diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 1a08e730bf..9a8c1433df 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml @@ -14,6 +14,13 @@ name: stackrox-secret type: string default: "rox-api-token" +- op: add + path: /spec/params/- + value: + name: event-type + type: string + default: "push" + description: "Event that triggered the pipeline run, e.g. push, pull_request" - op: add path: /spec/results/- value: @@ -27,16 +34,16 @@ - op: add path: /spec/tasks/3/params value: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: COMMIT_SHA + value: "$(tasks.clone-repository.results.commit)" # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets @@ -75,14 +82,14 @@ value: name: acs-image-check params: - - name: rox-secret-name - value: $(params.stackrox-secret) - - name: image - value: $(params.output-image) - - name: insecure-skip-tls-verify - value: "true" - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: rox-secret-name + value: $(params.stackrox-secret) + - name: image + value: $(params.output-image) + - name: insecure-skip-tls-verify + value: "true" + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) runAfter: - build-container taskRef: 
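Review bot: The new `event-type` parameter defaults to `"push"`, so a PipelineRun that does not pass it (for example a pipeline template not updated alongside this patch) satisfies the `notin ["$(params.event-type)"]` conditions added to acs-deploy-check and update-deployment in the later hunks (`@@ -110,14 +117,18 @@` and `@@ -132,6 +143,10 @@`) and runs the deployment on a pull request, so the gate fails open rather than closed. If the value is meant to be wired from the Pipelines-as-Code event-type variable, consider dropping the default so a missing value is a configuration error, or defaulting to a value that skips the deploy tasks. The description should also state what the value is compared against, e.g. `description: "Event that triggered the pipeline run (push or pull_request); deployment tasks are skipped when it is pull_request"`.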
@@ -92,16 +99,16 @@ value: name: acs-image-scan params: - - name: rox-secret-name - value: $(params.stackrox-secret) - - name: image - value: $(params.output-image) - - name: insecure-skip-tls-verify - value: "true" - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: rox-secret-name + value: $(params.stackrox-secret) + - name: image + value: $(params.output-image) + - name: insecure-skip-tls-verify + value: "true" + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) runAfter: - - build-container + - build-container taskRef: kind: Task name: acs-image-scan @@ -110,14 +117,18 @@ value: name: acs-deploy-check params: - - name: rox-secret-name - value: $(params.stackrox-secret) - - name: gitops-repo-url - value: $(params.git-url)-gitops - - name: insecure-skip-tls-verify - value: "true" + - name: rox-secret-name + value: $(params.stackrox-secret) + - name: gitops-repo-url + value: $(params.git-url)-gitops + - name: insecure-skip-tls-verify + value: "true" runAfter: - - update-deployment + - update-deployment + when: + - input: "pull_request" + operator: notin + values: ["$(params.event-type)"] taskRef: kind: Task name: acs-deploy-check @@ -132,6 +143,10 @@ value: $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) runAfter: - build-container + when: + - input: "pull_request" + operator: notin + values: ["$(params.event-type)"] taskRef: kind: Task name: update-deployment diff --git a/task/generate-odcs-compose/0.1/README.md b/task/generate-odcs-compose/0.1/README.md index 8c06718307..114a434136 100644 --- a/task/generate-odcs-compose/0.1/README.md +++ b/task/generate-odcs-compose/0.1/README.md 
@@ -14,6 +14,11 @@ The input is provided inside a YAML file with its root containing a single eleme named `composes`. This element is a list in which each entry is to be converted into inputs for a single call to ODCS. +The task requires a secret to reside on the namespace where the task is running. +The secret should be named `odcs-service-account` and it should include two fields: +`client-id` - containing an OIDC client ID and `client-secret` containing the client's +secret for generating OIDC token. + Element fields: * kind: Corresponds to sub-types of [`ComposeSourceGeneric`][input structure]. @@ -39,8 +44,6 @@ composes: | IMAGE | Image used for running the tasks's script | | COMPOSE_INPUTS | relative path from workdir workspace to the compose inputs file | | COMPOSE_OUTPUTS | relative path from workdir workspace to store compose output files| -| KT_PATH | Path to mount keytab to be used for authentication with ODCS | -| KRB_CACHE_PATH | Path to store Kerberos cache | ## Results: diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index 10fcb04335..084eb609c7 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml @@ -5,13 +5,6 @@ metadata: name: generate-odcs-compose spec: params: - - name: KT_PATH - type: string - description: path to mount keytab - default: /tmp/kt - - name: KRB_CACHE_PATH - description: path to krb cache - default: /tmp/krb5ccname - name: COMPOSE_INPUTS description: relative path from workdir workspace to the compose inputs file default: compose_inputs.yaml 
@@ -23,23 +16,23 @@ spec: description: | Working directory that will be used for reading configuration files and writing the output - - name: keytab-secret - description: for storing keytab secret - mountPath: "$(params.KT_PATH)" - - name: krb-cache - description: location of krb cache - mountPath: "$(params.KRB_CACHE_PATH)" results: - name: repodir_path description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:b95417fbab81a012881b79fee82f187074248b84 + image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197 env: - - name: KRB5CCNAME - value: "$(params.KRB_CACHE_PATH)/krb5ccname" - - name: KRB5_CLIENT_KTNAME - value: "$(params.KT_PATH)/keytab" + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: odcs-service-account + key: client-id + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: odcs-service-account + key: client-secret - name: COMPOSE_INPUTS value: "$(params.COMPOSE_INPUTS)" - name: COMPOSE_OUTPUTS diff --git a/task/generate-odcs-compose/OWNERS b/task/generate-odcs-compose/OWNERS new file mode 100644 index 0000000000..eb271a7024 --- /dev/null +++ b/task/generate-odcs-compose/OWNERS @@ -0,0 +1,7 @@ +# See the OWNERS docs: https://go.k8s.io/owners + +approvers: +- gbenhaim +- avi-biton +- amisstea +- yftacherzog diff --git a/task/provision-env-with-ephemeral-namespace/0.1/README.md b/task/provision-env-with-ephemeral-namespace/0.1/README.md new file mode 100644 index 0000000000..41610b93e6 --- /dev/null +++ b/task/provision-env-with-ephemeral-namespace/0.1/README.md 
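Review bot: The step image is referenced by a floating tag (`tools:20de0e480e7dd1b734775f33b46170e25ec18197`) rather than a digest; a tag that looks like a commit SHA is still mutable in the registry, so the image that receives `CLIENT_ID`/`CLIENT_SECRET` can change without any change to this file. Pin it as `image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools@sha256:<digest>` (placeholder digest), the way the new provision-env task in this commit pins `ose-cli:4.13@sha256:…`; the same tag is introduced in verify-signed-rpms.yaml. The two `secretKeyRef` entries carry no `optional` field, so a namespace without `odcs-service-account` fails at container creation (CreateContainerConfigError) instead of with a task-level message; that is acceptable given the README now requires the secret, but a comment above the env block would save the next reader a trip: `# requires Secret odcs-service-account (keys client-id, client-secret) in the run namespace`.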
@@ -0,0 +1,27 @@ +# provision-env-with-ephemeral-namespace task + +## Description: +This task generates a spaceRequest which in turn creates a namespace in the cluster. +The namespace is intended to be used to run integration tests for components, in +an ephemeral environment that will be completely clean of previous artifacts. + + +## Params: + +| name | description | +|--------------------|-------------------------------------------------------------------| +| KONFLUXNAMESPACE | The namespace to create the spaceRequest from | +| SPACEREQUEST_NAME | The name for the newly created space request | + + +## Results: + +| name | description | +|-------------------|--------------------------------------------------------------------------------------------------| +| secretRef | The name of the secret with a SA token that had admin permissions in the newly created namespace | + + +## Source repository for task: +https://github.com/redhat-appstudio/tekton-tools + + diff --git a/task/provision-env-with-ephemeral-namespace/0.1/kustomization.yaml b/task/provision-env-with-ephemeral-namespace/0.1/kustomization.yaml new file mode 100644 index 0000000000..40e7f0e4c6 --- /dev/null +++ b/task/provision-env-with-ephemeral-namespace/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- provision-env-with-ephemeral-namespace.yaml diff --git a/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml new file mode 100644 index 0000000000..ef2d96740b --- /dev/null +++ b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: provision-env-with-ephemeral-namespace +spec: + results: + - name: secretRef + description: + SecretRef is the name of the secret with a SA token that has admin-like + (or whatever we set in the tier template) permissions in the namespace + type: string + steps: + - name: request-ephemeral-namespace + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c + env: + - name: KONFLUXNAMESPACE + value: "$(context.pipelineRun.namespace)" + - name: PIPELINERUN_NAME + value: "$(context.pipelineRun.name)" + - name: PIPELINERUN_UID + value: "$(context.pipelineRun.uid)" + script: | + #!/bin/bash + set -ex + set -o pipefail + + cat < space_request.yaml + apiVersion: toolchain.dev.openshift.com/v1alpha1 + kind: SpaceRequest + metadata: + generateName: task-spacerequest- + namespace: $KONFLUXNAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: PipelineRun + name: $PIPELINERUN_NAME + uid: $PIPELINERUN_UID + spec: + tierName: appstudio-env + EOF + + SPACEREQUEST_NAME=$(oc create -f space_request.yaml -o=jsonpath='{.metadata.name}') + + if oc wait spacerequests $SPACEREQUEST_NAME --for=condition=Ready --timeout=5m -n $KONFLUXNAMESPACE; then + secretRef=$(oc get spacerequests $SPACEREQUEST_NAME -o=jsonpath='{.status.namespaceAccess[0].secretRef}') + echo $secretRef > tee "$(results.secretRef.path)" + else + exit 1 + fi diff --git a/task/provision-env-with-ephemeral-namespace/OWNERS b/task/provision-env-with-ephemeral-namespace/OWNERS new file mode 100644 index 0000000000..d90b38493a --- /dev/null +++ b/task/provision-env-with-ephemeral-namespace/OWNERS @@ -0,0 +1,8 @@ +# See the OWNERS docs: https://go.k8s.io/owners + +approvers: +- gbenhaim +- oamsalem +- amisstea +- avi-biton +- yftacherzog 
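Review bot: The task result is never written: in `echo $secretRef > tee "$(results.secretRef.path)"` the shell treats `> tee` as the redirection, so the secret name lands in a file literally named `tee` in the working directory, the result path is passed to `echo` as a second argument, and downstream tasks read an empty `secretRef`; the line should be `echo -n "$secretRef" > "$(results.secretRef.path)"`. The `oc get spacerequests $SPACEREQUEST_NAME` call has no `-n`, unlike the `oc wait` just before it, so it depends on the pod's default namespace matching `$KONFLUXNAMESPACE`; pass `-n "$KONFLUXNAMESPACE"` there too and quote the expansions since `set -e` does not protect against word splitting. As rendered here, `cat < space_request.yaml … EOF` reads from a file instead of writing the heredoc; if the source actually has `cat <<EOF > space_request.yaml` and this is a rendering artifact, ignore that part.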
diff --git a/task/update-deployment/0.1/update-deployment.yaml b/task/update-deployment/0.1/update-deployment.yaml index 477f17aa1e..87db461747 100644 --- a/task/update-deployment/0.1/update-deployment.yaml +++ b/task/update-deployment/0.1/update-deployment.yaml 
@@ -22,51 +22,56 @@ spec: secretName: $(params.gitops-auth-secret-name) optional: true steps: - - name: patch-gitops - image: quay.io/redhat-appstudio/task-toolset@sha256:931a9f7886586391ccb38d33fd15a47eb03568f9b19512b0a57a56384fa52a3c - volumeMounts: - - name: gitops-auth-secret - mountPath: /gitops-auth-secret - env: - - name: PARAM_GITOPS_REPO_URL - value: $(params.gitops-repo-url) - - name: PARAM_IMAGE - value: $(params.image) - script: | - if test -f /gitops-auth-secret/password ; then - gitops_repo_url=${PARAM_GITOPS_REPO_URL} - remote_without_protocol=${gitops_repo_url#'https://'} + - name: patch-gitops + image: quay.io/redhat-appstudio/task-toolset@sha256:931a9f7886586391ccb38d33fd15a47eb03568f9b19512b0a57a56384fa52a3c + volumeMounts: + - name: gitops-auth-secret + mountPath: /gitops-auth-secret + env: + - name: PARAM_GITOPS_REPO_URL + value: $(params.gitops-repo-url) + - name: PARAM_IMAGE + value: $(params.image) + script: | + if test -f /gitops-auth-secret/password ; then + gitops_repo_url=${PARAM_GITOPS_REPO_URL} + remote_without_protocol=${gitops_repo_url#'https://'} - password=$(cat /gitops-auth-secret/password) - if test -f /gitops-auth-secret/username ; then - username=$(cat /gitops-auth-secret/username) - echo "https://${username}:${password})@${hostname}" > "${HOME}/.git-credentials" - origin_with_auth=https://${username}:${password}@${remote_without_protocol}.git + password=$(cat /gitops-auth-secret/password) + if test -f /gitops-auth-secret/username ; then + username=$(cat /gitops-auth-secret/username) + echo "https://${username}:${password})@${hostname}" > "${HOME}/.git-credentials" + origin_with_auth=https://${username}:${password}@${remote_without_protocol}.git + else + origin_with_auth=https://${password}@${remote_without_protocol}.git + fi else - origin_with_auth=https://${password}@${remote_without_protocol}.git + echo "git credentials to push into gitops repository ${PARAM_GITOPS_REPO_URL} is not configured." 
+ echo "gitops repository is not updated automatically." + echo "You can update gitops repository with the new image: ${PARAM_IMAGE} manually" + echo "TODO: configure git credentials to update gitops repository." + exit 0 fi - else - echo "git credentials to push into gitops repository ${PARAM_GITOPS_REPO_URL} is not configured." - echo "gitops repository is not updated automatically." - echo "You can update gitops repository with the new image: ${PARAM_IMAGE} manually" - echo "TODO: configure git credentials to update gitops repository." - exit 0 - fi - # https://github.com/user-org/test-component-gitops => test-component - gitops_repo_name=$(basename ${PARAM_GITOPS_REPO_URL}) - component_id=${gitops_repo_name%'-gitops'} - deployment_patch_filepath="components/${component_id}/overlays/development/deployment-patch.yaml" + # https://github.com/user-org/test-component-gitops => test-component + gitops_repo_name=$(basename ${PARAM_GITOPS_REPO_URL}) + component_id=${gitops_repo_name%'-gitops'} + deployment_patch_filepath="components/${component_id}/overlays/development/deployment-patch.yaml" - git config --global user.email "rhtap@noreplay.com" - git config --global user.name "gitops-update" + git config --global user.email "rhtap@noreplay.com" + git config --global user.name "gitops-update" - git clone ${PARAM_GITOPS_REPO_URL} - cd ${gitops_repo_name} + git clone ${PARAM_GITOPS_REPO_URL} + cd ${gitops_repo_name} - sed -i "s| image: .*| image: ${PARAM_IMAGE}|" $deployment_patch_filepath + sed -i "s| image: .*| image: ${PARAM_IMAGE}|" $deployment_patch_filepath - git add . - git commit -m "Update '${component_id}' component image to: ${PARAM_IMAGE}" - git remote set-url origin $origin_with_auth - git push + git add . 
+ git commit -m "Update '${component_id}' component image to: ${PARAM_IMAGE}" + git remote set-url origin $origin_with_auth + git push 2> /dev/null || \ + { + echo "Failed to push update to gitops repository: ${PARAM_GITOPS_REPO_URL}" + echo 'Do you have correct git credentials configured?' + exit 1 + } diff --git a/task/verify-enterprise-contract/0.1/README.md b/task/verify-enterprise-contract/0.1/README.md new file mode 100644 index 0000000000..478fa40cce --- /dev/null +++ b/task/verify-enterprise-contract/0.1/README.md 
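Review bot: The new push handler `git push 2> /dev/null || { … exit 1 }` discards git's stderr, so an authentication failure, a rejected non-fast-forward push and a network error all surface as the same "Do you have correct git credentials configured?" message and cannot be told apart from the log. If the redirect is there to keep the credential-bearing `origin_with_auth` URL out of the log, a narrower fix is to stop embedding the password in the remote URL and let git read the `.git-credentials` file the script already writes, via `git config --global credential.helper store`, leaving stderr intact. That `.git-credentials` line, carried over unchanged in the re-indent, has a stray `)` after `${password}` and interpolates `${hostname}`, which is never assigned, so the file it writes is not usable as-is. The `spec` this step belongs to begins above the hunk.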
@@ -0,0 +1,40 @@ +# Verify Enterprise Contract Task + +This task verifies a signature and attestation for an image and then runs a policy against the image's attestation using the ```ec validate image``` command. + +## Install the task +kubectl apply -f https://raw.githubusercontent.com/enterprise-contract/ec-cli/main/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml + +## Parameters +### Required +* **IMAGES**: A JSON formatted list of images. +### Optional +* **POLICY_CONFIGURATION**: Name or inline policy in JSON configuration to use. For name `namespace/name` or `name` syntax supported. If + namespace is omitted the namespace where the task runs is used. For inline policy provide the [specification](https://enterprise-contract.github.io/ecc/main/reference.html#k8s-api-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyspec) as JSON. +* **PUBLIC_KEY**: Public key used to verify signatures. Must be a valid k8s cosign + reference, e.g. k8s://my-space/my-secret where my-secret contains + the expected cosign.pub attribute. +* **REKOR_HOST**: Rekor host for transparency log lookups +* **SSL_CERT_DIR**: Path to a directory containing SSL certs to be used when communicating + with external services. +* **STRICT**: Fail the task if policy fails. Set to "false" to disable it. +* **HOMEDIR**: Value for the HOME environment variable. +* **EFFECTIVE_TIME**: Run policy checks with the provided time. + + +## Usage + +This TaskRun runs the Task to verify an image. This assumes a policy is created and stored on the cluster with the namespaced name of `enterprise-contract-service/default`. For more information on creating a policy, refer to the Enterprise Contract [documentation](https://enterprise-contract.github.io/ecc/main/index.html). 
+ +```yaml +apiVersion: tekton.dev/v1 +kind: TaskRun +metadata: + name: verify-enterprise-contract +spec: + taskRef: + name: verify-enterprise-contract + params: + - name: IMAGES + value: '{"components": ["containerImage": "quay.io/example/repo:latest"]}' +``` diff --git a/task/verify-enterprise-contract/0.1/kustomization.yaml b/task/verify-enterprise-contract/0.1/kustomization.yaml new file mode 100644 index 0000000000..5c4256628a --- /dev/null +++ b/task/verify-enterprise-contract/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- verify-enterprise-contract.yaml diff --git a/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml new file mode 100644 index 0000000000..05c34d948f --- /dev/null +++ b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml 
@@ -0,0 +1,201 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: verify-enterprise-contract + annotations: + tekton.dev/displayName: Verify Enterprise Contract + tekton.dev/pipelines.minVersion: "0.19" + tekton.dev/tags: ec, chains, signature, conftest + labels: + app.kubernetes.io/version: "0.1" +spec: + description: Verify the enterprise contract is met + params: + - name: IMAGES + type: string + description: | + Spec section of an ApplicationSnapshot resource. Not all fields of the + resource are required. A minimal example: + { + "components": [ + { + "containerImage": "quay.io/example/repo:latest" + } + ] + } + Each "containerImage" in the "components" array is validated. + - name: POLICY_CONFIGURATION + type: string + description: | + Name of the policy configuration (EnterpriseContractPolicy + resource) to use. `namespace/name` or `name` syntax supported. If + namespace is omitted the namespace where the task runs is used. + default: "enterprise-contract-service/default" + + - name: PUBLIC_KEY + type: string + description: >- + Public key used to verify signatures. Must be a valid k8s cosign + reference, e.g. k8s://my-space/my-secret where my-secret contains + the expected cosign.pub attribute. + default: "" + + - name: REKOR_HOST + type: string + description: Rekor host for transparency log lookups + default: "" + + - name: IGNORE_REKOR + type: string + description: >- + Skip Rekor transparency log checks during validation. + default: "false" + + - name: TUF_MIRROR + type: string + description: TUF mirror URL. Provide a value when NOT using public sigstore deployment. + default: "" + + - name: SSL_CERT_DIR + type: string + description: | + Path to a directory containing SSL certs to be used when communicating + with external services. This is useful when using the integrated registry + and a local instance of Rekor on a development cluster which may use + certificates issued by a not-commonly trusted root CA. 
In such cases, + "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple + paths can be provided by using the ":" separator. + default: "" + + - name: INFO + type: string + description: Include rule titles and descriptions in the output. Set to "false" to disable it. + default: "true" + + - name: STRICT + type: string + description: Fail the task if policy fails. Set to "false" to disable it. + default: "true" + + - name: HOMEDIR + type: string + description: Value for the HOME environment variable. + default: /tekton/home + + - name: EFFECTIVE_TIME + type: string + description: Run policy checks with the provided time. + default: "now" + + workspaces: + - name: data + description: The workspace where the snapshot spec json file resides + optional: true + + results: + - name: TEST_OUTPUT + description: Short summary of the policy evaluation for each image + + stepTemplate: + env: + - name: HOME + value: "$(params.HOMEDIR)" + + steps: + - name: version + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + command: [ec] + args: + - version + - name: initialize-tuf + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + script: |- + set -euo pipefail + + if [[ -z "${TUF_MIRROR:-}" ]]; then + echo 'TUF_MIRROR not set. Skipping TUF root initialization.' + exit + fi + + echo 'Initializing TUF root...' + cosign initialize --mirror "${TUF_MIRROR}" --root "${TUF_MIRROR}/root.json" + echo 'Done!' 
+ env: + - name: TUF_MIRROR + value: "$(params.TUF_MIRROR)" + - name: validate + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + command: [ec] + args: + - validate + - image + - "--verbose" + - "--images" + - "$(params.IMAGES)" + - "--policy" + - "$(params.POLICY_CONFIGURATION)" + - "--public-key" + - "$(params.PUBLIC_KEY)" + - "--rekor-url" + - "$(params.REKOR_HOST)" + - "--ignore-rekor=$(params.IGNORE_REKOR)" + # NOTE: The syntax below is required to negate boolean parameters + - "--info=$(params.INFO)" + - "--strict=false" + - "--show-successes" + - "--effective-time=$(params.EFFECTIVE_TIME)" + - "--output" + - "yaml=$(params.HOMEDIR)/report.yaml" + - "--output" + - "appstudio=$(results.TEST_OUTPUT.path)" + - "--output" + - "json=$(params.HOMEDIR)/report-json.json" + env: + - name: SSL_CERT_DIR + # The Tekton Operator automatically sets the SSL_CERT_DIR env to the value below but, + # of course, without the $(param.SSL_CERT_DIR) bit. When a Task Step sets it to a + # value, the Tekton Operator does not do any processing of the value. However, Tekton + # Pipelines will fail to execute because some of these values are required for its + # execution. As a workaround, append the SSL_CERT_DIR value from params to the default + # value expected by Tekton Pipelines. NOTE: If params.SSL_CERT_DIR is empty, the value + # will contain a trailing ":" - this is ok. + value: "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:$(params.SSL_CERT_DIR)" + # The EC cache is used to avoid fetching the same image layers from the registry more than + # once. However, this is not thread safe. 
This results in inconsistencies when extracting + # files from an image, see https://github.com/enterprise-contract/ec-cli/issues/1109 + - name: EC_CACHE + value: "false" + computeResources: + requests: + cpu: 250m + memory: 2Gi + limits: + memory: 2Gi + - name: report + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + command: [cat] + args: + - "$(params.HOMEDIR)/report.yaml" + - name: report-json + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + command: [cat] + args: + - "$(params.HOMEDIR)/report-json.json" + - name: summary + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + command: [jq] + args: + - "." + - "$(results.TEST_OUTPUT.path)" + - name: assert + image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:1.0.alpha + command: [jq] + args: + - "--argjson" + - "strict" + - "$(params.STRICT)" + - "-e" + - > + .result == "SUCCESS" or .result == "WARNING" or ($strict | not) + - "$(results.TEST_OUTPUT.path)" diff --git a/task/verify-enterprise-contract/OWNERS b/task/verify-enterprise-contract/OWNERS new file mode 100644 index 0000000000..2ba6bdf427 --- /dev/null +++ b/task/verify-enterprise-contract/OWNERS @@ -0,0 +1 @@ +Enterprise Contract Team diff --git a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml index 389186d7b4..1f653c7c31 100644 --- a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml +++ b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml @@ -26,7 +26,7 @@ spec: emptyDir: {} steps: - name: verify-signed-rpms - image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:b95417fbab81a012881b79fee82f187074248b84 + image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197 volumeMounts: - name: workdir mountPath: "$(params.WORKDIR)" 
@@ -48,7 +48,7 @@ spec: --workdir "${WORKDIR}" \ --status-path "${WORKDIR}"/status - name: output-results - image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc + image: quay.io/redhat-appstudio/hacbs-test:v1.1.8@sha256:8de0ec0875c7c6a41e0208b0030090992169f501166154edaded8a4f6121b164 volumeMounts: - name: workdir mountPath: "$(params.WORKDIR)" diff --git a/task/verify-signed-rpms/OWNERS b/task/verify-signed-rpms/OWNERS new file mode 100644 index 0000000000..eb271a7024 --- /dev/null +++ b/task/verify-signed-rpms/OWNERS @@ -0,0 +1,7 @@ +# See the OWNERS docs: https://go.k8s.io/owners + +approvers: +- gbenhaim +- avi-biton +- amisstea +- yftacherzog