diff --git a/.tekton/cli-build.yaml b/.tekton/cli-build.yaml index 6c650316f..d4f8c5e6e 100644 --- a/.tekton/cli-build.yaml +++ b/.tekton/cli-build.yaml @@ -28,6 +28,15 @@ spec: - description: Fully Qualified Output Image name: output-image type: string + - description: >- + OCI repository of the CLI image to use as a reference in the Tekton bundle. When setting + this value, take into account where the CLI image will be available for usage. For certain + workflows, e.g. pull request, this should be the repo in which the CLI image is built into + because those CLI images are not promoted to another location. For merge workflows that go + through a release, for example, this should be the repository for which the CLI image will + be released to. + name: bundle-cli-ref-repo + type: string - default: . description: Path to the source code of an application's component from where to build image. name: path-context @@ -55,6 +64,7 @@ spec: - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after + type: string - default: "false" description: Build a source image. name: build-source-image @@ -154,7 +164,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:e6b92dfd7442b261ef539d780c635163b2b2d099b8ce9455e0baf51a0fedabec - name: kind value: task resolver: bundles 
@@ -195,7 +205,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:c2e4e492c5f069c02ef2555514ceff65c75d4325657fd33727de68df7cca5f69 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:877e04e662dab4f2022a68de0e57dbb2d1af08a54433bb32d64305ef63b7dbee - name: kind value: task resolver: bundles @@ -224,7 +234,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:9b31f147f06d1e7fcff39844a7e991ac07f89d91b97eea63e00f32f5f457ed2e - name: kind value: task resolver: bundles @@ -261,6 +271,32 @@ spec: operator: in values: - "true" + - name: build-tekton-bundle + params: + - name: IMAGE + value: $(params.output-image).bundle + - name: CONTEXT + value: tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml + - name: STEPS_IMAGE + value: $(params.bundle-cli-ref-repo)@$(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: tkn-bundle-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle-oci-ta:0.1@sha256:b4b457d18a01348bd3d7d19b0ce05754c739efb2eb44be602c3050ed99c31a21 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL 
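Review bot: The new build-tekton-bundle task is not handed `$(params.image-expires-after)`, so the image pushed as `$(params.output-image).bundle` on pull requests will not get the 5d expiry the CLI image gets unless tkn-bundle-oci-ta applies one on its own (not visible here); if the Task exposes an expiry parameter, pass `$(params.image-expires-after)` through next to IMAGE, otherwise `on-pr-<sha>.bundle` tags accumulate in the build repo indefinitely. STEPS_IMAGE also bakes `$(params.bundle-cli-ref-repo)@<build-image-index digest>` into the bundle at build time, so the bundle is only usable once an image with exactly that digest exists in that repo, which for the push workflow is only after a release copies it there. That coupling deserves a comment on the STEPS_IMAGE line, e.g. `# Digest-pinned into the bundle; the release must copy the CLI image by digest into bundle-cli-ref-repo or this ref will not resolve.`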
@@ -274,7 +310,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 - name: kind value: task resolver: bundles @@ -296,7 +332,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 - name: kind value: task resolver: bundles @@ -327,10 +363,8 @@ spec: - "false" - name: sast-snyk-check params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT @@ -342,7 +376,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:9172196136831a61b9039ea4498fcdc71d6adc86d9694f236bea7b2a85488cd3 - name: kind value: task resolver: bundles 
@@ -364,7 +398,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae - name: kind value: task resolver: bundles @@ -407,7 +441,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:a2beb43c9f2a72f55ca17e196f66bcdaf4ff9a0b722c7e063af1f38e7003faad - name: kind value: task resolver: bundles diff --git a/.tekton/cli-main-ci-pull-request.yaml b/.tekton/cli-main-ci-pull-request.yaml index d4b959082..5a4283291 100644 --- a/.tekton/cli-main-ci-pull-request.yaml +++ b/.tekton/cli-main-ci-pull-request.yaml @@ -24,6 +24,8 @@ spec: value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-ci/cli-main-ci:on-pr-{{revision}} + - name: bundle-cli-ref-repo + value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-ci/cli-main-ci - name: image-expires-after value: 5d - name: dockerfile diff --git a/.tekton/cli-main-ci-push.yaml b/.tekton/cli-main-ci-push.yaml index d567bfeeb..f9e45a4d1 100644 --- a/.tekton/cli-main-ci-push.yaml +++ b/.tekton/cli-main-ci-push.yaml @@ -23,6 +23,8 @@ spec: value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-ci/cli-main-ci:{{revision}} + - name: bundle-cli-ref-repo + value: quay.io/enterprise-contract/cli - name: image-expires-after value: '' - name: dockerfile diff --git a/.tekton/task-build.yaml b/.tekton/task-build.yaml deleted file mode 100644 index 3267d296f..000000000 --- a/.tekton/task-build.yaml +++ /dev/null 
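Review bot: Setting bundle-cli-ref-repo to `quay.io/enterprise-contract/cli` in the push PipelineRun means every bundle built from main embeds a step-image reference that does not exist until a release copies the CLI image into that repository, so the bundle cannot be pulled or run in the meantime. That is fine only as long as the release copies by digest (cosign copy preserves it) and copies the CLI image before the bundle is published; the release pipeline in this diff happens to do both, but nothing in this file ties the two together. A comment next to the value would save the next person a debugging session, e.g. `# Must match params.cli-repo in release/cli.yaml; bundles built here are unusable until that copy lands.`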
@@ -1,269 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: task-build -spec: - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image. - name: build-source-image - type: string - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: 
quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:d091a9e19567a4cbdc5acd57903c71ba71dc51d749a4ba7477e689608851e981 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:b7a6b67e97c6c03b552b9cd57d4a2868d63e279ee68ced2a53e713befca9e009 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image) - - name: CONTEXT - value: ./source/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: tkn-bundle - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-tkn-bundle:0.1@sha256:7542d1701f13ee69429326f4e52db38c9c38e6e79277953eabe31cd809772b0e - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - #- Skipping build-source-image - #- Skipping deprecated-base-image-check - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: 
quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - #- Skipping ecosystem-cert-preflight-checks - - name: sast-snyk-check - runAfter: - - build-container - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:df33774c66799947d012605febdc75e82498413ecc6e374774c648006b816cd1 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - workspace: workspace - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - - name: git-auth - optional: true diff --git a/.tekton/task-main-pull-request.yaml b/.tekton/task-main-pull-request.yaml deleted file mode 100644 index 9ccae467a..000000000 --- a/.tekton/task-main-pull-request.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/enterprise-contract/ec-cli?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - # Only rebuild the task bundle if there is a change to the task definition - pipelinesascode.tekton.dev/on-cel-expression: >- - event == "pull_request" && target_branch == "main" && "tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml".pathChanged() - pipelinesascode.tekton.dev/pipeline: ".tekton/task-build.yaml" - labels: - appstudio.openshift.io/application: ec-main-task-build - appstudio.openshift.io/component: task-main - pipelines.appstudio.openshift.io/type: build - name: task-main-on-pull-request - namespace: rhtap-contract-tenant -spec: - # Note that some params here are not used since the build-container - # task is tkn-bundle rather than buildah - params: - - name: dockerfile - value: Dockerfile - - name: git-url - value: '{{source_url}}' - - name: image-expires-after - value: 5d - - name: output-image - value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-task-build/task-main:on-pr-{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' - pipelineRef: - name: task-build - workspaces: - - name: workspace - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' diff --git a/.tekton/task-main-push.yaml b/.tekton/task-main-push.yaml deleted file mode 100644 index 3413f8259..000000000 --- a/.tekton/task-main-push.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/enterprise-contract/ec-cli?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - # Only rebuild the task bundle if there is a change to the task definition - pipelinesascode.tekton.dev/on-cel-expression: >- - event == "push" && target_branch == "main" && "tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml".pathChanged() - pipelinesascode.tekton.dev/pipeline: ".tekton/task-build.yaml" - labels: - appstudio.openshift.io/application: ec-main-task-build - appstudio.openshift.io/component: task-main - pipelines.appstudio.openshift.io/type: build - name: task-main-on-push - namespace: rhtap-contract-tenant -spec: - # Note that some params here are not used since the build-container - # task is tkn-bundle rather than buildah - params: - - name: dockerfile - value: Dockerfile - - name: git-url - value: '{{source_url}}' - - name: output-image - value: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-main-task-build/task-main:{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' - pipelineRef: - name: task-build - workspaces: - - name: workspace - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' diff --git a/Makefile b/Makefile index 0f4122def..6f3539014 100644 --- a/Makefile +++ b/Makefile 
@@ -83,11 +83,6 @@ build-for-test: dist/ec_$(BUILD_IMG_ARCH) clean: ## Delete build output @rm -f dist/* -.PHONY: generate-pipelines -generate-pipelines: ## Generate release pipelines - kustomize build ./release/src/cli --output ./release/cli.yaml - kustomize build ./release/src/tekton-task --output ./release/tekton-task.yaml - ##@ Testing # Declutter the output by grepping out the files where there are no diff --git a/hack/copy-snapshot-image.sh b/hack/copy-snapshot-image.sh new file mode 100755 index 000000000..364f41c77 --- /dev/null +++ b/hack/copy-snapshot-image.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash +# Copyright The Enterprise Contract Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +SNAPSHOT_SPEC=$1 +TARGET_REPO=$2 + +echo "Target repo: ${TARGET_REPO}" + +echo "Verifying snapshot contains a single component" +echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null + +GIT_SHA="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].source.git.revision')" +IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')" + +TAGS=( + 'latest' + "${GIT_SHA}" +) +for tag in "${TAGS[@]}"; do + echo "Pushing image with tag ${tag}" + cosign copy --force "${IMAGE_REF}" "${TARGET_REPO}:${tag}" +done diff --git a/hack/expand-snapshot.sh b/hack/expand-snapshot.sh new file mode 100755 index 000000000..3c4d1106d --- /dev/null 
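Review bot: copy-snapshot-image.sh copies `${IMAGE_REF}` straight from the snapshot without checking that it is digest-pinned, so a tag-only containerImage would make `cosign copy` promote whatever that tag resolves to at copy time rather than the artifact the preceding verify-enterprise-contract run checked. Add a guard before the loop: `[[ "${IMAGE_REF}" == *@sha256:* ]] || { echo "Refusing to copy unpinned image ${IMAGE_REF}" >&2; exit 1; }`. `GIT_SHA` is read with `jq -r`, which prints the literal string `null` when the field is absent and would push a `null` tag; use `jq -er` for both lookups so a missing field fails the script. The `--force` overwrite of `latest` is presumably intended but deserves a one-line comment saying so.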
+++ b/hack/expand-snapshot.sh 
@@ -0,0 +1,55 @@ +#!/usr/bin/env bash +# Copyright The Enterprise Contract Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +# This script is meant to take an existing snapshot reference which includes just +# the EC CLI image and use that to create a new snapshot which includes the EC Tekton +# bundle image. + +set -o errexit +set -o nounset +set -o pipefail + +# Release service includes the namespace with the resource name. Let's clean that up. 
+SNAPSHOT_NAME="${1#*/}" +CLI_SNAPSHOT_PATH=$2 +BUNDLE_SNAPSHOT_PATH=$3 + +echo "Fetching ${SNAPSHOT_NAME} snapshot" +SNAPSHOT_SPEC="$(oc get snapshot ${SNAPSHOT_NAME} -o json | jq '.spec')" +echo "${SNAPSHOT_SPEC}" + +echo "Verifying snapshot contains a single component" +echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null + +CLI_IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')" +echo "CLI image ref: ${CLI_IMAGE_REF}" + +echo "Storing EC CLI snapshot in ${CLI_SNAPSHOT_PATH}" +echo "${SNAPSHOT_SPEC}" > "${CLI_SNAPSHOT_PATH}" + +BUNDLE_IMAGE_REF="$( + cosign download attestation "${CLI_IMAGE_REF}" | jq -r '.payload | @base64d | fromjson | + .predicate.buildConfig.tasks[] | select(.name == "build-tekton-bundle") | + .results[] | select(.name == "IMAGE_REF") | .value' +)" + +echo "Bundle image ref: ${BUNDLE_IMAGE_REF}" + +echo "Creating new snapshot spec for bundle and storing in ${BUNDLE_SNAPSHOT_PATH}" +echo "${SNAPSHOT_SPEC}" | jq --arg bundle "${BUNDLE_IMAGE_REF}" \ + '.components[0].name = "tekton-bundle" | .components[0].containerImage = $bundle' | \ + tee "${BUNDLE_SNAPSHOT_PATH}" diff --git a/release/README.md b/release/README.md index 3ceef72c4..cd80c9730 100644 --- a/release/README.md +++ b/release/README.md 
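Review bot: BUNDLE_IMAGE_REF is derived from `cosign download attestation`, which fetches but does not verify the attestation, and the result is used unchecked: no matching task/result yields an empty containerImage, and more than one attestation on the image yields several refs joined by newlines into one value. The later verify-enterprise-contract-bundle task does verify whatever ref lands in the new snapshot, so a forged ref should still fail policy, but the script should fail fast on zero or multiple results and require a digest-pinned ref, and ideally verify the provenance with the same key/identity the policy trusts before using it for routing. Also quote `"${SNAPSHOT_NAME}"` in the `oc get` call. Suggested guard after the existing assignment:
```shell
# … unchanged: BUNDLE_IMAGE_REF="$( cosign download attestation … )" …
# `cosign download attestation` does not verify signatures; the ref chosen here is
# only trusted because verify-enterprise-contract-bundle verifies it before the push.
if [[ -z "${BUNDLE_IMAGE_REF}" || "${BUNDLE_IMAGE_REF}" == *$'\n'* || "${BUNDLE_IMAGE_REF}" != *@sha256:* ]]; then
  echo "Expected exactly one digest-pinned bundle IMAGE_REF, got: '${BUNDLE_IMAGE_REF}'" >&2
  exit 1
fi
```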
@@ -1,19 +1,17 @@ -# Release Pipelines +# Release Pipeline -This directory contains the Tekton Pipelines used to release EC from the main branch. These -Pipelines execute in [Konflux](https://konflux-ci.dev/). - -The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src` directory. To -make changes to the Pipelines, update the corresponding files in that directory and run the -`make generate-pipelines` command (requires `kustomize`). +This directory contains the Tekton Pipeline used to release EC from the main branch. The Pipeline +executes in [Konflux](https://konflux-ci.dev/). ## Setup -The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeliens +The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeline will run. This creates a ServiceAccount with access to perform the release. -## Why are there two Pipelines? +## Why are there two verify-enterprise-contract Tasks? -Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline -parameter. Because the CLI and the Tekton Task require different EC policies, the only way to -achieve this is by using different Pipelines with different default values for the EC policy. +The CLI and the bundle images require different EC policies. The bundle image, for example, does not +include binary content, as such, it makes little sense to run scan it with an anti-virus for example. +Currently, it is not possible to use a single EC policy for different components, but there are plans +for doing so. When that becomes a reality, a single snapshot and a single execution of the +verify-enterprise-contract would be sufficient. diff --git a/release/cli.yaml b/release/cli.yaml index 15acd2178..80ae52fab 100644 --- a/release/cli.yaml +++ b/release/cli.yaml @@ -1,3 +1,4 @@ +--- # Copyright The Enterprise Contract Contributors # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -20,160 +21,117 @@ metadata: name: release-cli spec: description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release + - default: quay.io/enterprise-contract/cli + description: Location to push the CLI image to + name: cli-repo type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan + - default: quay.io/enterprise-contract/tekton-task + description: Location to push the bundle image to + name: bundle-repo type: string - description: The namespaced name (namespace/name) of the snapshot name: snapshot type: string - - default: github.com/enterprise-contract/ec-cli//policies/cli - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - default: pipeline_intention=release description: | Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax "key1=value1,key2=value2..." 
name: enterpriseContractExtraRuleData type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data + - name: clone-repository params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) + - name: url + value: https://github.com/enterprise-contract/ec-cli + - name: revision + value: main - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources + value: source taskRef: params: + # TODO: Can't use Konflux's git-clone Task because that requires a security context not provided + # to the ServiceAccount running this pipeline (securityContext.runAsUser: 0). 
- name: url - value: https://github.com/lcarva/release-service-bundles.git + value: https://github.com/lcarva/build-definitions.git - name: revision - value: support-tenant-releases + value: no-root-git-clone - name: pathInRepo - value: tasks/collect-data/collect-data.yaml + value: task/git-clone/0.1/git-clone.yaml resolver: git workspaces: - - name: data + - name: output workspace: release-workspace - - name: reduce-snapshot + - name: expand-snapshot params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + - name: input + value: $(params.snapshot) runAfter: - - collect-data - taskRef: + - clone-repository + taskSpec: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git + - name: input + type: string + results: + - name: cli-snapshot-spec + type: string + - name: bundle-snapshot-spec + type: string + stepTemplate: + env: + - name: HOME + value: /tekton/home + steps: + - command: + - hack/expand-snapshot.sh + - $(params.input) + - $(results.cli-snapshot-spec.path) + - $(results.bundle-snapshot-spec.path) + image: quay.io/konflux-ci/appstudio-utils:latest + name: expand + workingDir: $(workspaces.source.path)/source + workspaces: + - name: source workspaces: - - name: data + - name: source workspace: release-workspace - - name: apply-mapping + - name: verify-enterprise-contract-cli params: - - name: failOnEmptyResult + - name: IMAGES + value: 
$(tasks.expand-snapshot.results.cli-snapshot-spec) + - name: SSL_CERT_DIR + value: /var/run/secrets/kubernetes.io/serviceaccount + - name: POLICY_CONFIGURATION + value: $(workspaces.data.path)/source/policies/cli/policy.yaml + - name: IGNORE_REKOR value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot + - name: EXTRA_RULE_DATA + value: $(params.enterpriseContractExtraRuleData) taskRef: params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git + - name: bundle + value: quay.io/enterprise-contract/ec-task-bundle:snapshot + - name: kind + value: task + - name: name + value: verify-enterprise-contract + resolver: bundles workspaces: - - name: config + - name: data workspace: release-workspace - - name: verify-enterprise-contract + # TODO: Consider using matrix? + - name: verify-enterprise-contract-bundle params: - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) + value: $(tasks.expand-snapshot.results.bundle-snapshot-spec) - name: SSL_CERT_DIR value: /var/run/secrets/kubernetes.io/serviceaccount - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" + value: $(workspaces.data.path)/source/policies/tekton-task/policy.yaml - name: IGNORE_REKOR value: "true" - name: EXTRA_RULE_DATA value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping taskRef: params: - name: bundle 
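Review bot: The release pipeline now resolves several of its inputs from mutable references: the policy files and hack/ scripts come from `revision: main` of ec-cli rather than the revision recorded in the snapshot, the git-clone Task from a personal fork at branch `no-root-git-clone`, the expand step from `appstudio-utils:latest`, and the verify Task from `ec-task-bundle:snapshot`. Any of these can change between two runs or be changed by someone outside this repository, so a release is not reproducible and the policy it enforces is whatever main says at that moment; pin the git refs to commit SHAs and the images to `@sha256:` digests (the TODO explains why the fork is used, not why the branch is unpinned). The dropped `STRICT: "1"` also needs a check: if the verify-enterprise-contract Task's default is not strict (not visible here), policy violations become warnings and no longer block the push. The verify-enterprise-contract-bundle taskRef continues past the end of this hunk.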
@@ -186,33 +144,51 @@ spec:
workspaces:
- name: data
workspace: release-workspace
- - name: push-snapshot
+ - name: push
params:
- - name: snapshotPath
- value: $(tasks.collect-data.results.snapshotSpec)
- - name: dataPath
- value: $(tasks.collect-data.results.data)
- - name: resultsDirPath
- value: $(tasks.collect-data.results.resultsDir)
- retries: 5
+ - name: cli-snapshot-spec
+ value: $(tasks.expand-snapshot.results.cli-snapshot-spec)
+ - name: cli-target-repo
+ value: $(params.cli-repo)
+ - name: bundle-snapshot-spec
+ value: $(tasks.expand-snapshot.results.bundle-snapshot-spec)
+ - name: bundle-target-repo
+ value: $(params.bundle-repo)
runAfter:
- - verify-enterprise-contract
- taskRef:
+ - verify-enterprise-contract-cli
+ - verify-enterprise-contract-bundle
+ taskSpec:
params:
- - name: url
- value: https://github.com/lcarva/release-service-bundles.git
- - name: revision
- value: KFLUXBUGS-1741
- - name: pathInRepo
- value: tasks/push-snapshot/push-snapshot.yaml
- resolver: git
- when:
- - input: $(tasks.apply-mapping.results.mapped)
- operator: in
- values:
- - "true"
+ - name: cli-snapshot-spec
+ type: string
+ - name: cli-target-repo
+ type: string
+ - name: bundle-snapshot-spec
+ type: string
+ - name: bundle-target-repo
+ type: string
+ stepTemplate:
+ env:
+ - name: HOME
+ value: /tekton/home
+ workingDir: $(workspaces.source.path)/source
+ steps:
+ - command:
+ - hack/copy-snapshot-image.sh
+ - $(params.cli-snapshot-spec)
+ - $(params.cli-target-repo)
+ image: quay.io/konflux-ci/appstudio-utils:latest
+ name: copy-cli
+ - command:
+ - hack/copy-snapshot-image.sh
+ - $(params.bundle-snapshot-spec)
+ - $(params.bundle-target-repo)
+ image: quay.io/konflux-ci/appstudio-utils:latest
+ name: copy-bundle
+ workspaces:
+ - name: source
workspaces:
- - name: data
+ - name: source
workspace: release-workspace
workspaces:
- name: release-workspace
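Review bot: Both steps of the new inline `push` taskSpec run `hack/copy-snapshot-image.sh` from `image: quay.io/konflux-ci/appstudio-utils:latest`, a mutable tag, so the tooling that copies release images into the target repositories can change between runs with no change in this repo and a past run cannot be reproduced; the task bundles in this same commit are pinned by digest, and the step images should be too, e.g. `image: quay.io/konflux-ci/appstudio-utils@sha256:<digest>` (placeholder, resolve to the digest you intend to ship). The same applies to the `expand` step of the `expand-snapshot` taskSpec earlier in the diff. The rewrite also drops the `retries: 5` that `push-snapshot` carried; if registry pushes are still expected to be flaky, keeping `retries: 5` on the `push` task preserves that behaviour. Dropping the `when` guard on `apply-mapping` results looks intended, since that task no longer exists in the new pipeline.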
diff --git a/release/src/base/kustomization.yaml b/release/src/base/kustomization.yaml
deleted file mode 100644
index cb62baad4..000000000
--- a/release/src/base/kustomization.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-# Copyright The Enterprise Contract Contributors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - release.yaml
-patches:
- - path: tasks/verify-access-to-resources.yaml
- target:
- kind: Pipeline
- - path: tasks/collect-data.yaml
- target:
- kind: Pipeline
- - path: tasks/apply-mapping.yaml
- target:
- kind: Pipeline
- - path: tasks/push-snapshot.yaml
- target:
- kind: Pipeline
diff --git a/release/src/base/release.yaml b/release/src/base/release.yaml
deleted file mode 100644
index bdeae4064..000000000
--- a/release/src/base/release.yaml
+++ /dev/null
@@ -1,222 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# This Pipeline is a variation of: -# https://github.com/konflux-ci/release-service-catalog/blob/development/pipelines/push-to-external-registry/push-to-external-registry.yaml -# It has been modified from its original version. It has been formatted to fit Tenant Release Pipelines. -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release -spec: - description: >- - Tekton pipeline to release Snapshots to a registry. - params: - - name: release - type: string - description: - The namespaced name (namespace/name) of the Release custom resource initiating this pipeline execution - - name: releasePlan - type: string - description: The namespaced name (namespace/name) of the releasePlan - - name: snapshot - type: string - description: The namespaced name (namespace/name) of the snapshot - - name: enterpriseContractPolicy - type: string - description: JSON representation of the EnterpriseContractPolicy - default: UPDATE_ME - - name: enterpriseContractExtraRuleData - type: string - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- default: "pipeline_intention=release" - - name: enterpriseContractTimeout - type: string - description: Timeout setting for `ec validate` - default: 40m0s - workspaces: - - name: release-workspace - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-access-to-resources - - name: reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/reduce-snapshot/reduce-snapshot.yaml - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: 
$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - collect-data - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: "$(tasks.collect-data.results.data)" - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - workspaces: - - name: config - workspace: release-workspace - runAfter: - - reduce-snapshot - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - - name: verify-enterprise-contract - taskRef: - resolver: "bundles" - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - params: - - name: IMAGES - value: "$(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)" - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - workspaces: - - name: data - workspace: release-workspace - runAfter: - - apply-mapping - - name: push-snapshot - retries: 5 - when: - - input: "$(tasks.apply-mapping.results.mapped)" - operator: in - values: ["true"] - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - params: - - name: snapshotPath - value: "$(tasks.collect-data.results.snapshotSpec)" - - name: dataPath - value: 
"$(tasks.collect-data.results.data)" - - name: resultsDirPath - value: "$(tasks.collect-data.results.resultsDir)" - workspaces: - - name: data - workspace: release-workspace - runAfter: - - verify-enterprise-contract - finally: - - name: cleanup - taskRef: - resolver: "git" - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - params: - - name: subdirectory - value: "$(context.pipelineRun.uid)" - - name: delay - value: "0" - workspaces: - - name: input - workspace: release-workspace diff --git a/release/src/base/tasks/apply-mapping.yaml b/release/src/base/tasks/apply-mapping.yaml deleted file mode 100644 index 442eedb67..000000000 --- a/release/src/base/tasks/apply-mapping.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need changes from https://github.com/konflux-ci/release-service-catalog/pull/631 to be in the -# production branch -- op: replace - path: /spec/tasks/3/taskRef/params/1/value - value: development diff --git a/release/src/base/tasks/collect-data.yaml b/release/src/base/tasks/collect-data.yaml deleted file mode 100644 index 021374782..000000000 --- a/release/src/base/tasks/collect-data.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/1/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml diff --git a/release/src/base/tasks/push-snapshot.yaml b/release/src/base/tasks/push-snapshot.yaml deleted file mode 100644 index 806e5a591..000000000 --- a/release/src/base/tasks/push-snapshot.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes to be merged and made available in the production branch: -# https://github.com/konflux-ci/release-service-catalog/pull/671 -- op: replace - path: /spec/tasks/5/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml diff --git a/release/src/base/tasks/verify-access-to-resources.yaml b/release/src/base/tasks/verify-access-to-resources.yaml deleted file mode 100644 index 80111c4a1..000000000 --- a/release/src/base/tasks/verify-access-to-resources.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -# Need these changes: https://github.com/konflux-ci/release-service-catalog/pull/672 -- op: replace - path: /spec/tasks/0/taskRef/params - value: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml diff --git a/release/src/cli/kustomization.yaml b/release/src/cli/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/cli/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/cli/patch.yaml b/release/src/cli/patch.yaml deleted file mode 100644 index 2e1644026..000000000 --- a/release/src/cli/patch.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/cli 
diff --git a/release/src/tekton-task/kustomization.yaml b/release/src/tekton-task/kustomization.yaml deleted file mode 100644 index 1d7d66ca8..000000000 --- a/release/src/tekton-task/kustomization.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../base -patches: - - path: patch.yaml - target: - kind: Pipeline diff --git a/release/src/tekton-task/patch.yaml b/release/src/tekton-task/patch.yaml deleted file mode 100644 index 3328132e9..000000000 --- a/release/src/tekton-task/patch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -- op: replace - path: /metadata/name - value: release-cli -- op: replace - path: /spec/params/3/default # enterpriseContractPolicy - value: github.com/enterprise-contract/ec-cli//policies/tekton-task diff --git a/release/tekton-task.yaml b/release/tekton-task.yaml deleted file mode 100644 index 58d579d49..000000000 --- a/release/tekton-task.yaml +++ /dev/null 
@@ -1,218 +0,0 @@ -# Copyright The Enterprise Contract Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: release-cli -spec: - description: Tekton pipeline to release Snapshots to a registry. - finally: - - name: cleanup - params: - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: delay - value: "0" - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: tasks/cleanup-workspace/cleanup-workspace.yaml - resolver: git - workspaces: - - name: input - workspace: release-workspace - params: - - description: The namespaced name (namespace/name) of the Release custom resource - initiating this pipeline execution - name: release - type: string - - description: The namespaced name (namespace/name) of the releasePlan - name: releasePlan - type: string - - description: The namespaced name (namespace/name) of the snapshot - name: snapshot - type: string - - default: github.com/enterprise-contract/ec-cli//policies/tekton-task - description: JSON representation of the EnterpriseContractPolicy - name: enterpriseContractPolicy - type: string - - default: pipeline_intention=release - description: | - Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax - "key1=value1,key2=value2..." 
- name: enterpriseContractExtraRuleData - type: string - - default: 40m0s - description: Timeout setting for `ec validate` - name: enterpriseContractTimeout - type: string - tasks: - - name: verify-access-to-resources - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: requireInternalServices - value: "false" - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/verify-access-to-resources/verify-access-to-resources.yaml - resolver: git - - name: collect-data - params: - - name: release - value: $(params.release) - - name: releasePlan - value: $(params.releasePlan) - - name: snapshot - value: $(params.snapshot) - - name: subdirectory - value: $(context.pipelineRun.uid) - runAfter: - - verify-access-to-resources - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: support-tenant-releases - - name: pathInRepo - value: tasks/collect-data/collect-data.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: reduce-snapshot - params: - - name: SNAPSHOT - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SINGLE_COMPONENT - value: $(tasks.collect-data.results.singleComponentMode) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE - value: snapshot/$(tasks.collect-data.results.snapshotName) - - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS - value: $(tasks.collect-data.results.snapshotNamespace) - - name: SNAPSHOT_PATH - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - runAfter: - - collect-data - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: production - - name: pathInRepo - value: 
tasks/reduce-snapshot/reduce-snapshot.yaml - resolver: git - workspaces: - - name: data - workspace: release-workspace - - name: apply-mapping - params: - - name: failOnEmptyResult - value: "true" - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - runAfter: - - reduce-snapshot - taskRef: - params: - - name: url - value: https://github.com/konflux-ci/release-service-catalog.git - - name: revision - value: development - - name: pathInRepo - value: tasks/apply-mapping/apply-mapping.yaml - resolver: git - workspaces: - - name: config - workspace: release-workspace - - name: verify-enterprise-contract - params: - - name: IMAGES - value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec) - - name: SSL_CERT_DIR - value: /var/run/secrets/kubernetes.io/serviceaccount - - name: POLICY_CONFIGURATION - value: $(params.enterpriseContractPolicy) - - name: STRICT - value: "1" - - name: IGNORE_REKOR - value: "true" - - name: EXTRA_RULE_DATA - value: $(params.enterpriseContractExtraRuleData) - - name: TIMEOUT - value: $(params.enterpriseContractTimeout) - runAfter: - - apply-mapping - taskRef: - params: - - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot - - name: kind - value: task - - name: name - value: verify-enterprise-contract - resolver: bundles - workspaces: - - name: data - workspace: release-workspace - - name: push-snapshot - params: - - name: snapshotPath - value: $(tasks.collect-data.results.snapshotSpec) - - name: dataPath - value: $(tasks.collect-data.results.data) - - name: resultsDirPath - value: $(tasks.collect-data.results.resultsDir) - retries: 5 - runAfter: - - verify-enterprise-contract - taskRef: - params: - - name: url - value: https://github.com/lcarva/release-service-bundles.git - - name: revision - value: KFLUXBUGS-1741 - - name: pathInRepo - value: tasks/push-snapshot/push-snapshot.yaml - resolver: git - when: - - input: 
$(tasks.apply-mapping.results.mapped) - operator: in - values: - - "true" - workspaces: - - name: data - workspace: release-workspace - workspaces: - - name: release-workspace