Merge branch 'main' into update-renovate

konflux-ci · Mar 18, 2024 · 608cc69 · 608cc69
2 parents 037b44e + 79503e8
commit 608cc69
Show file tree

Hide file tree

Showing 15 changed files with 463 additions and 96 deletions.
diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml
@@ -14,6 +14,13 @@
     name: stackrox-secret
     type: string
     default: "rox-api-token"
+- op: add
+  path: /spec/params/-
+  value:
+    name: event-type
+    type: string
+    default: "push"
+    description: "Event that triggered the pipeline run, e.g. push, pull_request"
 - op: add
   path: /spec/results/-
   value:
@@ -27,16 +34,16 @@
 - op: add
   path: /spec/tasks/3/params
   value:
-  - name: IMAGE
-    value: $(params.output-image)
-  - name: DOCKERFILE
-    value: $(params.dockerfile)
-  - name: CONTEXT
-    value: $(params.path-context)
-  - name: IMAGE_EXPIRES_AFTER
-    value: "$(params.image-expires-after)"
-  - name: COMMIT_SHA
-    value: "$(tasks.clone-repository.results.commit)"
+    - name: IMAGE
+      value: $(params.output-image)
+    - name: DOCKERFILE
+      value: $(params.dockerfile)
+    - name: CONTEXT
+      value: $(params.path-context)
+    - name: IMAGE_EXPIRES_AFTER
+      value: "$(params.image-expires-after)"
+    - name: COMMIT_SHA
+      value: "$(tasks.clone-repository.results.commit)"
 # Remove tasks
 # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0
 # to compute offsets
@@ -75,14 +82,14 @@
   value:
     name: acs-image-check
     params:
-    - name: rox-secret-name
-      value: $(params.stackrox-secret)
-    - name: image
-      value: $(params.output-image)
-    - name: insecure-skip-tls-verify
-      value: "true"
-    - name: image-digest
-      value: $(tasks.build-container.results.IMAGE_DIGEST)
+      - name: rox-secret-name
+        value: $(params.stackrox-secret)
+      - name: image
+        value: $(params.output-image)
+      - name: insecure-skip-tls-verify
+        value: "true"
+      - name: image-digest
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
     runAfter:
       - build-container
     taskRef:
@@ -92,16 +99,16 @@
   value:
     name: acs-image-scan
     params:
-    - name: rox-secret-name
-      value: $(params.stackrox-secret)
-    - name: image
-      value: $(params.output-image)
-    - name: insecure-skip-tls-verify
-      value: "true"
-    - name: image-digest
-      value: $(tasks.build-container.results.IMAGE_DIGEST)
+      - name: rox-secret-name
+        value: $(params.stackrox-secret)
+      - name: image
+        value: $(params.output-image)
+      - name: insecure-skip-tls-verify
+        value: "true"
+      - name: image-digest
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
     runAfter:
-    - build-container
+      - build-container
     taskRef:
       kind: Task
       name: acs-image-scan
@@ -110,14 +117,18 @@
   value:
     name: acs-deploy-check
     params:
-    - name: rox-secret-name
-      value: $(params.stackrox-secret)
-    - name: gitops-repo-url
-      value: $(params.git-url)-gitops
-    - name: insecure-skip-tls-verify
-      value: "true"
+      - name: rox-secret-name
+        value: $(params.stackrox-secret)
+      - name: gitops-repo-url
+        value: $(params.git-url)-gitops
+      - name: insecure-skip-tls-verify
+        value: "true"
     runAfter:
-    - update-deployment
+      - update-deployment
+    when:
+      - input: "pull_request"
+        operator: notin
+        values: ["$(params.event-type)"]
     taskRef:
       kind: Task
       name: acs-deploy-check
@@ -132,6 +143,10 @@
         value: $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
     runAfter:
       - build-container
+    when:
+      - input: "pull_request"
+        operator: notin
+        values: ["$(params.event-type)"]
     taskRef:
       kind: Task
       name: update-deployment
diff --git a/task/generate-odcs-compose/0.1/README.md b/task/generate-odcs-compose/0.1/README.md
@@ -14,6 +14,11 @@ The input is provided inside a YAML file with its root containing a single eleme
 named `composes`. This element is a list in which each entry is to be converted
 into inputs for a single call to ODCS.
 
+The task requires a secret to reside on the namespace where the task is running.
+The secret should be named `odcs-service-account` and it should include two fields:
+`client-id` - containing an OIDC client ID and `client-secret` containing the client's
+secret for generating OIDC token.
+
 Element fields:
 
 * kind: Corresponds to sub-types of [`ComposeSourceGeneric`][input structure].
@@ -39,8 +44,6 @@ composes:
 | IMAGE           | Image used for running the tasks's script                         |
 | COMPOSE_INPUTS  | relative path from workdir workspace to the compose inputs file   |
 | COMPOSE_OUTPUTS | relative path from workdir workspace to store compose output files|
-| KT_PATH         | Path to mount keytab to be used for authentication with ODCS      |
-| KRB_CACHE_PATH  | Path to store Kerberos cache                                      |
 
 
 ## Results:

diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
@@ -5,13 +5,6 @@ metadata:
   name: generate-odcs-compose
 spec:
   params:
-    - name: KT_PATH
-      type: string
-      description: path to mount keytab
-      default: /tmp/kt
-    - name: KRB_CACHE_PATH
-      description: path to krb cache
-      default: /tmp/krb5ccname
     - name: COMPOSE_INPUTS
       description: relative path from workdir workspace to the compose inputs file
       default: compose_inputs.yaml
@@ -23,23 +16,23 @@ spec:
       description: |
         Working directory that will be used for reading configuration files
         and writing the output
-    - name: keytab-secret
-      description: for storing keytab secret
-      mountPath: "$(params.KT_PATH)"
-    - name: krb-cache
-      description: location of krb cache
-      mountPath: "$(params.KRB_CACHE_PATH)"
   results:
     - name: repodir_path
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:b95417fbab81a012881b79fee82f187074248b84
+      image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197
       env:
-        - name: KRB5CCNAME
-          value: "$(params.KRB_CACHE_PATH)/krb5ccname"
-        - name: KRB5_CLIENT_KTNAME
-          value: "$(params.KT_PATH)/keytab"
+        - name: CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: odcs-service-account
+              key: client-id
+        - name: CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: odcs-service-account
+              key: client-secret
         - name: COMPOSE_INPUTS
           value: "$(params.COMPOSE_INPUTS)"
         - name: COMPOSE_OUTPUTS

diff --git a/task/generate-odcs-compose/OWNERS b/task/generate-odcs-compose/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- gbenhaim
+- avi-biton
+- amisstea
+- yftacherzog
diff --git a/task/provision-env-with-ephemeral-namespace/0.1/README.md b/task/provision-env-with-ephemeral-namespace/0.1/README.md
@@ -0,0 +1,27 @@
+# provision-env-with-ephemeral-namespace task
+
+## Description:
+This task generates a spaceRequest which in turn creates a namespace in the cluster.
+The namespace is intended to be used to run integration tests for components, in
+an ephemeral environment that will be completely clean of previous artifacts.
+
+
+## Params:
+
+| name               | description                                                       |
+|--------------------|-------------------------------------------------------------------|
+| KONFLUXNAMESPACE   | The namespace to create the spaceRequest from                     |
+| SPACEREQUEST_NAME  | The name for the newly created space request                      |
+
+
+## Results:
+
+| name              | description                                                                                      |
+|-------------------|--------------------------------------------------------------------------------------------------|
+| secretRef         | The name of the secret with a SA token that had admin permissions in the newly created namespace |
+
+
+## Source repository for task:
+https://github.com/redhat-appstudio/tekton-tools
+
+
diff --git a/task/provision-env-with-ephemeral-namespace/0.1/kustomization.yaml b/task/provision-env-with-ephemeral-namespace/0.1/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- provision-env-with-ephemeral-namespace.yaml
diff --git a/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: provision-env-with-ephemeral-namespace
+spec:
+  results:
+    - name: secretRef
+      description:
+        SecretRef is the name of the secret with a SA token that has admin-like
+        (or whatever we set in the tier template) permissions in the namespace
+      type: string
+  steps:
+    - name: request-ephemeral-namespace
+      image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c
+      env:
+        - name: KONFLUXNAMESPACE
+          value: "$(context.pipelineRun.namespace)"
+        - name: PIPELINERUN_NAME
+          value: "$(context.pipelineRun.name)"
+        - name: PIPELINERUN_UID
+          value: "$(context.pipelineRun.uid)"
+      script: |
+        #!/bin/bash
+        set -ex
+        set -o pipefail
+
+        cat <<EOF > space_request.yaml
+        apiVersion: toolchain.dev.openshift.com/v1alpha1
+        kind: SpaceRequest
+        metadata:
+          generateName: task-spacerequest-
+          namespace: $KONFLUXNAMESPACE
+          ownerReferences:
+          - apiVersion: tekton.dev/v1
+            kind: PipelineRun
+            name: $PIPELINERUN_NAME
+            uid: $PIPELINERUN_UID
+        spec:
+          tierName: appstudio-env
+        EOF
+
+        SPACEREQUEST_NAME=$(oc create -f space_request.yaml -o=jsonpath='{.metadata.name}')
+
+        if oc wait spacerequests $SPACEREQUEST_NAME --for=condition=Ready --timeout=5m -n $KONFLUXNAMESPACE; then
+          secretRef=$(oc get spacerequests $SPACEREQUEST_NAME -o=jsonpath='{.status.namespaceAccess[0].secretRef}')
+          echo $secretRef > tee "$(results.secretRef.path)"
+        else
+          exit 1
+        fi
diff --git a/task/provision-env-with-ephemeral-namespace/OWNERS b/task/provision-env-with-ephemeral-namespace/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- gbenhaim
+- oamsalem
+- amisstea
+- avi-biton
+- yftacherzog
diff --git a/task/update-deployment/0.1/update-deployment.yaml b/task/update-deployment/0.1/update-deployment.yaml
@@ -22,51 +22,56 @@ spec:
         secretName: $(params.gitops-auth-secret-name)
         optional: true
   steps:
-  - name: patch-gitops
-    image: quay.io/redhat-appstudio/task-toolset@sha256:931a9f7886586391ccb38d33fd15a47eb03568f9b19512b0a57a56384fa52a3c
-    volumeMounts:
-      - name: gitops-auth-secret
-        mountPath: /gitops-auth-secret
-    env:
-      - name: PARAM_GITOPS_REPO_URL
-        value: $(params.gitops-repo-url)
-      - name: PARAM_IMAGE
-        value: $(params.image)
-    script: |
-      if test -f /gitops-auth-secret/password ; then
-        gitops_repo_url=${PARAM_GITOPS_REPO_URL}
-        remote_without_protocol=${gitops_repo_url#'https://'}
+    - name: patch-gitops
+      image: quay.io/redhat-appstudio/task-toolset@sha256:931a9f7886586391ccb38d33fd15a47eb03568f9b19512b0a57a56384fa52a3c
+      volumeMounts:
+        - name: gitops-auth-secret
+          mountPath: /gitops-auth-secret
+      env:
+        - name: PARAM_GITOPS_REPO_URL
+          value: $(params.gitops-repo-url)
+        - name: PARAM_IMAGE
+          value: $(params.image)
+      script: |
+        if test -f /gitops-auth-secret/password ; then
+          gitops_repo_url=${PARAM_GITOPS_REPO_URL}
+          remote_without_protocol=${gitops_repo_url#'https://'}
 
-        password=$(cat /gitops-auth-secret/password)
-        if test -f /gitops-auth-secret/username ; then
-          username=$(cat /gitops-auth-secret/username)
-          echo "https://${username}:${password})@${hostname}" > "${HOME}/.git-credentials"
-          origin_with_auth=https://${username}:${password}@${remote_without_protocol}.git
+          password=$(cat /gitops-auth-secret/password)
+          if test -f /gitops-auth-secret/username ; then
+            username=$(cat /gitops-auth-secret/username)
+            echo "https://${username}:${password})@${hostname}" > "${HOME}/.git-credentials"
+            origin_with_auth=https://${username}:${password}@${remote_without_protocol}.git
+          else
+            origin_with_auth=https://${password}@${remote_without_protocol}.git
+          fi
         else
-          origin_with_auth=https://${password}@${remote_without_protocol}.git
+          echo "git credentials to push into gitops repository ${PARAM_GITOPS_REPO_URL} is not configured."
+          echo "gitops repository is not updated automatically."
+          echo "You can update gitops repository with the new image: ${PARAM_IMAGE} manually"
+          echo "TODO: configure git credentials to update gitops repository."
+          exit 0
         fi
-      else
-        echo "git credentials to push into gitops repository ${PARAM_GITOPS_REPO_URL} is not configured."
-        echo "gitops repository is not updated automatically."
-        echo "You can update gitops repository with the new image: ${PARAM_IMAGE} manually"
-        echo "TODO: configure git credentials to update gitops repository."
-        exit 0
-      fi
 
-      # https://github.com/user-org/test-component-gitops => test-component
-      gitops_repo_name=$(basename ${PARAM_GITOPS_REPO_URL})
-      component_id=${gitops_repo_name%'-gitops'}
-      deployment_patch_filepath="components/${component_id}/overlays/development/deployment-patch.yaml"
+        # https://github.com/user-org/test-component-gitops => test-component
+        gitops_repo_name=$(basename ${PARAM_GITOPS_REPO_URL})
+        component_id=${gitops_repo_name%'-gitops'}
+        deployment_patch_filepath="components/${component_id}/overlays/development/deployment-patch.yaml"
 
-      git config --global user.email "[email protected]"
-      git config --global user.name "gitops-update"
+        git config --global user.email "[email protected]"
+        git config --global user.name "gitops-update"
 
-      git clone ${PARAM_GITOPS_REPO_URL}
-      cd ${gitops_repo_name}
+        git clone ${PARAM_GITOPS_REPO_URL}
+        cd ${gitops_repo_name}
 
-      sed -i "s| image: .*| image: ${PARAM_IMAGE}|" $deployment_patch_filepath
+        sed -i "s| image: .*| image: ${PARAM_IMAGE}|" $deployment_patch_filepath
 
-      git add .
-      git commit -m "Update '${component_id}' component image to: ${PARAM_IMAGE}"
-      git remote set-url origin $origin_with_auth
-      git push
+        git add .
+        git commit -m "Update '${component_id}' component image to: ${PARAM_IMAGE}"
+        git remote set-url origin $origin_with_auth
+        git push 2> /dev/null || \
+        {
+          echo "Failed to push update to gitops repository: ${PARAM_GITOPS_REPO_URL}"
+          echo 'Do you have correct git credentials configured?'
+          exit 1
+        }