RHTAP gitops PR pipeline (#887)

* Add task that gathers image refs from gitops repo

For RHTAP, we will need a pipeline that runs on pull requests to the
gitops repo. This pipeline will run EC validation on the deployment
images found in the repo.

Add a task that takes a gitops repo (passed in via the 'source'
workspace) and returns the images in EC-compatible format.

Signed-off-by: Adam Cmiel <[email protected]>

* Add gitops-pull-request pipeline

On each pull request to a gitops repo, the pipeline will run EC
validation on the deployment images.

Signed-off-by: Adam Cmiel <[email protected]>

---------

Signed-off-by: Adam Cmiel <[email protected]>
Co-authored-by: John Duimovich <[email protected]>

pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml

@@ -0,0 +1,76 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: gitops-pull-request
+spec:
+  params:
+    - description: Gitops repo url
+      name: git-url
+      type: string
+    - description: Gitops repo revision
+      name: revision
+      type: string
+      default: ""
+    - description: Enterprise Contract policy to validate against
+      name: ec-policy-configuration
+      type: string
+      default: github.com/enterprise-contract/config//default
+    - description: Should EC violations cause the pipeline to fail?
+      name: ec-strict
+      type: string
+      default: "true"
+    - description: The public key that EC should use to verify signatures
+      name: ec-public-key
+      type: string
+      default: "k8s://$(context.pipelineRun.namespace)/cosign-pub"
+    - description: The Rekor host that EC should use to look up transparency logs
+      name: ec-rekor-host
+      type: string
+      default: http://rekor-server.rhtap.svc
+    - description: The TUF mirror that EC should use
+      name: ec-tuf-mirror
+      type: string
+      default: http://tuf.rhtap.svc
+  tasks:
+    - name: clone-repository
+      params:
+        - name: url
+          value: $(params.git-url)
+        - name: revision
+          value: $(params.revision)
+      taskRef:
+        name: git-clone
+        version: "0.1"
+      workspaces:
+        - name: output
+          workspace: workspace
+        - name: basic-auth
+          workspace: git-auth
+    - name: gather-deploy-images
+      runAfter:
+        - clone-repository
+      taskRef:
+        name: gather-deploy-images
+        version: "0.1"
+      workspaces:
+        - name: source
+          workspace: workspace
+    - name: verify-enteprise-contract
+      params:
+        - name: IMAGES
+          value: $(tasks.gather-deploy-images.results.IMAGES_TO_VERIFY)
+        - name: STRICT
+          value: $(params.ec-strict)
+        - name: POLICY_CONFIGURATION
+          value: $(params.ec-policy-configuration)
+        - name: PUBLIC_KEY
+          value: $(params.ec-public-key)
+        - name: REKOR_HOST
+          value: $(params.ec-rekor-host)
+        - name: TUF_MIRROR
+          value: $(params.ec-tuf-mirror)
+      runAfter:
+        - gather-deploy-images
+      taskRef:
+        name: verify-enterprise-contract
+        version: "0.1"

pipelines/gitops-pull-request-rhtap/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitops-pull-request.yaml

pipelines/rhtap/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../docker-build-rhtap
+- ../gitops-pull-request-rhtap

task/gather-deploy-images/0.1/README.md

@@ -0,0 +1,13 @@
+# gather-deploy-images task
+
+Extract images from deployment YAML to pass to EC for validation
+
+## Results
+|name|description|
+|---|---|
+|IMAGES_TO_VERIFY|The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Should contain a cloned gitops repo at the ./source subpath|false|

task/gather-deploy-images/0.1/gather-deploy-images.yaml

@@ -0,0 +1,39 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: gather-deploy-images
+spec:
+  description: Extract images from deployment YAML to pass to EC for validation
+  workspaces:
+    - description: Should contain a cloned gitops repo at the ./source subpath
+      name: source
+  results:
+    - name: IMAGES_TO_VERIFY
+      description: The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1
+  steps:
+  - name: get-images-per-env
+    image: quay.io/redhat-appstudio/appstudio-utils:5bd7d6cb0b17f9f2eab043a8ad16ba3d90551bc2@sha256:8c7fcf86af40c71aeb58e4279625c8308af5144e2f6b8e28b0ec7e795260e5f7
+    workingDir: $(workspaces.source.path)/source
+    script: |
+      #!/bin/bash
+      set -euo pipefail
+
+      component_name=$(yq .metadata.name application.yaml)
+
+      for env in development stage prod; do
+        yq '.spec.template.spec.containers[0].image' "components/${component_name}/overlays/${env}/deployment-patch.yaml"
+      done | sort -u > /tmp/all-images.txt
+
+      # TODO: each component needs a {"source": {"git": {"url": "...", "revision": "..."}}}
+      #       will that be too large for Tekton results?
+
+      jq --compact-output --raw-input --slurp < /tmp/all-images.txt '
+        # split input file
+        split("\n") |
+        # drop empty lines
+        map(select(length > 0)) |
+        # convert into EC-compatible format
+        {
+          "components": map({"containerImage": .})
+        }
+      ' | tee $(results.IMAGES_TO_VERIFY.path)