: netrc
workspace: netrc
- name: build-container
params:
- name: IMAGE
value: $(params.output-image)
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: $(params.hermetic)
- name: PREFETCH_INPUT
value: $(params.prefetch-input)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- $(params.build-args[*])
- name: BUILD_ARGS_FILE
value: $(params.build-args-file)
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: buildah
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:b105a3bcc57274c6cb0884d915bc71935c9334d1a3571d83e1df8641f0268f8b
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: run-unit-tests
params:
# New parameter to use the Trusted Artifact from the git-clone Task.
Expand Down Expand Up @@ -311,12 +248,53 @@ spec:
- name: kustomize-build
image: registry.access.redhat.com/ubi8/ubi:latest
workingDir: /var/workdir/source

script: set -e && dnf install -y make && ./kuttl_test.sh
script: set -e && dnf install -y make && ./ci/kuttl_test.sh
volumes:
# New volume to store a copy of the source code accessible only to this Task.
- name: workdir
emptyDir: {}
- name: build-container
params:
- name: IMAGE
value: $(params.output-image)
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: $(params.hermetic)
- name: PREFETCH_INPUT
value: $(params.prefetch-input)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: BUILD_ARGS
value:
- $(params.build-args[*])
- name: BUILD_ARGS_FILE
value: $(params.build-args-file)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- run-unit-tests
- run-e2e-tests
taskRef:
params:
- name: name
value: buildah-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:06946a3a676a9daa1efb16120ba0d81e0c3ce38c9f6242439e2169f27d5d2a2a
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- name: build-image-index
params:
- name: IMAGE
Expand All @@ -331,14 +309,13 @@ spec:
value:
- $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
runAfter:
- run-unit-tests
- run-e2e-tests
- build-container
taskRef:
params:
- name: name
value: build-image-index
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:327d745a58c1589b0ff196ed526d12a8a0a20ae22fd1c9dd1577b850a977dc3b
value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:e4871851566d8b496966b37bcb8c5ce9748a52487f116373d96c6cd28ef684c6
- name: kind
value: task
resolver: bundles
Expand All @@ -351,14 +328,18 @@ spec:
params:
- name: BINARY_IMAGE
value: $(params.output-image)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- build-image-index
taskRef:
params:
- name: name
value: source-build
value: source-build-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269
value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:261f075fd5a096f7b28a999b505136b2a3a5aef390087148b3131fd3ec295db3
- name: kind
value: task
resolver: bundles
Expand All @@ -371,9 +352,6 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: deprecated-base-image-check
params:
- name: IMAGE_URL
Expand Down Expand Up @@ -444,14 +422,18 @@ spec:
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- build-image-index
taskRef:
params:
- name: name
value: sast-snyk-check
value: sast-snyk-check-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:60ed62a64d73596a569eb12453e4f35b13d4f7f1a32a52415cdbeaf1abda5d45
value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:7e99a122bc9e84fd9fb29062e825d3345177337d2448dcb50324f86ec5560c7a
- name: kind
value: task
resolver: bundles
Expand All @@ -460,9 +442,6 @@ spec:
operator: in
values:
- "false"
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
params:
- name: image-digest
Expand All @@ -476,7 +455,7 @@ spec:
- name: name
value: clamav-scan
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:a94b6523ba0b691dc276e37594321c2eff3594d2753014e5c920803b47627df1
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:1e29eebe916b81b7100138d62db0e03e22d03657274d37041c59cbaca5fdbf7d
- name: kind
value: task
resolver: bundles
Expand Down Expand Up @@ -510,62 +489,27 @@ spec:
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
runAfter:
- build-image-index
taskRef:
params:
- name: name
value: push-dockerfile
value: push-dockerfile-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:674e70f7d724aaf1dd631ba9be2998ab0305fb3e0d9ec361351cc5e57bcdd3ec
value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:442f6c7d3a4d4daa7d9c4131ae2c86e604cb35dc6f09cf8c2c336a0b88976aff
- name: kind
value: task
resolver: bundles
workspaces:
- name: workspace
workspace: workspace
- name: rpms-signature-scan
params:
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: image-digest
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
runAfter:
- build-image-index
taskRef:
params:
- name: name
value: rpms-signature-scan
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8
- name: kind
value: task
resolver: bundles
when:
- input: $(params.skip-checks)
operator: in
values:
- "false"
workspaces:
- name: workspace
- name: git-auth
optional: true
- name: netrc
optional: true
taskRunTemplate: {}
workspaces:
- name: workspace
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
status: {}
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
status: {}
status: {}
Loading

0 comments on commit 3f67af7

Please sign in to comment.