From a5d63c6324a20dfc4f4671dfe6e64dd5b8178548 Mon Sep 17 00:00:00 2001 From: Happy Bhati Date: Fri, 10 Mar 2023 16:31:00 -0500 Subject: [PATCH] feat(HACBS-1798): add bundle resolver This commit contains the implementation of the Tekton bundle resolver. pipelineRef.bundle and taskRef.bundle are being deprecated; the new format is added to the whole catalog. For the corresponding release-service change, refer to HACBS-1780
Signed-off-by: Happy Bhati --- catalog/pipeline/deploy-release/0.2/README.md | 15 ++ .../deploy-release/0.2/deploy-release.yaml | 41 ++++ .../samples/sample_release_PipelineRun.yaml | 21 ++ .../deploy-release/0.2/tests/run.yaml | 21 ++ catalog/pipeline/fbc-release/0.8/README.md | 55 +++++ .../pipeline/fbc-release/0.8/fbc-release.yaml | 138 +++++++++++++ .../samples/sample_release_PipelineRun.yaml | 39 ++++ .../pipeline/fbc-release/0.8/tests/run.yaml | 39 ++++ .../push-to-external-registry/0.5/README.md | 40 ++++ .../0.5/push-to-external-registry.yaml | 193 ++++++++++++++++++ ...push-to-external-registry_PipelineRun.yaml | 35 ++++ .../0.5/tests/run.yaml | 35 ++++ catalog/pipeline/release/0.10/README.md | 84 ++++++++ catalog/pipeline/release/0.10/release.yaml | 148 ++++++++++++++ .../samples/sample_release_PipelineRun.yaml | 29 +++ catalog/pipeline/release/0.10/tests/run.yaml | 29 +++ catalog/task/apply-mapping/0.4/README.md | 53 +++++ .../task/apply-mapping/0.4/apply-mapping.yaml | 67 ++++++ .../samples/sample_apply-mapping_TaskRun.yaml | 19 ++ catalog/task/apply-mapping/0.4/tests/run.yaml | 19 ++ catalog/task/cleanup-workspace/0.3/README.md | 35 ++++ .../0.3/cleanup-workspace.yaml | 39 ++++ .../sample_cleanup-workspace_TaskRun.yaml | 19 ++ .../task/cleanup-workspace/0.3/tests/run.yaml | 19 ++ .../create-internal-request/0.5/README.md | 36 ++++ .../0.5/create-internal-request.yaml | 120 +++++++++++ ...ample_create-internal-request_TaskRun.yaml | 35 ++++ .../0.5/tests/run.yaml | 35 ++++ catalog/task/create-pyxis-image/0.4/README.md | 32 +++ .../0.4/create-pyxis-image.yaml | 85 ++++++++ .../sample_create-pyxis-image_TaskRun.yaml | 23 +++ .../create-pyxis-image/0.4/tests/run.yaml | 23 +++ catalog/task/prepare-validation/0.4/README.md | 41 ++++ .../0.4/prepare-validation.yaml | 31 +++ .../sample_prepare-validation_TaskRun.yaml | 19 ++ .../prepare-validation/0.4/tests/run.yaml | 19 ++ catalog/task/push-sbom-to-pyxis/0.2/README.md | 28 +++ .../0.2/push-sbom-to-pyxis.yaml 
| 35 ++++ .../sample_push-sbom-to-pyxis_TaskRun.yaml | 19 ++ .../push-sbom-to-pyxis/0.2/tests/run.yaml | 19 ++ catalog/task/push-snapshot/0.6/README.md | 42 ++++ .../task/push-snapshot/0.6/push-snapshot.yaml | 97 +++++++++ .../samples/sample_push-snapshot_TaskRun.yaml | 21 ++ catalog/task/push-snapshot/0.6/tests/run.yaml | 21 ++ catalog/task/sign-index-image/0.2/README.md | 20 ++ .../0.2/samples/sign-index-image_TaskRun.yaml | 29 +++ .../0.2/sign-index-image.yaml | 117 +++++++++++ .../task/sign-index-image/0.2/tests/run.yaml | 29 +++ catalog/task/skopeo-copy/0.2/README.md | 18 ++ .../samples/sample_skopeo-copy_TaskRun.yaml | 27 +++ catalog/task/skopeo-copy/0.2/skopeo-copy.yaml | 54 +++++ catalog/task/skopeo-copy/0.2/tests/run.yaml | 27 +++ 52 files changed, 2334 insertions(+) create mode 100644 catalog/pipeline/deploy-release/0.2/README.md create mode 100644 catalog/pipeline/deploy-release/0.2/deploy-release.yaml create mode 100644 catalog/pipeline/deploy-release/0.2/samples/sample_release_PipelineRun.yaml create mode 100644 catalog/pipeline/deploy-release/0.2/tests/run.yaml create mode 100644 catalog/pipeline/fbc-release/0.8/README.md create mode 100644 catalog/pipeline/fbc-release/0.8/fbc-release.yaml create mode 100644 catalog/pipeline/fbc-release/0.8/samples/sample_release_PipelineRun.yaml create mode 100644 catalog/pipeline/fbc-release/0.8/tests/run.yaml create mode 100644 catalog/pipeline/push-to-external-registry/0.5/README.md create mode 100644 catalog/pipeline/push-to-external-registry/0.5/push-to-external-registry.yaml create mode 100644 catalog/pipeline/push-to-external-registry/0.5/samples/sample_push-to-external-registry_PipelineRun.yaml create mode 100644 catalog/pipeline/push-to-external-registry/0.5/tests/run.yaml create mode 100644 catalog/pipeline/release/0.10/README.md create mode 100644 catalog/pipeline/release/0.10/release.yaml create mode 100644 catalog/pipeline/release/0.10/samples/sample_release_PipelineRun.yaml create mode 100644 
catalog/pipeline/release/0.10/tests/run.yaml create mode 100644 catalog/task/apply-mapping/0.4/README.md create mode 100644 catalog/task/apply-mapping/0.4/apply-mapping.yaml create mode 100644 catalog/task/apply-mapping/0.4/samples/sample_apply-mapping_TaskRun.yaml create mode 100644 catalog/task/apply-mapping/0.4/tests/run.yaml create mode 100644 catalog/task/cleanup-workspace/0.3/README.md create mode 100644 catalog/task/cleanup-workspace/0.3/cleanup-workspace.yaml create mode 100644 catalog/task/cleanup-workspace/0.3/samples/sample_cleanup-workspace_TaskRun.yaml create mode 100644 catalog/task/cleanup-workspace/0.3/tests/run.yaml create mode 100644 catalog/task/create-internal-request/0.5/README.md create mode 100644 catalog/task/create-internal-request/0.5/create-internal-request.yaml create mode 100644 catalog/task/create-internal-request/0.5/samples/sample_create-internal-request_TaskRun.yaml create mode 100644 catalog/task/create-internal-request/0.5/tests/run.yaml create mode 100644 catalog/task/create-pyxis-image/0.4/README.md create mode 100644 catalog/task/create-pyxis-image/0.4/create-pyxis-image.yaml create mode 100644 catalog/task/create-pyxis-image/0.4/samples/sample_create-pyxis-image_TaskRun.yaml create mode 100644 catalog/task/create-pyxis-image/0.4/tests/run.yaml create mode 100644 catalog/task/prepare-validation/0.4/README.md create mode 100644 catalog/task/prepare-validation/0.4/prepare-validation.yaml create mode 100644 catalog/task/prepare-validation/0.4/samples/sample_prepare-validation_TaskRun.yaml create mode 100644 catalog/task/prepare-validation/0.4/tests/run.yaml create mode 100644 catalog/task/push-sbom-to-pyxis/0.2/README.md create mode 100644 catalog/task/push-sbom-to-pyxis/0.2/push-sbom-to-pyxis.yaml create mode 100644 catalog/task/push-sbom-to-pyxis/0.2/sample/sample_push-sbom-to-pyxis_TaskRun.yaml create mode 100644 catalog/task/push-sbom-to-pyxis/0.2/tests/run.yaml create mode 100644 catalog/task/push-snapshot/0.6/README.md 
create mode 100644 catalog/task/push-snapshot/0.6/push-snapshot.yaml
create mode 100644 catalog/task/push-snapshot/0.6/samples/sample_push-snapshot_TaskRun.yaml
create mode 100644 catalog/task/push-snapshot/0.6/tests/run.yaml
create mode 100644 catalog/task/sign-index-image/0.2/README.md
create mode 100644 catalog/task/sign-index-image/0.2/samples/sign-index-image_TaskRun.yaml
create mode 100644 catalog/task/sign-index-image/0.2/sign-index-image.yaml
create mode 100644 catalog/task/sign-index-image/0.2/tests/run.yaml
create mode 100644 catalog/task/skopeo-copy/0.2/README.md
create mode 100644 catalog/task/skopeo-copy/0.2/samples/sample_skopeo-copy_TaskRun.yaml
create mode 100644 catalog/task/skopeo-copy/0.2/skopeo-copy.yaml
create mode 100644 catalog/task/skopeo-copy/0.2/tests/run.yaml
diff --git a/catalog/pipeline/deploy-release/0.2/README.md b/catalog/pipeline/deploy-release/0.2/README.md
new file mode 100644
index 000000000..67ff23e2e
--- /dev/null
+++ b/catalog/pipeline/deploy-release/0.2/README.md
@@ -0,0 +1,15 @@
+# Release Pipeline
+
+Tekton pipeline to verify Snapshot prior to Deployment
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|------|-------------|----------|---------------|
+| snapshot | The Snapshot in JSON format | No | - |
+| enterpriseContractPolicy | JSON representation of the policy to be applied when validating the enterprise contract | No | - |
+
+## Changes since 0.1
+
+The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated,
+bundles resolver is used with new format.
\ No newline at end of file
diff --git a/catalog/pipeline/deploy-release/0.2/deploy-release.yaml b/catalog/pipeline/deploy-release/0.2/deploy-release.yaml
new file mode 100644
index 000000000..2b1f4ed0e
--- /dev/null
+++ b/catalog/pipeline/deploy-release/0.2/deploy-release.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: deploy-release
+ labels:
+ app.kubernetes.io/version: "0.2"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: release
+spec:
+ description: >-
+ Tekton pipeline to verify Snapshot prior to Deployment
+ params:
+ - name: snapshot
+ type: string
+ description: The Snapshot in JSON format
+ - name: enterpriseContractPolicy
+ type: string
+ description: JSON representation of the EnterpriseContractPolicy
+ tasks:
+ - name: verify-enterprise-contract
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-contract/ec-task-bundle:snapshot
+ - name: kind
+ value: task
+ - name: name
+ value: verify-enterprise-contract
+ params:
+ - name: IMAGES
+ value: $(params.snapshot)
+ - name: SSL_CERT_DIR
+ value: /var/run/secrets/kubernetes.io/serviceaccount
+ - name: POLICY_CONFIGURATION
+ value: $(params.enterpriseContractPolicy)
+ - name: STRICT
+ value: "1"
diff --git a/catalog/pipeline/deploy-release/0.2/samples/sample_release_PipelineRun.yaml b/catalog/pipeline/deploy-release/0.2/samples/sample_release_PipelineRun.yaml
new file mode 100644
index 000000000..84a459e60
--- /dev/null
+++ b/catalog/pipeline/deploy-release/0.2/samples/sample_release_PipelineRun.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: release-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-deploy-release:0.2
+ - name: kind
+ value: pipeline
+ - name: name
+ value: deploy-release
diff --git a/catalog/pipeline/deploy-release/0.2/tests/run.yaml b/catalog/pipeline/deploy-release/0.2/tests/run.yaml
new file mode 100644
index 000000000..84a459e60
--- /dev/null
+++ b/catalog/pipeline/deploy-release/0.2/tests/run.yaml
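Review bot: The `verify-enterprise-contract` task in deploy-release.yaml is resolved from `quay.io/hacbs-contract/ec-task-bundle:snapshot`, a tag that can be re-pointed, so what the policy gate actually runs is decided by whoever can push to that repository at run time rather than by this file. Pinning the reference by digest keeps the tag readable and makes the resolved task immutable, e.g. `value: quay.io/hacbs-contract/ec-task-bundle:snapshot@sha256:DIGEST_PLACEHOLDER`. The same applies to the tag-only bundle references in fbc-release.yaml, push-to-external-registry.yaml and release.yaml, the last of which uses `:main` for three of its tasks.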
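Review bot: In the sample PipelineRun, `resolver` and `params` sit under a `resolverRef:` key inside `pipelineRef`, but as far as I know the Tekton v1 API inlines those fields, so the expected form is `pipelineRef:` followed directly by `resolver: "bundles"` and `params:`. With the extra wrapper the reference is likely to be rejected or to resolve to nothing, depending on how strictly the cluster decodes unknown fields. Every `taskRef` and `pipelineRef` added in this patch uses the same wrapper, so it is worth applying one of the samples to a cluster to confirm before merging.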
@@ -0,0 +1,21 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: release-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-deploy-release:0.2
+ - name: kind
+ value: pipeline
+ - name: name
+ value: deploy-release
diff --git a/catalog/pipeline/fbc-release/0.8/README.md b/catalog/pipeline/fbc-release/0.8/README.md
new file mode 100644
index 000000000..5d4212502
--- /dev/null
+++ b/catalog/pipeline/fbc-release/0.8/README.md
@@ -0,0 +1,55 @@
+# FBC Release Pipeline
+
+FBC Release Pipeline
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|------|-------------|----------|---------------|
+| snapshot | The Snapshot in JSON format | No | - |
+| enterpriseContractPolicy | JSON representation of the EnterpriseContractPolicy | No | - |
+| fromIndex | Index image (catalog of catalogs) the FBC fragment will be added to | No | - |
+| overWriteFromIndex | Boolean indicating if the fromIndex should be overwritten | Yes | "false" |
+| binaryImage | OCP binary image to be baked into the index image | Yes | "" |
+| buildTags | List of additional tags the internal index image copy should be tagged with | Yes | "[]" |
+| addArches | List of arches the index image should be built for | Yes | "[]" |
+| requester | Name of the user that requested the signing, for auditing purposes | No | - |
+| signingConfigMapName | The ConfigMap Name required by the Pipeline | No | - |
+| requestUpdateTimeout | Max seconds to wait until the status is updated | Yes | - |
+| buildTimeoutSeconds | Max seconds to wait until the build finishes | Yes | - |
+
+## Changelog
+
+## Changes since 0.4
+The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated,
+bundles resolver is used with new format.
+
+### Changes since 0.6
+- adds sign-index-image task
+- refactor task and change its reference name from `create-internal-request`
+ to `add-fbc-contribution-to-index-image`
+- adds `requester` and `signingConfigMapName` parameters
+- removes `resolvedIndexImage` result
+
+### Changes since 0.5
+- updates `create-internal-request` task version to 0.3
+
+### Changes since 0.4
+- updates `create-internal-request` task version to 0.2
+- adds `resolvedIndexImage` result
+
+### Changes since 0.3
+- removes param `fbcFragment`
+- adds param `buildTimeoutSeconds`
+
+### Changes since 0.2
+- renames the pipeline to `fbc-release`
+- forces the pipeline to run after `verify-enterprise-contract`
+
+### Changes since 0.1
+- adds param `requestUpdateTimeout`
+- adds task result values to the pipeline results
+ - `requestMessage` gets `$(tasks.create-internal-request.results.requestMessage)`
+ - `requestReason` gets `$(tasks.create-internal-request.results.requestReason)`
+ - `requestResults` gets `$(tasks.create-internal-request.results.requestResults)`
+- changes `verify-enterprise-contract` task version
diff --git a/catalog/pipeline/fbc-release/0.8/fbc-release.yaml b/catalog/pipeline/fbc-release/0.8/fbc-release.yaml
new file mode 100644
index 000000000..e4e18fc43
--- /dev/null
+++ b/catalog/pipeline/fbc-release/0.8/fbc-release.yaml
@@ -0,0 +1,138 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: fbc-release
+ labels:
+ app.kubernetes.io/version: "0.8"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: release
+spec:
+ description: >-
+ Tekton release pipeline to interact with FBC Pipeline
+ params:
+ - name: snapshot
+ type: string
+ description: The Snapshot in JSON format
+ - name: enterpriseContractPolicy
+ type: string
+ description: JSON representation of the EnterpriseContractPolicy
+ - name: fromIndex
+ type: string
+ description: The source Index image (catalog of catalogs) FBC fragment
+ - name: targetIndex
+ type: string
+ description: Index image (catalog of catalogs) the FBC fragment will be added to
+ - name: overwriteFromIndex
+ type: string
+ description: Boolean indicating if the fromIndex should be overwritten
+ - name: binaryImage
+ type: string
+ default: ""
+ description: OCP binary image to be baked into the index image
+ - name: buildTags
+ type: string
+ default: "[]"
+ description: List of additional tags the internal index image copy should be tagged with
+ - name: addArches
+ type: string
+ default: "[]"
+ description: List arches to be added to be built
+ - name: requester
+ type: string
+ description: Name of the user that requested the signing, for auditing purposes
+ - name: signingConfigMapName
+ type: string
+ default: "hacbs-signing-pipeline-config"
+ description: The ConfigMap to be used by the signing Pipeline
+ - name: requestUpdateTimeout
+ type: string
+ description: Max seconds to wait until the status is updated
+ - name: buildTimeoutSeconds
+ type: string
+ description: Max seconds to wait until the build finishes
+ results:
+ - name: requestMessage
+ value: $(tasks.add-fbc-contribution-to-index-image.results.requestMessage)
+ - name: requestReason
+ value: $(tasks.add-fbc-contribution-to-index-image.results.requestReason)
+ - name: requestResults
+ value: $(tasks.add-fbc-contribution-to-index-image.results.requestResults)
+ tasks:
+ - name: verify-enterprise-contract
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-contract/ec-task-bundle:snapshot
+ - name: kind
+ value: task
+ - name: name
+ value: verify-enterprise-contract
+ params:
+ - name: IMAGES
+ value: $(params.snapshot)
+ - name: SSL_CERT_DIR
+ value: /var/run/secrets/kubernetes.io/serviceaccount
+ - name: POLICY_CONFIGURATION
+ value: $(params.enterpriseContractPolicy)
+ - name: STRICT
+ value: "1"
+ - name: add-fbc-contribution-to-index-image
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-create-internal-request:0.4
+ - name: kind
+ value: task
+ - name: name
+ value: create-internal-request
+ params:
+ - name: pipelineRunName
+ value: $(context.pipelineRun.name)
+ - name: fbcFragment
+ value: $(params.snapshot)
+ - name: fromIndex
+ value: $(params.fromIndex)
+ - name: overwriteFromIndex
+ value: $(params.overwriteFromIndex)
+ - name: binaryImage
+ value: $(params.binaryImage)
+ - name: buildTags
+ value: $(params.buildTags)
+ - name: addArches
+ value: $(params.addArches)
+ - name: requestUpdateTimeout
+ value: $(params.requestUpdateTimeout)
+ - name: buildTimeoutSeconds
+ value: $(params.buildTimeoutSeconds)
+ runAfter:
+ - verify-enterprise-contract
+ - name: sign-index-image
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-sign-index-image:0.1
+ - name: kind
+ value: task
+ - name: name
+ value: sign-index-image
+ params:
+ - name: pipelineRunName
+ value: $(context.pipelineRun.name)
+ - name: requestJsonResults
+ value: $(tasks.add-fbc-contribution-to-index-image.results.requestResults)
+ - name: targetIndex
+ value: $(params.targetIndex)
+ - name: requester
+ value: $(params.requester)
+ - name: configMapName
+ value: $(params.signingConfigMapName)
+ - name: requestUpdateTimeout
+ value: $(params.requestUpdateTimeout)
diff --git a/catalog/pipeline/fbc-release/0.8/samples/sample_release_PipelineRun.yaml b/catalog/pipeline/fbc-release/0.8/samples/sample_release_PipelineRun.yaml
new file mode 100644
index 000000000..1586b17ab
--- /dev/null
+++ b/catalog/pipeline/fbc-release/0.8/samples/sample_release_PipelineRun.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: fbc-release-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ - name: fromIndex
+ value: ""
+ - name: overwriteFromIndex
+ value: ""
+ - name: binaryImage
+ value: ""
+ - name: buildTags
+ value: ""
+ - name: addArches
+ value: ""
+ - name: requester
+ value: ""
+ - name: signingConfigMapName
+ value: ""
+ - name: requestUpdateTimeout
+ value: ""
+ - name: buildTimeoutSeconds
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-fbc-release:0.8
+ - name: kind
+ value: pipeline
+ - name: name
+ value: fbc-release
diff --git a/catalog/pipeline/fbc-release/0.8/tests/run.yaml b/catalog/pipeline/fbc-release/0.8/tests/run.yaml
new file mode 100644
index 000000000..1586b17ab
--- /dev/null
+++ b/catalog/pipeline/fbc-release/0.8/tests/run.yaml
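Review bot: In fbc-release.yaml, `requester` is described as being recorded "for auditing purposes", yet it is a free-form string param forwarded unchanged to `sign-index-image`, so whoever creates the PipelineRun chooses the name that ends up attached to the signing request. Whether the signing side verifies it is not visible in this hunk. If it does not, the description should say so, for example `description: Name of the user that requested the signing (caller-supplied and unverified)`, so that consumers of the audit data do not treat it as an authenticated identity.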
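Review bot: The fbc-release sample PipelineRun omits `targetIndex`, which fbc-release.yaml declares without a default, so this run would presumably fail parameter validation before any task starts; adding `- name: targetIndex` with `value: ""` next to the other params fixes that. The sample also sets `signingConfigMapName` to `""`, which overrides the pipeline default `hacbs-signing-pipeline-config`; dropping that entry lets the default apply. tests/run.yaml for this pipeline has the same blob id and needs the same change.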
@@ -0,0 +1,39 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: fbc-release-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ - name: fromIndex
+ value: ""
+ - name: overwriteFromIndex
+ value: ""
+ - name: binaryImage
+ value: ""
+ - name: buildTags
+ value: ""
+ - name: addArches
+ value: ""
+ - name: requester
+ value: ""
+ - name: signingConfigMapName
+ value: ""
+ - name: requestUpdateTimeout
+ value: ""
+ - name: buildTimeoutSeconds
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-fbc-release:0.8
+ - name: kind
+ value: pipeline
+ - name: name
+ value: fbc-release
diff --git a/catalog/pipeline/push-to-external-registry/0.5/README.md b/catalog/pipeline/push-to-external-registry/0.5/README.md
new file mode 100644
index 000000000..3ea36b66d
--- /dev/null
+++ b/catalog/pipeline/push-to-external-registry/0.5/README.md
@@ -0,0 +1,40 @@
+# Push to External Registry Pipeline
+
+Tekton pipeline to push images to an external registry.
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|------|-------------|----------|---------------|
+| snapshot | The Snapshot in JSON format | No | - |
+| enterpriseContractPolicy | JSON representation of the policy to be applied when validating the enterprise contract | No | - |
+| extraConfigGitUrl |URL to the remote Git repository containing the extra config | No | - |
+| extraConfigGitRevision | Revision to fetch from the remote Git repository containing the extra config | No | - |
+| extraConfigPath | Path to the extra config file within the repository | No | - |
+| tag | The default tag to use when mapping file does not contain a tag | No | - |
+| addShaTag | When pushing the snapshot components, also push a tag with the image sha | Yes | true |
+| addTimestampTag | When pushing the snapshot components, also push a tag with the current timestamp | Yes | false |
+| pyxisServerType | The Pyxis server type to use. Options are 'production' and 'stage' | No | - |
+| pyxisSecret | The kubernetes secret to use to authenticate to Pyxis | No | - |
+| postCleanUp | Cleans up workspace after finishing executing the pipeline | Yes | true |
+
+## Changes since 0.4
+
+The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated,
+bundles resolver is used with new format.
+
+## Changes since 0.3
+
+* Upgrade push-snapshot task to version 0.5
+ * addShaTag parameter is now supported and passed as a pipeline parameter to the task
+ * addTimestampTag parameter is now supported and passed as a pipeline parameter to the task
+
+## Changes since 0.2
+
+* push-snapshot now supports tag parameter
+
+## Changes since 0.1
+
+* Upgrade create-pyxis-image task to version 0.2
+ * correct incorrect snapshot param
+
diff --git a/catalog/pipeline/push-to-external-registry/0.5/push-to-external-registry.yaml b/catalog/pipeline/push-to-external-registry/0.5/push-to-external-registry.yaml
new file mode 100644
index 000000000..dc44ec370
--- /dev/null
+++ b/catalog/pipeline/push-to-external-registry/0.5/push-to-external-registry.yaml
@@ -0,0 +1,193 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: push-to-external-registry
+ labels:
+ app.kubernetes.io/version: "0.5"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: release
+spec:
+ description: >-
+ Tekton pipeline to release HACBS Snapshot to Quay
+ params:
+ - name: snapshot
+ type: string
+ description: The Snapshot in JSON format
+ - name: enterpriseContractPolicy
+ type: string
+ description: JSON representation of the EnterpriseContractPolicy
+ - name: extraConfigGitUrl
+ type: string
+ description: URL to the remote Git repository containing the extra config
+ default: ""
+ - name: extraConfigGitRevision
+ type: string
+ description: Revision to fetch from the remote Git repository containing the extra config
+ default: ""
+ - name: extraConfigPath
+ type: string
+ description: Path to the extra config file within the repository
+ default: ""
+ - name: tag
+ type: string
+ description: The default tag to use when mapping file does not contain a tag
+ - name: addShaTag
+ type: string
+ description: When pushing the snapshot components, also push a tag with the image sha
+ default: "true"
+ - name: addTimestampTag
+ type: string
+ description: When pushing the snapshot components, also push a tag with the current timestamp
+ default: "false"
+ - name: pyxisServerType
+ type: string
+ description: The Pyxis server type to use. Options are 'production' and 'stage'
+ - name: pyxisSecret
+ type: string
+ description: The kubernetes secret to use to authenticate to Pyxis
+ - name: postCleanUp
+ type: string
+ description: Cleans up workspace after finishing executing the pipeline
+ default: "true"
+ workspaces:
+ - name: release-workspace
+ tasks:
+ - name: clone-config-file
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/redhat-appstudio/appstudio-tasks:583d33c8ddf0de2ea8e1a73d94a1ca4a6e6ed380-1
+ - name: kind
+ value: task
+ - name: name
+ value: git-clone
+ when:
+ - input: $(params.extraConfigGitUrl)
+ operator: notin
+ values: [""]
+ params:
+ - name: url
+ value: $(params.extraConfigGitUrl)
+ - name: revision
+ value: $(params.extraConfigGitRevision)
+ - name: subdirectory
+ value: "$(context.pipelineRun.uid)"
+ workspaces:
+ - name: output
+ workspace: release-workspace
+ - name: apply-mapping
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-apply-mapping:0.3
+ - name: kind
+ value: task
+ - name: name
+ value: apply-mapping
+ params:
+ - name: snapshot
+ value: $(params.snapshot)
+ - name: extraConfigPath
+ value: "$(context.pipelineRun.uid)/$(params.extraConfigPath)"
+ when:
+ - input: $(tasks.clone-config-file.results.commit)
+ operator: notin
+ values: [""]
+ workspaces:
+ - name: config
+ workspace: release-workspace
+ - name: verify-enterprise-contract
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-contract/ec-task-bundle:snapshot
+ - name: kind
+ value: task
+ - name: name
+ value: verify-enterprise-contract
+ params:
+ - name: IMAGES
+ value: $(tasks.apply-mapping.results.snapshot)
+ - name: SSL_CERT_DIR
+ value: /var/run/secrets/kubernetes.io/serviceaccount
+ - name: POLICY_CONFIGURATION
+ value: $(params.enterpriseContractPolicy)
+ - name: STRICT
+ value: "1"
+ - name: push-snapshot
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-push-snapshot:0.5
+ - name: kind
+ value: task
+ - name: name
+ value: push-snapshot
+ params:
+ - name: mappedSnapshot
+ value: $(tasks.apply-mapping.results.snapshot)
+ - name: tag
+ value: $(params.tag)
+ - name: addShaTag
+ value: $(params.addShaTag)
+ - name: addTimestampTag
+ value: $(params.addTimestampTag)
+ runAfter:
+ - verify-enterprise-contract
+ - name: create-pyxis-image
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-create-pyxis-image:0.3
+ - name: kind
+ value: task
+ - name: name
+ value: create-pyxis-image
+ params:
+ - name: server
+ value: $(params.pyxisServerType)
+ - name: pyxisSecret
+ value: $(params.pyxisSecret)
+ - name: tag
+ value: $(params.tag)
+ - name: mappedSnapshot
+ value: $(tasks.apply-mapping.results.snapshot)
+ runAfter:
+ - push-snapshot
+ finally:
+ - name: cleanup
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-cleanup-workspace:0.2
+ - name: kind
+ value: task
+ - name: name
+ value: cleanup-workspace
+ when:
+ - input: $(params.postCleanUp)
+ operator: in
+ values: ["true"]
+ - input: $(params.extraConfigGitUrl)
+ operator: notin
+ values: [""]
+ params:
+ - name: subdirectory
+ value: "$(context.pipelineRun.uid)"
+ workspaces:
+ - name: input
+ workspace: release-workspace
diff --git a/catalog/pipeline/push-to-external-registry/0.5/samples/sample_push-to-external-registry_PipelineRun.yaml b/catalog/pipeline/push-to-external-registry/0.5/samples/sample_push-to-external-registry_PipelineRun.yaml
new file mode 100644
index 000000000..07ed05e8b
--- /dev/null
+++ b/catalog/pipeline/push-to-external-registry/0.5/samples/sample_push-to-external-registry_PipelineRun.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: push-to-external-registry-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ - name: extraConfigGitUrl
+ value: ""
+ - name: extraConfigGitRevision
+ value: ""
+ - name: extraConfigPath
+ value: ""
+ - name: pyxisServerType
+ value: ""
+ - name: pyxisSecret
+ value: ""
+ - name: tag
+ value: ""
+ - name: postCleanUp
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-push-to-external-registry:0.5
+ - name: kind
+ value: pipeline
+ - name: name
+ value: push-to-external-registry
diff --git a/catalog/pipeline/push-to-external-registry/0.5/tests/run.yaml b/catalog/pipeline/push-to-external-registry/0.5/tests/run.yaml
new file mode 100644
index 000000000..07ed05e8b
--- /dev/null
+++ b/catalog/pipeline/push-to-external-registry/0.5/tests/run.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: push-to-external-registry-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ - name: extraConfigGitUrl
+ value: ""
+ - name: extraConfigGitRevision
+ value: ""
+ - name: extraConfigPath
+ value: ""
+ - name: pyxisServerType
+ value: ""
+ - name: pyxisSecret
+ value: ""
+ - name: tag
+ value: ""
+ - name: postCleanUp
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-push-to-external-registry:0.5
+ - name: kind
+ value: pipeline
+ - name: name
+ value: push-to-external-registry
diff --git a/catalog/pipeline/release/0.10/README.md b/catalog/pipeline/release/0.10/README.md
new file mode 100644
index 000000000..38bbf8c6e
--- /dev/null
+++ b/catalog/pipeline/release/0.10/README.md
@@ -0,0 +1,84 @@
+# Release Pipeline
+
+Tekton pipeline to release Stonesoup Snapshot to Quay.
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|------|-------------|----------|---------------|
+| snapshot | The Snapshot in JSON format | No | - |
+| enterpriseContractPolicy | JSON representation of the policy to be applied when validating the enterprise contract | No | - |
+| extraConfigGitUrl |URL to the remote Git repository containing the extra config | No | - |
+| extraConfigGitRevision | Revision to fetch from the remote Git repository containing the extra config | No | - |
+| extraConfigPath | Path to the extra config file within the repository | No | - |
+| postCleanUp | Cleans up workspace after finishing executing the pipeline | Yes | true |
+
+## Changes since 0.9
+
+The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated,
+bundles resolver is used with new format.
+
+## Changes since 0.8
+
+Update tag of ec-task-bundle task
+
+## Changes since 0.7
+
+Pipeline name was changed:
+* metadata.name = `release`
+
+## Changes since 0.6
+
+Pipeline definition was changed:
+* Task `verify-enterprise-contract` now uses the param `STRICT: 1`
+
+## Changes since 0.5
+
+Pipeline definition was changed:
+* Taskref renamed from `verify-enterprise-contract-v2` to `verify-enterprise-contract`
+* Taskref `verify-enterprise-contract` points to new bundle location.
+
+## Changes since 0.4
+
+ Pipeline definition was changed:
+ * Task `apply-mapping` was replaced with `task-apply-mapping`
+ * Task `cleanup-workspace` was replaced with `task-cleanup-workspace`
+
+## Changes since 0.3 (milestone-8)
+
+ Pipeline definition was changed:
+ * Parameter `applicationSnapshot` was changed to `snapshot`
+ * Task `apply-mapping` was changed
+ * Task parameter `applicationSnapshot` value was changed
+ * old: $(params.applicationSnapshot)
+ * new: $(params.snapshot)
+ * Task `prepare-validation` was changed
+ * Task parameter `applicationSnapshot` value was changed
+ * old: $(params.applicationSnapshot)
+ * new: $(params.snapshot)
+ * Task `push-application-snapshot` was changed
+ * Task parameter `mappedApplicationSnapshot` value was changed
+ * old: $(params.mappedApplicationSnapshot)
+ * new: $(params.mappedSnapshot)
+
+## Changes since 0.2 (milestone-6)
+
+* Pipeline definition was changed:
+ * Parameter `policy` was changed to `enterpriseContractPolicy`
+ * Task `verify-enterprise-contract` was changed
+ * Task parameter `POLICY_CONFIGURATION` value was changed
+ * old: $(params.policy)
+ * new: $(params.enterpriseContractPolicy)
+
+## Changes since 0.1 (milestone-5)
+
+* Enterprise Contract task was changed:
+ * Task `prepare-validation` was removed
+ * Task `verify-enterprise-contract` was replaced
+ * old: quay.io/hacbs-release/verify-enterprise-contract:main
+ * new: quay.io/hacbs-release/verify-enterprise-contract-v2:main
+ * Task Parameter `snapshot` was removed
+ * Task parameter `IMAGES` was added
+ * Task Parameter `STRICT` was added
+ * Task Parameter `IMAGE_REF` was removed
+ * Task Parameter `REKOR_HOST` was removed
diff --git a/catalog/pipeline/release/0.10/release.yaml b/catalog/pipeline/release/0.10/release.yaml
new file mode 100644
index 000000000..6fa104a37
--- /dev/null
+++ b/catalog/pipeline/release/0.10/release.yaml
@@ -0,0 +1,148 @@ +--- +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: release + labels: + app.kubernetes.io/version: "0.10" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Tekton pipeline to release HACBS Snapshot to Quay + params: + - name: snapshot + type: string + description: The Snapshot in JSON format + - name: enterpriseContractPolicy + type: string + description: JSON representation of the EnterpriseContractPolicy + - name: extraConfigGitUrl + type: string + description: URL to the remote Git repository containing the extra config + default: "" + - name: extraConfigGitRevision + type: string + description: Revision to fetch from the remote Git repository containing the extra config + default: "" + - name: extraConfigPath + type: string + description: Path to the extra config file within the repository + default: "" + - name: postCleanUp + type: string + description: Cleans up workspace after finishing executing the pipeline + default: "true" + workspaces: + - name: release-workspace + tasks: + - name: clone-config-file + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/redhat-appstudio/appstudio-tasks:583d33c8ddf0de2ea8e1a73d94a1ca4a6e6ed380-1 + - name: kind + value: task + - name: name + value: git-clone + when: + - input: $(params.extraConfigGitUrl) + operator: notin + values: [""] + params: + - name: url + value: $(params.extraConfigGitUrl) + - name: revision + value: $(params.extraConfigGitRevision) + - name: subdirectory + value: "$(context.pipelineRun.uid)" + workspaces: + - name: output + workspace: release-workspace + - name: apply-mapping + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-apply-mapping:main + - name: kind + value: task + - name: name + value: apply-mapping + params: + - name: snapshot + value: $(params.snapshot) + - name: extraConfigPath + value: 
"$(context.pipelineRun.uid)/$(params.extraConfigPath)" + when: + - input: $(tasks.clone-config-file.results.commit) + operator: notin + values: [""] + workspaces: + - name: config + workspace: release-workspace + - name: verify-enterprise-contract + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-contract/ec-task-bundle:7f2e25e9fc6c64c95238628b0b2bdbd1aeb79454 + - name: kind + value: task + - name: name + value: verify-enterprise-contract + params: + - name: IMAGES + value: $(tasks.apply-mapping.results.snapshot) + - name: SSL_CERT_DIR + value: /var/run/secrets/kubernetes.io/serviceaccount + - name: POLICY_CONFIGURATION + value: $(params.enterpriseContractPolicy) + - name: STRICT + value: "1" + - name: push-snapshot + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-push-snapshot:main + - name: kind + value: task + - name: name + value: push-snapshot + params: + - name: mappedSnapshot + value: $(tasks.apply-mapping.results.snapshot) + runAfter: + - verify-enterprise-contract + finally: + - name: cleanup + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-cleanup-workspace:main + - name: kind + value: task + - name: name + value: cleanup-workspace + when: + - input: $(params.postCleanUp) + operator: in + values: ["true"] + - input: $(params.extraConfigGitUrl) + operator: notin + values: [""] + params: + - name: subdirectory + value: "$(context.pipelineRun.uid)" + workspaces: + - name: input + workspace: release-workspace diff --git a/catalog/pipeline/release/0.10/samples/sample_release_PipelineRun.yaml b/catalog/pipeline/release/0.10/samples/sample_release_PipelineRun.yaml new file mode 100644 index 000000000..2c822f4f5 --- /dev/null +++ b/catalog/pipeline/release/0.10/samples/sample_release_PipelineRun.yaml 
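Review bot: Every `bundle` value in this pipeline is a tag rather than a digest: `task-apply-mapping:main`, `task-push-snapshot:main` and `task-cleanup-workspace:main` follow a branch tag, and the `appstudio-tasks` and `ec-task-bundle` references use commit-style tags that can still be re-pointed. Anyone able to push to those repositories changes what the release pipeline runs, including the `verify-enterprise-contract` gate, without touching this file. Pin each one by digest, e.g. `value: quay.io/hacbs-release/task-push-snapshot@sha256:<digest-of-reviewed-bundle>`, the way the task step images in this commit are pinned. The step image `quay.io/redhat-appstudio/cosign:v1.13.1` in push-sbom-to-pyxis.yaml has the same problem.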
@@ -0,0 +1,29 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: release-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ - name: extraConfigGitUrl
+ value: ""
+ - name: extraConfigGitRevision
+ value: ""
+ - name: extraConfigPath
+ value: ""
+ - name: postCleanUp
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-release:0.10
+ - name: kind
+ value: pipeline
+ - name: name
+ value: release
diff --git a/catalog/pipeline/release/0.10/tests/run.yaml b/catalog/pipeline/release/0.10/tests/run.yaml
new file mode 100644
index 000000000..10ae974f1
--- /dev/null
+++ b/catalog/pipeline/release/0.10/tests/run.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ name: release-run-empty-params
+spec:
+ params:
+ - name: snapshot
+ value: ""
+ - name: enterpriseContractPolicy
+ value: ""
+ - name: extraConfigGitUrl
+ value: ""
+ - name: extraConfigGitRevision
+ value: ""
+ - name: extraConfigPath
+ value: ""
+ - name: postCleanUp
+ value: ""
+ pipelineRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/pipeline-release:0.10
+ - name: kind
+ value: pipeline
+ - name: name
+ value: release
diff --git a/catalog/task/apply-mapping/0.4/README.md b/catalog/task/apply-mapping/0.4/README.md
new file mode 100644
index 000000000..43723a314
--- /dev/null
+++ b/catalog/task/apply-mapping/0.4/README.md
@@ -0,0 +1,53 @@ +# apply-mapping + +Tekton task to apply a mapping to an Snapshot. + +The purpose of this task is to merge a mapping with the components contained in an Snapshot. +The mapping is expected to be present in the passed `extraConfigPath`. If the file is not found or +the file contains no `mapping` key, the original Snapshot is returned. If there is a +`mapping` key, it is merged with the `components` key in the Snapshot based on component name. + +A `mapped` result is also returned from this task containing a simple true/false value that is +meant to inform whether a mapped Snapshot is being returned or the original one. + +## Parameters + +| Name | Description | Optional | Default value | +|------|-------------|----------|---------------| +| snapshot | The Snapshot in JSON format to apply the mapping to | No | - | +| extraConfigPath | The path to the config file containing the mapping | Yes | - | + +## Example usage + +This is an example usage of the `apply-mapping` task: + +``` +--- +tasks: + - name: apply-mapping + taskRef: + name: apply-mapping + params: + - name: snapshot + value: '{"components":[{"name":"component1","containerImage":"quay.io/repo/component1:digest"}}]}' + - name: extraConfigPath + value: "path/to/file" + workspaces: + - name: config + workspace: config_workspace +``` +## Changes since 0.3 + + * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated, + bundles resolver is used with new format. + +## Changes since 0.2 + + * Base image was changed from `release-utils` to `release-base-image` + +## Changes since 0.1 (milestone-8) + + * Task `apply-mapping` was changed + * Task parameter `applicationSnapshot` value was changed + * old: $(params.applicationSnapshot) + * new: $(params.snapshot) diff --git a/catalog/task/apply-mapping/0.4/apply-mapping.yaml b/catalog/task/apply-mapping/0.4/apply-mapping.yaml new file mode 100644 index 000000000..451271287 --- /dev/null 
+++ b/catalog/task/apply-mapping/0.4/apply-mapping.yaml 
@@ -0,0 +1,67 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: apply-mapping + labels: + app.kubernetes.io/version: "0.4" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Tekton task to apply a mapping to a Snapshot + params: + - name: snapshot + type: string + description: The Snapshot in JSON format to apply the mapping to + - name: extraConfigPath + type: string + description: The path to the config file containing the mapping + default: "" + workspaces: + - name: config + description: The workspace where the extra config file containing the mapping resides + results: + - name: snapshot + description: | + The Snapshot in JSON format with the mapping applied. If there is no mapping key in the + extraConfigPath, this result will be the same as the original snapshot parameter. + - name: mapped + description: A true/false value depicting whether or not the snapshot was mapped. + steps: + - name: apply-mapping + image: + quay.io/hacbs-release/release-base-image@sha256:9e7fd1a3ccf0d2c8077f565c78e50862a7cc4792d548b5c01c8b09077e6d23a7 + env: + - name: "SNAPSHOT" + value: '$(params.snapshot)' + script: | + #!/usr/bin/env sh + set -eux + + CONFIG_FILE="$(workspaces.config.path)/$(params.extraConfigPath)" + if [ ! -f "${CONFIG_FILE}" ] ; then + echo "No valid config file was provided." + echo "${SNAPSHOT}" | tee $(results.snapshot.path) + echo "false" | tee $(results.mapped.path) + exit 0 + fi + if [[ $(yq '.mapping' "${CONFIG_FILE}") == "null" ]] ; then + echo "Config file contains no mapping key." + echo "${SNAPSHOT}" | tee $(results.snapshot.path) + echo "false" | tee $(results.mapped.path) + exit 0 + fi + + # Create JSON representation of the config so we can use jq + CONFIG_JSON=$(yq -o=json -I=0 '.' 
"${CONFIG_FILE}") + + # Merge the mapping key in the config file with the components key in the snapshot based on component name + # Save the output as a compact json in snapshot task result + jq -c -s '.[0] as $snapshot | .[0].components + .[1].mapping.components | group_by(.name) + | [.[] | select(length > 1)] | map(reduce .[] as $x ({}; . * $x)) as $mergedComponents + | $snapshot | .components = $mergedComponents' \ + <<< "${SNAPSHOT}${CONFIG_JSON}" | tee $(results.snapshot.path) + + echo "true" | tee $(results.mapped.path) diff --git a/catalog/task/apply-mapping/0.4/samples/sample_apply-mapping_TaskRun.yaml b/catalog/task/apply-mapping/0.4/samples/sample_apply-mapping_TaskRun.yaml new file mode 100644 index 000000000..24d4a82b3 --- /dev/null +++ b/catalog/task/apply-mapping/0.4/samples/sample_apply-mapping_TaskRun.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: apply-mapping-run-empty-params +spec: + params: + - name: subdirectory + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-apply-mapping:0.4 + - name: kind + value: task + - name: name + value: apply-mapping diff --git a/catalog/task/apply-mapping/0.4/tests/run.yaml b/catalog/task/apply-mapping/0.4/tests/run.yaml new file mode 100644 index 000000000..24d4a82b3 --- /dev/null +++ b/catalog/task/apply-mapping/0.4/tests/run.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: apply-mapping-run-empty-params +spec: + params: + - name: subdirectory + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-apply-mapping:0.4 + - name: kind + value: task + - name: name + value: apply-mapping diff --git a/catalog/task/cleanup-workspace/0.3/README.md b/catalog/task/cleanup-workspace/0.3/README.md new file mode 100644 index 000000000..3bf550e6a --- /dev/null +++ b/catalog/task/cleanup-workspace/0.3/README.md 
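Review bot: `$(params.extraConfigPath)` is substituted into the script text by Tekton before the shell starts, so a value containing a quote or a command substitution is parsed as shell rather than treated as a path; the `CONFIG_FILE=` line should read it from the environment the way `SNAPSHOT` already is. Add `- name: CONFIG_PATH` with `value: $(params.extraConfigPath)` under `env` and use `CONFIG_FILE="$(workspaces.config.path)/${CONFIG_PATH}"`. The same pattern appears in cleanup-workspace.yaml (`$(params.subdirectory)`), create-pyxis-image.yaml (`'$(params.mappedSnapshot)'`, `$(params.tag)`), prepare-validation.yaml (`'$(params.snapshot)'`) and push-snapshot.yaml (`'$(params.mappedSnapshot)'`, `$(params.retries)`). Separately, the script uses `[[ … ]]` and `<<<` under a `#!/usr/bin/env sh` shebang, which works only if `sh` in the image is bash.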
@@ -0,0 +1,35 @@ +# cleanup-workspace + +Tekton task to delete a given directory in a passed workspace. + +## Parameters + +| Name | Description | Optional | Default value | +|------|-------------|----------|---------------| +| subdirectory | The directory to remove within the workspace | No | - | + +## Example usage + +This is an example usage of the `cleanup-workpace` task: + +``` +--- +tasks: + - name: cleanup-workspace + taskRef: + name: cleanup-workspace + params: + - name: subdirectory + value: "some/directory" + workspaces: + - name: input + workspace: input_workspace +``` +## Changes since 0.2 + + * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated, + bundles resolver is used with new format. + +## Changes since 0.1 + + * Base image was changed from `release-utils` to `release-base-image` diff --git a/catalog/task/cleanup-workspace/0.3/cleanup-workspace.yaml b/catalog/task/cleanup-workspace/0.3/cleanup-workspace.yaml new file mode 100644 index 000000000..dba25e2d5 --- /dev/null +++ b/catalog/task/cleanup-workspace/0.3/cleanup-workspace.yaml 
@@ -0,0 +1,39 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: cleanup-workspace + labels: + app.kubernetes.io/version: "0.3" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Tekton task to delete a given directory in a passed workspace + params: + - name: subdirectory + type: string + description: The directory to remove within the workspace + workspaces: + - name: input + description: Workspace where the directory to cleanup exists + steps: + - name: cleanup + image: + quay.io/hacbs-release/release-base-image@sha256:9e7fd1a3ccf0d2c8077f565c78e50862a7cc4792d548b5c01c8b09077e6d23a7 + script: | + #!/usr/bin/env sh + set -eux + + if [ -z "$(params.subdirectory)" ] ; then + echo "The empty string is not a valid subdirectory" + exit 0 + fi + + CLEANUP_DIR="$(workspaces.input.path)/$(params.subdirectory)" + + if [ -d "${CLEANUP_DIR}" ] ; then + # Delete a directory and its contents + rm -rf "${CLEANUP_DIR}"/ + fi diff --git a/catalog/task/cleanup-workspace/0.3/samples/sample_cleanup-workspace_TaskRun.yaml b/catalog/task/cleanup-workspace/0.3/samples/sample_cleanup-workspace_TaskRun.yaml new file mode 100644 index 000000000..16cc51112 --- /dev/null +++ b/catalog/task/cleanup-workspace/0.3/samples/sample_cleanup-workspace_TaskRun.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: cleanup-workspace-run-empty-params +spec: + params: + - name: subdirectory + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-cleanup-workspace:0.3 + - name: kind + value: task + - name: name + value: cleanup-workspace diff --git a/catalog/task/cleanup-workspace/0.3/tests/run.yaml b/catalog/task/cleanup-workspace/0.3/tests/run.yaml new file mode 100644 index 000000000..16cc51112 --- /dev/null +++ b/catalog/task/cleanup-workspace/0.3/tests/run.yaml 
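Review bot: The only validation on `subdirectory` before `rm -rf "${CLEANUP_DIR}"/` is the empty-string test, so a value with `..` components that resolves outside the run's own directory is removed just the same. Reject such values before building the path, for example `case "${SUBDIRECTORY}" in *..*) echo "invalid subdirectory" >&2; exit 1 ;; esac`, with the parameter passed in through `env` as `SUBDIRECTORY` instead of being substituted into the script text. The empty-string branch prints an error and then exits 0; if that is deliberate (the sample run passes `""`), a comment saying so would help, otherwise `exit 1` would match the message.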
@@ -0,0 +1,19 @@
+---
+apiVersion: tekton.dev/v1
+kind: TaskRun
+metadata:
+ name: cleanup-workspace-run-empty-params
+spec:
+ params:
+ - name: subdirectory
+ value: ""
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-cleanup-workspace:0.3
+ - name: kind
+ value: task
+ - name: name
+ value: cleanup-workspace
diff --git a/catalog/task/create-internal-request/0.5/README.md b/catalog/task/create-internal-request/0.5/README.md
new file mode 100644
index 000000000..27ba6cd62
--- /dev/null
+++ b/catalog/task/create-internal-request/0.5/README.md
@@ -0,0 +1,36 @@ +# create-internal-request + +Creates an InternalRequest resource to call IIB service + +## Parameters + +| Name | Description | Optional | Default value | +|------|-------------|----------|---------------| +| pipelineRunName | The name of the Parent PipelineRun for this task | No | `ir-$(context.pipelineRun.name)` | +| binaryImage | OCP `binaryImage` to be baked into the `fromIndex` image | Yes | | +| fbcFragment | `fbcFragment` built by HACBS | No | | +| fromIndex | `fromIndex` image (catalog of catalogs) the fbcFragment will be added to | Yes | | +| overwriteFromIndex | Boolean indicating if the `fromIndex` should be overwritten | Yes | | +| buildTags | List of additional `buildTags` the internal `fromIndex` image copy should be tagged with | Yes | | +| buildArches | List of `buildArches` the `fromIndex` should be built for | Yes | | +| requestUpdateTimeout | Max seconds to wait until the status is updated | Yes | 360 | +| buildTimeoutSeconds | Max seconds to wait until the build finishes | Yes | 300 | + +## Changelog + +### Changes since 0.4 + + * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated, + bundles resolver is used with new format. + +### changes since 0.3 +- removes the additional logging +- removes `resolvedIndexImage` and `resolvedFromIndexImage` results + as now the FBC-Release Pipeline uses `requestResults` to read required values. + +### changes since 0.2 +- adds additional logging messages + +### changes since 0.1 +- adds `resolvedIndexImage` result +- adds params `requestUpdateTimeout` and `buildTimeoutSeconds` diff --git a/catalog/task/create-internal-request/0.5/create-internal-request.yaml b/catalog/task/create-internal-request/0.5/create-internal-request.yaml new file mode 100644 index 000000000..b56750bb4 --- /dev/null +++ b/catalog/task/create-internal-request/0.5/create-internal-request.yaml 
@@ -0,0 +1,120 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: create-internal-request + labels: + app.kubernetes.io/version: "0.5" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Creates an InternalRequest resource to call IIB service + params: + - name: pipelineRunName + type: string + description: The name of the Parent PipelineRun of this task + - name: binaryImage + type: string + description: FBC Image to be added to index image + - name: fbcFragment + type: string + description: FBC fragment built by HACBS + - name: fromIndex + type: string + description: Index image (catalog of catalogs) the FBC fragment will be added to + - name: overwriteFromIndex + type: string + description: Boolean indicating if the fromIndex should be overwritten + - name: buildTags + type: string + description: List of additional tags the internal index image copy should be tagged with + - name: addArches + type: string + description: List of arches the index image should be built for + - name: requestUpdateTimeout + type: string + default: "360" + description: Max seconds waiting for the status update + - name: buildTimeoutSeconds + type: string + default: "300" + description: Max seconds waiting for the status update + results: + - name: requestMessage + description: Internal Request message + - name: requestReason + description: Internal Request reason + - name: requestResults + description: Internal Request results + steps: + - name: create-internal-request + image: + quay.io/hacbs-release/release-base-image@sha256:9e7fd1a3ccf0d2c8077f565c78e50862a7cc4792d548b5c01c8b09077e6d23a7 + script: | + #!/usr/bin/env sh + PATH=/bin:/usr/bin:/usr/local/bin + export PATH + + resourceRequest="/tmp/$$" + fbcComponentJson="/tmp/fbc-component-$$.json" + + cat > ${fbcComponentJson} < ${resourceRequest} < ${TASKRUN} <- + Tekton task that pushes metadata to Pyxis for all container images contained in a snapshot 
+ params: + - name: server + type: string + description: The server type to use. Options are 'production' and 'stage' + default: production + - name: pyxisSecret + type: string + description: The kubernetes secret to use to authenticate to Pyxis + - name: certified + type: string + description: If set to true, the images will be marked as certified in their Pyxis entries + default: "false" + - name: tag + type: string + description: Default tag to use if mapping entry does not contain a tag + - name: isLatest + type: string + description: If set to true, the images will have a latest tag added with their Pyxis entries + default: "false" + - name: mappedSnapshot + type: string + description: The mapped snapshot in JSON format + results: + - name: containerImageIDs + description: IDs of the created entries in Pyxis, each on its own line + steps: + - name: create-pyxis-image + image: + quay.io/hacbs-release/release-utils@sha256:5298e31e7e7a97cab005750096abe8dbfca3f422cf049fd87de76a117072a9b5 + env: + - name: pyxisCert + valueFrom: + secretKeyRef: + name: $(params.pyxisSecret) + key: cert + - name: pyxisKey + valueFrom: + secretKeyRef: + name: $(params.pyxisSecret) + key: key + script: | + #!/usr/bin/env sh + set -o pipefail + + if [[ "$(params.server)" == "production" ]] + then + PYXIS_URL="https://pyxis.api.redhat.com/" + elif [[ "$(params.server)" == "stage" ]] + then + PYXIS_URL="https://pyxis.preprod.api.redhat.com/" + else + echo "Invalid server parameter. Only 'production' and 'stage' are allowed." 
+ exit 1 + fi + + echo "${pyxisCert}" > /tmp/crt + echo "${pyxisKey}" > /tmp/key + + for containerImage in $(jq -r '.components[].repository' <<< '$(params.mappedSnapshot)') ; do + + skopeo inspect --no-tags "docker://${containerImage}" > /tmp/skopeo-inspect.json + + PYXIS_CERT_PATH=/tmp/crt PYXIS_KEY_PATH=/tmp/key create_container_image \ + --pyxis-url $PYXIS_URL \ + --certified $(params.certified) \ + --tag $(params.tag) \ + --is-latest $(params.isLatest) \ + --verbose \ + --skopeo-result /tmp/skopeo-inspect.json | tee /tmp/output + + grep 'The image id is' /tmp/output | awk '{print $NF}' >> $(results.containerImageIDs.path) + done diff --git a/catalog/task/create-pyxis-image/0.4/samples/sample_create-pyxis-image_TaskRun.yaml b/catalog/task/create-pyxis-image/0.4/samples/sample_create-pyxis-image_TaskRun.yaml new file mode 100644 index 000000000..c99622889 --- /dev/null +++ b/catalog/task/create-pyxis-image/0.4/samples/sample_create-pyxis-image_TaskRun.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: create-pyxis-image-run-empty-params +spec: + params: + - name: pyxisSecret + value: "" + - name: tag + value: "" + - name: mappedSnapshot + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-create-pyxis-image:0.4 + - name: kind + value: task + - name: name + value: create-pyxis-image diff --git a/catalog/task/create-pyxis-image/0.4/tests/run.yaml b/catalog/task/create-pyxis-image/0.4/tests/run.yaml new file mode 100644 index 000000000..c99622889 --- /dev/null +++ b/catalog/task/create-pyxis-image/0.4/tests/run.yaml 
@@ -0,0 +1,23 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: create-pyxis-image-run-empty-params +spec: + params: + - name: pyxisSecret + value: "" + - name: tag + value: "" + - name: mappedSnapshot + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-create-pyxis-image:0.4 + - name: kind + value: task + - name: name + value: create-pyxis-image diff --git a/catalog/task/prepare-validation/0.4/README.md b/catalog/task/prepare-validation/0.4/README.md new file mode 100644 index 000000000..f6da91e4c --- /dev/null +++ b/catalog/task/prepare-validation/0.4/README.md @@ -0,0 +1,41 @@ +# prepare-validation + +Tekton task to extract a pull spec from a Snapshot. + +The purpose of this task is to extract just a single component's pullSpec from a passed Snapshot. + +## Parameters + +| Name | Description | Optional | Default value | +|------|-------------|----------|---------------| +| snapshot | The Snapshot in JSON format to apply the mapping to | No | - | + +## Example usage + +This is an example usage of the `prepare-validation` task: + +``` +--- +tasks: + - name: prepare-validation + taskRef: + name: prepare-validation + params: + - name: snapshot + value: '{"components":[{"name":"component1","containerImage":"quay.io/repo/component1:digest"}}]}' +``` +## Changes since 0.3 + + * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated, + bundles resolver is used with new format. + +## Changes since 0.2 + + * Base image was changed from `release-utils` to `release-base-image` + +## Changes since 0.1 (milestone-8) + + * Task `prepare-validation` was changed + * Task parameter `applicationSnapshot` value was changed + * old: $(params.applicationSnapshot) + * new: $(params.snapshot) diff --git a/catalog/task/prepare-validation/0.4/prepare-validation.yaml b/catalog/task/prepare-validation/0.4/prepare-validation.yaml new file mode 100644 index 000000000..785e292b3 
--- /dev/null +++ b/catalog/task/prepare-validation/0.4/prepare-validation.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: prepare-validation + labels: + app.kubernetes.io/version: "0.4" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Tekton task to extract a pull spec from a Snapshot + params: + - name: snapshot + type: string + description: The Snapshot in JSON format to apply the mapping to + results: + - name: snapshot + description: | + The pullSpec of the first component in the passed Snapshot. + steps: + - name: prepare-validation + image: + quay.io/hacbs-release/release-base-image@sha256:9e7fd1a3ccf0d2c8077f565c78e50862a7cc4792d548b5c01c8b09077e6d23a7 + script: | + #!/usr/bin/env sh + set -eux + + jq -jr '.components[0].containerImage' <<< '$(params.snapshot)' \ + | tee $(results.snapshot.path) diff --git a/catalog/task/prepare-validation/0.4/samples/sample_prepare-validation_TaskRun.yaml b/catalog/task/prepare-validation/0.4/samples/sample_prepare-validation_TaskRun.yaml new file mode 100644 index 000000000..fa5ca4441 --- /dev/null +++ b/catalog/task/prepare-validation/0.4/samples/sample_prepare-validation_TaskRun.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: prepare-validation-run-empty-params +spec: + params: + - name: snapshot + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-prepare-validation:0.4 + - name: kind + value: task + - name: name + value: prepare-validation diff --git a/catalog/task/prepare-validation/0.4/tests/run.yaml b/catalog/task/prepare-validation/0.4/tests/run.yaml new file mode 100644 index 000000000..fa5ca4441 --- /dev/null +++ b/catalog/task/prepare-validation/0.4/tests/run.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: prepare-validation-run-empty-params +spec: + params: + - name: snapshot + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-prepare-validation:0.4 + - name: kind + value: task + - name: name + value: prepare-validation diff --git a/catalog/task/push-sbom-to-pyxis/0.2/README.md b/catalog/task/push-sbom-to-pyxis/0.2/README.md new file mode 100644 index 000000000..5b2950ff7 --- /dev/null +++ b/catalog/task/push-sbom-to-pyxis/0.2/README.md @@ -0,0 +1,28 @@ +# push-sbom-to-pyxis + +Tekton task that extracts sbom from a pull spec and pushes it to Pyxis. + +## Parameters + +| Name | Description | Optional | Default value | +|------|-------------|----------|---------------| +| imageURL | Image URL | No | - | + +## Example usage + +This is an example usage of the `push-sbom-to-pyxis` task: + +``` +--- +tasks: + - name: push-sbom-to-pyxis + taskRef: + name: push-sbom-to-pyxis + params: + - name: imageURL + value: 'quay.io/my-org/my-repo:latest' +``` +## Changes since 0.1 + + * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated, + bundles resolver is used with new format. diff --git a/catalog/task/push-sbom-to-pyxis/0.2/push-sbom-to-pyxis.yaml b/catalog/task/push-sbom-to-pyxis/0.2/push-sbom-to-pyxis.yaml new file mode 100644 index 000000000..d42604925 --- /dev/null +++ b/catalog/task/push-sbom-to-pyxis/0.2/push-sbom-to-pyxis.yaml 
@@ -0,0 +1,35 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: push-sbom-to-pyxis + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Tekton task that extracts sbom from a pull spec and pushes it to Pyxis. + params: + - name: imageURL + description: URL of the main binary image. + type: string + volumes: + - name: workdir + emptyDir: {} + steps: + - name: download-sbom-for-image + # Image taken from https://github.com/sigstore/cosign + # and copied to Quay + image: + quay.io/redhat-appstudio/cosign:v1.13.1 + args: + - download + - sbom + - --output-file + - /workdir/sbom-cyclonedx.json + - "$(params.imageURL)" + volumeMounts: + - mountPath: /workdir + name: workdir diff --git a/catalog/task/push-sbom-to-pyxis/0.2/sample/sample_push-sbom-to-pyxis_TaskRun.yaml b/catalog/task/push-sbom-to-pyxis/0.2/sample/sample_push-sbom-to-pyxis_TaskRun.yaml new file mode 100644 index 000000000..e433fea2e --- /dev/null +++ b/catalog/task/push-sbom-to-pyxis/0.2/sample/sample_push-sbom-to-pyxis_TaskRun.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: push-sbom-to-pyxis-run-empty-params +spec: + params: + - name: imageURL + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-push-sbom-to-pyxis:0.2 + - name: kind + value: task + - name: name + value: push-sbom-to-pyxis diff --git a/catalog/task/push-sbom-to-pyxis/0.2/tests/run.yaml b/catalog/task/push-sbom-to-pyxis/0.2/tests/run.yaml new file mode 100644 index 000000000..e433fea2e --- /dev/null +++ b/catalog/task/push-sbom-to-pyxis/0.2/tests/run.yaml 
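Review bot: `cosign download sbom` fetches whatever SBOM is attached to `imageURL` without checking a signature, so the file written to `/workdir/sbom-cyclonedx.json` is unauthenticated input to whatever later sends it to Pyxis. As far as this hunk shows, `download-sbom-for-image` is the task's only step, so nothing here establishes that the image or its SBOM was verified. Either add a verification step ahead of the download or state the assumption next to the step, e.g. `# NOTE: imageURL must already have passed signature/policy verification upstream`. Resolving `imageURL` to a digest before the download would also keep the SBOM tied to one specific image.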
@@ -0,0 +1,19 @@
+---
+apiVersion: tekton.dev/v1
+kind: TaskRun
+metadata:
+ name: push-sbom-to-pyxis-run-empty-params
+spec:
+ params:
+ - name: imageURL
+ value: ""
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-push-sbom-to-pyxis:0.2
+ - name: kind
+ value: task
+ - name: name
+ value: push-sbom-to-pyxis
diff --git a/catalog/task/push-snapshot/0.6/README.md b/catalog/task/push-snapshot/0.6/README.md
new file mode 100644
index 000000000..08b14f99f
--- /dev/null
+++ b/catalog/task/push-snapshot/0.6/README.md
@@ -0,0 +1,42 @@ +# push-snapshot + +Tekton task to push snapshot images to an image registry using `skopeo copy`. + +## Parameters + +| Name | Description | Optional | Default value | +|-----------------|-------------------------------------------------------------------------------------------------|----------|---------------| +| mappedSnapshot | JSON string representing the Snapshot | No | - | +| tag | Default tag to use if mapping entry does not contain a tag | Yes | latest | +| retries | Retry copy N times | Yes | 0 | +| addShaTag | Also push a tag with the sha for each image in the Snapshot | Yes | true | +| addTimestampTag | Also push a tag with the current timestamp for each image in the Snapshot | Yes | false | + +## Changes since 0.5 + + * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated, + bundles resolver is used with new format. + +## Changes since 0.4 + +* Parameter `addShaTag` was added. This parameter specifies whether or not to additionally push a tag with the + sha for each image in the snapshot +* Parameter `addTimestampTag` was added. This parameter specifies whether or not to additionally push a tag with the + current timestamp for each image in the snapshot + +## Changes since 0.3 + +* Default tag to use will default to `tag` parameter + +## Changes since 0.2 + +* Base image was changed from `release-utils` to `release-base-image` + +## Changes since 0.1 (milestone-8) + +* Task `samples/sample_push-application-snapshot_TaskRun.yaml` was renamed to `samples/sample_push-snapshot_TaskRun.yaml` +* Task `push-application-snapshot` was renamed to `push-snapshot` +* Task `push-snapshot` was changed + * Task parameter `mappedApplicationSnapshot` value was changed + * old: $(params.mappedApplicationSnapshot) + * new: $(params.mappedSnapshot) diff --git a/catalog/task/push-snapshot/0.6/push-snapshot.yaml b/catalog/task/push-snapshot/0.6/push-snapshot.yaml new file mode 100644 index 000000000..13cbe9e6b --- /dev/null 
+++ b/catalog/task/push-snapshot/0.6/push-snapshot.yaml 
@@ -0,0 +1,97 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: push-snapshot + labels: + app.kubernetes.io/version: "0.6" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Tekton task to push snapshot images to an image registry using `skopeo copy` + params: + - name: mappedSnapshot + description: JSON string representing the Snapshot + type: string + - name: tag + description: Default tag to use if mapping entry does not contain a tag + type: string + default: "latest" + - name: retries + description: Retry copy N times. + type: string + default: "0" + - name: addShaTag + description: Also push a tag with the sha for each image in the Snapshot + type: string + default: "true" + - name: addTimestampTag + description: Also push a tag with the current timestamp for each image in the Snapshot + type: string + default: "false" + steps: + - name: push-snapshot + image: + quay.io/hacbs-release/release-base-image@sha256:9e7fd1a3ccf0d2c8077f565c78e50862a7cc4792d548b5c01c8b09077e6d23a7 + script: | + #!/usr/bin/env bash + set -eux + + push_image () { # Expected arguments are [name, containerImage, repository, tag] from data array + printf '* Pushing component: %s to %s:%s\n' "$1" "$3" "$4" + skopeo copy \ + --all \ + --preserve-digests \ + --dest-precompute-digests \ + --retry-times="$(params.retries)" \ + "docker://$2" \ + "docker://$3:$4" + } + + application=$(jq -r '.application' <<<'$(params.mappedSnapshot)') + printf 'Beginning "%s" for "%s"\n\n' "$(context.task.name)" "$application" + while read line; + do + # Create array with component values + typeset -A data + while IFS== read -r key value; do + data["$key"]="$value" + done < <(jq -r '. 
| to_entries | .[] | .key + "=" + .value' <<<"$line") + # take tag if present in mapping file, otherwise take ReleaseStrategy default + data[tag]="${data[tag]:=$(params.tag)}" + typeset -p data + + source_digest=$(skopeo inspect \ + --format '{{.Digest}}' \ + "docker://${data[containerImage]}" 2>/dev/null) + # note: Inspection might fail on empty repos, hence `|| true` + destination_digest=$( + skopeo inspect \ + --format '{{.Digest}}' \ + "docker://${data[repository]}:${data[tag]}" 2>/dev/null || true) + if [[ "$destination_digest" != "$source_digest" || -z "$destination_digest" ]] + then + push_image "${data[name]}" "${data[containerImage]}" "${data[repository]}" "${data[tag]}" + if [ $(params.addTimestampTag) = true ] ; then + timestamp=$(date +"%Y-%m-%dT%H:%M:%SZ" | sed 's/:/-/g') + push_image "${data[name]}" "${data[containerImage]}" "${data[repository]}" "$timestamp" + fi + if [ $(params.addShaTag) = true ] ; then + if [[ "${data[containerImage]}" == *"@sha256"* && \ + $(echo "${data[containerImage]}" | tr -cd ':' | wc -c) -eq 1 ]] + then + sha=$(echo "${data[containerImage]}" | cut -d ':' -f 2) + push_image "${data[name]}" "${data[containerImage]}" "${data[repository]}" "$sha" + else + printf 'Asked to create sha based tag, but no sha found in %s\n' "${data[containerImage]}" + exit 1 + fi + fi + else + printf '* Component push skipped (source digest exists at destination): %s (%s)\n' \ + "${data[name]}" "$source_digest" + fi + done < <(jq -rc '.components[]' <<<'$(params.mappedSnapshot)') + printf 'Completed "%s" for "%s"\n\n' "$(context.task.name)" "$application" diff --git a/catalog/task/push-snapshot/0.6/samples/sample_push-snapshot_TaskRun.yaml b/catalog/task/push-snapshot/0.6/samples/sample_push-snapshot_TaskRun.yaml new file mode 100644 index 000000000..982ab93c9 --- /dev/null +++ b/catalog/task/push-snapshot/0.6/samples/sample_push-snapshot_TaskRun.yaml 
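Review bot: `$(params.mappedSnapshot)` is substituted by Tekton into the script text before bash runs, so in `<<<'$(params.mappedSnapshot)'` (on the `application=` line and again on the closing `done < <(jq -rc '.components[]' …)` line) a single quote inside the snapshot JSON ends the quoting and the rest is interpreted as shell. The same textual substitution applies to `$(params.tag)`, `$(params.retries)` and the two unquoted `[ $(params.add…Tag) = true ]` tests. Passing the values through the step's `env:` and reading them as quoted shell variables keeps them as data, as sketched below. Separately, `typeset -A data` inside the loop does not clear an existing array in bash, so a component without a `tag` key appears to inherit the previous component's tag rather than the default; an `unset data` before the declaration would avoid that.

```yaml
    - name: push-snapshot
      # … unchanged: image pinned by digest …
      env:
        - name: MAPPED_SNAPSHOT
          value: $(params.mappedSnapshot)
        - name: DEFAULT_TAG
          value: $(params.tag)
        - name: RETRIES
          value: $(params.retries)
      script: |
        # … unchanged: shebang, set -eux; push_image uses --retry-times="$RETRIES" …
        application=$(jq -r '.application' <<<"$MAPPED_SNAPSHOT")
        # … unchanged: per-component loop, except for the two lines below …
          unset data
          data[tag]="${data[tag]:=$DEFAULT_TAG}"
        # … unchanged: digest comparison and pushes …
        done < <(jq -rc '.components[]' <<<"$MAPPED_SNAPSHOT")
```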
@@ -0,0 +1,21 @@
+---
+apiVersion: tekton.dev/v1
+kind: TaskRun
+metadata:
+ name: push-snapshot-run-empty-params
+spec:
+ params:
+ - name: mappedSnapshot
+ value: ""
+ - name: tag
+ value: "test"
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-push-snapshot:0.6
+ - name: kind
+ value: task
+ - name: name
+ value: push-snapshot
diff --git a/catalog/task/push-snapshot/0.6/tests/run.yaml b/catalog/task/push-snapshot/0.6/tests/run.yaml
new file mode 100644
index 000000000..982ab93c9
--- /dev/null
+++ b/catalog/task/push-snapshot/0.6/tests/run.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: tekton.dev/v1
+kind: TaskRun
+metadata:
+ name: push-snapshot-run-empty-params
+spec:
+ params:
+ - name: mappedSnapshot
+ value: ""
+ - name: tag
+ value: "test"
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-push-snapshot:0.6
+ - name: kind
+ value: task
+ - name: name
+ value: push-snapshot
diff --git a/catalog/task/sign-index-image/0.2/README.md b/catalog/task/sign-index-image/0.2/README.md
new file mode 100644
index 000000000..3a5739d9c
--- /dev/null
+++ b/catalog/task/sign-index-image/0.2/README.md
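Review bot: The `bundle` value in the sample TaskRun, `quay.io/hacbs-release/task-push-snapshot:0.6`, is a mutable tag, so the bundles resolver runs whatever task definition that tag points to at resolution time, while the step image inside the task is already pinned with `@sha256:`. Referencing the bundle by digest as well, e.g. `value: quay.io/hacbs-release/task-push-snapshot@sha256:<bundle-digest>` (placeholder, the digest is not on this page), would make the sample reproducible and keep a re-pushed tag from changing what executes. The same applies to `tests/run.yaml` for this task and to the sign-index-image and skopeo-copy TaskRuns further down in the patch.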
@@ -0,0 +1,20 @@
+# sign-index-image
+
+Creates an InternalRequest to sign an index image
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|------|-------------|----------|---------------|
+| requestJsonResults | The JSON result of the IIB build internal request | Yes | "{}" |
+| targetIndex | targetIndex signing image | Yes | - |
+| requestUpdateTimeout | Max seconds waiting for the status update| Yes | 360 |
+| signingPipelineImage | An image with CLI tools needed for the signing | Yes | quay.io/redhat-isv/operator-pipelines-images:released |
+| requester | Name of the user that requested the signing, for auditing purposes | No | - |
+| configMapName | ConfigMap Name for this request | No | hacbs-signing-pipeline-config |
+| pipelineRunName | The name of the Parent PipelineRun for this task | Yes | `ir-$(context.pipelineRun.name)` |
+
+## Changes since 0.1
+
+ * The syntax for `taskRef.bundle` and `pipelineRef.bundle` is deprecated,
+ bundles resolver is used with new format.
\ No newline at end of file
diff --git a/catalog/task/sign-index-image/0.2/samples/sign-index-image_TaskRun.yaml b/catalog/task/sign-index-image/0.2/samples/sign-index-image_TaskRun.yaml
new file mode 100644
index 000000000..a651b2965
--- /dev/null
+++ b/catalog/task/sign-index-image/0.2/samples/sign-index-image_TaskRun.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: tekton.dev/v1
+kind: TaskRun
+metadata:
+ name: sign-index-image-run-empty-params
+spec:
+ params:
+ - name: requestJsonResults
+ value: ""
+ - name: requestUpdateTimeout
+ value: ""
+ - name: signingPipelineImage
+ value: ""
+ - name: requester
+ value: ""
+ - name: configMapName
+ value: ""
+ - name: pipelineRunName
+ value: ""
+ taskRef:
+ resolverRef:
+ resolver: "bundles"
+ params:
+ - name: bundle
+ value: quay.io/hacbs-release/task-sign-index-image:0.2
+ - name: kind
+ value: task
+ - name: name
+ value: sign-index-image
diff --git a/catalog/task/sign-index-image/0.2/sign-index-image.yaml b/catalog/task/sign-index-image/0.2/sign-index-image.yaml
new file mode 100644
index 000000000..3c871f870
--- /dev/null
+++ b/catalog/task/sign-index-image/0.2/sign-index-image.yaml
@@ -0,0 +1,117 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: sign-index-image + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: release +spec: + description: >- + Task to create an internalrequest to sign a FBC Index Image. + params: + - name: requestJsonResults + type: string + default: "{}" + description: The JSON results of the Internal Request + - name: targetIndex + type: string + description: targetIndex signing image + - name: requestUpdateTimeout + type: string + default: "360" + description: Max seconds waiting for the status update + - name: signingPipelineImage + type: string + default: "quay.io/redhat-isv/operator-pipelines-images:released" + description: An image with CLI tools needed for the signing + - name: requester + type: string + value: "" + description: Name of the user that requested the signing, for auditing purposes + - name: configMapName + type: string + description: ConfigMap Name for this request + - name: pipelineRunName + type: string + description: The name of the Parent PipelineRun of this task + results: + - name: requestMessage + description: Internal Request message + - name: requestReason + description: Internal Request reason + - name: requestResults + description: Internal Request results + steps: + - name: sign-index-image + image: + quay.io/hacbs-release/release-base-image@sha256:9e7fd1a3ccf0d2c8077f565c78e50862a7cc4792d548b5c01c8b09077e6d23a7 + script: | + #!/usr/bin/env sh + PATH=/bin:/usr/bin:/usr/local/bin + export PATH + + jsonInputFile="/tmp/$$.json" + cat > ${jsonInputFile} < ${internalRequest} < ${TASKRUN} <- + Tekton task that pushes container images to a registry using `skopeo copy` + params: + - name: srcImageURL + description: Source URL + type: string + - name: destImageURL + description: Destination URL + type: string + - name: srcToken + description: Robot bearer token for source + type: string + - name: destToken 
+ description: Robot bearer token for destination + type: string + - name: retries + description: Retry skopeo copy N times. + type: string + default: "0" + steps: + - name: skopeo-copy + image: quay.io/skopeo/stable:v1.7.0 + script: | + if [[ -z "$(params.srcImageURL)" && -z "$(params.destImageURL)" ]] + then + exit 1 # Missing URL parameters + elif [[ -z "$(params.srcToken)" && -z "$(params.destToken)" ]] + then + exit 2 # Missing TOKEN parameters + fi + srcDigest=$(skopeo inspect --format '{{.Digest}}' "$(params.srcImageURL)" 2>/dev/null) + destDigest=$(skopeo inspect --format '{{.Digest}}' "$(params.destImageURL)" 2>/dev/null) + if [[ "$destDigest" != "$srcDigest" || -z "$destDigest" ]] + then + skopeo copy \ + --all \ + --preserve-digests \ + --retry-times "$(params.retries)" \ + --src-registry-token "$(params.srcToken)" \ + --dest-registry-token "$(params.destToken)" \ + "$(params.srcImageURL)" \ + "$(params.destImageURL)" ; + fi diff --git a/catalog/task/skopeo-copy/0.2/tests/run.yaml b/catalog/task/skopeo-copy/0.2/tests/run.yaml new file mode 100644 index 000000000..86c499470 --- /dev/null +++ b/catalog/task/skopeo-copy/0.2/tests/run.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: skopeo-copy-run-empty-params +spec: + params: + - name: srcImageURL + value: "" + - name: destImageURL + value: "" + - name: srcToken + value: "" + - name: destToken + value: "" + - name: retries + value: "" + taskRef: + resolverRef: + resolver: "bundles" + params: + - name: bundle + value: quay.io/hacbs-release/task-skopeo-copy:0.2 + - name: kind + value: task + - name: name + value: skopeo-copy
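Review bot: In the skopeo-copy task, `srcToken` and `destToken` are plain string params substituted into the script, so the registry bearer tokens end up in clear text in the TaskRun spec and on the `skopeo copy` command line; sourcing them from a Secret (a step `env` entry with `valueFrom.secretKeyRef`, or a mounted auth file passed with `--src-authfile` / `--dest-authfile`) would keep them out of the resource. The two guards use `&&`, so the step exits only when both URLs (or both tokens) are empty, and `||` looks like the intent: `if [[ -z "$(params.srcImageURL)" || -z "$(params.destImageURL)" ]]`. The step image `quay.io/skopeo/stable:v1.7.0` is also referenced by tag while the other tasks in this patch pin their image by digest. The start of this file's hunk is not intact on the page, so this is based on the visible params and script only.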