Implement git-clone-oci-ta Task
Ref: EC-550

Signed-off-by: Luiz Carvalho <[email protected]>
lcarva committed May 10, 2024
1 parent d0ef184 commit 66e5245
Showing 2 changed files with 54 additions and 68 deletions.
19 changes: 10 additions & 9 deletions task/git-clone-oci-ta/0.1/README.md
@@ -1,6 +1,6 @@
# git-clone task
# git-clone-oci-ta task

The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.
The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.

## Parameters
|name|description|default value|required|
Expand All @@ -11,27 +11,28 @@ The git-clone Task will clone a repo from the provided url into the output Works
|submodules|Initialize and fetch git submodules.|true|false|
|depth|Perform a shallow clone, fetching only the most recent N commits.|1|false|
|sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false|
|subdirectory|Subdirectory inside the `output` Workspace to clone the repo into.|""|false|
|sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false|
|deleteExisting|Clean out the contents of the destination directory if it already exists before cloning.|true|false|
|httpProxy|HTTP proxy server for non-SSL requests.|""|false|
|httpsProxy|HTTPS proxy server for SSL requests.|""|false|
|noProxy|Opt out of proxying HTTP/HTTPS requests.|""|false|
|verbose|Log the commands that are executed during `git-clone`'s operation.|true|false|
|gitInitImage|Deprecated. Has no effect. Will be removed in the future.|""|false|
|userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden the gitInitImage param with an image containing custom user configuration. |/tekton/home|false|
|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.|true|false|
|verbose|Log the commands that are executed during `git-clone`'s operation.|false|false|
|userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. |/tekton/home|false|
|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. |true|false|
|fetchTags|Fetch all tags for the repo.|false|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|ociStorage|The OCI repository where the clone repository will be stored.||true|
|imageExpiresAfter|Expiration date for the artifacts created in the OCI repository.|""|false|

## Results
|name|description|
|---|---|
|commit|The precise commit SHA that was fetched by this Task.|
|url|The precise URL that was fetched by this Task.|
|sourceArtifact|The OCI reference to the trusted source artifact containing the cloned git repo.|

## Workspaces
|name|description|optional|
|---|---|---|
|output|The git repo will be cloned onto the volume backing this Workspace.|false|
|ssh-directory|A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. |true|
|basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true|
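Review bot: the Parameters table must be kept in step with the YAML in this same commit: the `verbose` row now shows default `false`, but the YAML hunk for `verbose` in this change does not show its `default:` line, so confirm the two agree; likewise the `subdirectory`, `deleteExisting` and `gitInitImage` rows, and the `output` row in the Workspaces table, must not survive since the YAML drops those params and that workspace. The `ociStorage` description has a typo ("clone repository" should read "cloned repository"), and the `imageExpiresAfter` row should say what the empty default means in practice (no expiry label, so source artifacts are retained in the registry indefinitely), because that is the retention decision a pipeline author needs to make consciously.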
103 changes: 44 additions & 59 deletions task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -1,18 +1,20 @@
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/categories: Git
tekton.dev/displayName: git clone
tekton.dev/displayName: git clone oci trusted artifacts
tekton.dev/pipelines.minVersion: 0.21.0
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
tekton.dev/tags: git
name: git-clone
name: git-clone-oci-ta
spec:
description: |-
The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.
description: >-
The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted
artifact in the provided OCI repository.
params:
- description: Repository URL to clone from.
name: url
Expand All @@ -37,18 +39,10 @@ spec:
description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.
name: sslVerify
type: string
- default: "source"
description: Subdirectory inside the `output` Workspace to clone the repo into.
name: subdirectory
type: string
- default: ""
description: Define the directory patterns to match or exclude when performing a sparse checkout.
name: sparseCheckoutDirectories
type: string
- default: "true"
description: Clean out the contents of the destination directory if it already exists before cloning.
name: deleteExisting
type: string
- default: ""
description: HTTP proxy server for non-SSL requests.
name: httpProxy
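Review bot: removing `subdirectory` and `deleteExisting` also removes the only user-controlled component of the checkout path, which is a welcome hardening side effect of cloning into a fixed `/var/source` emptyDir; worth a sentence in the commit message or README. The `sparseCheckoutDirectories` block listed between them is still present in this hunk, so if it is being kept, verify its env wiring further down the file is untouched and still reaches the script.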
Expand All @@ -65,10 +59,6 @@ spec:
description: Log the commands that are executed during `git-clone`'s operation.
name: verbose
type: string
- default: ""
description: Deprecated. Has no effect. Will be removed in the future.
name: gitInitImage
type: string
- default: /tekton/home
description: |
Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.
Expand All @@ -91,11 +81,22 @@ spec:
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: ca-bundle.crt
- name: ociStorage
type: string
description: The OCI repository where the clone repository will be stored.
- name: imageExpiresAfter
type: string
description: Expiration date for the artifacts created in the OCI repository.
default: ""

results:
- description: The precise commit SHA that was fetched by this Task.
name: commit
- description: The precise URL that was fetched by this Task.
name: url
- description: The OCI reference to the trusted source artifact containing the cloned git repo.
name: sourceArtifact
type: string
steps:
- name: clone
env:
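Review bot: `ociStorage` has no `default:`, so Tekton treats it as required, which matches the README; since its value is passed verbatim to `--store` in the create step, the description should state the expected form (an OCI repository reference rather than a full image reference with tag). `imageExpiresAfter` defaults to `""` with no statement of what that means; say explicitly that an empty value means no expiry. Minor: `sourceArtifact` declares `type: string` while `commit` and `url` do not; pick one convention for the `results` block.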
Expand All @@ -113,10 +114,6 @@ spec:
value: $(params.depth)
- name: PARAM_SSL_VERIFY
value: $(params.sslVerify)
- name: PARAM_SUBDIRECTORY
value: $(params.subdirectory)
- name: PARAM_DELETE_EXISTING
value: $(params.deleteExisting)
- name: PARAM_HTTP_PROXY
value: $(params.httpProxy)
- name: PARAM_HTTPS_PROXY
Expand All @@ -131,10 +128,6 @@ spec:
value: $(params.userHome)
- name: PARAM_FETCH_TAGS
value: $(params.fetchTags)
- name: PARAM_GIT_INIT_IMAGE
value: $(params.gitInitImage)
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
Expand All @@ -143,6 +136,8 @@ spec:
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
- name: CHECKOUT_DIR
value: /var/source
image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8
computeResources: {}
securityContext:
Expand All @@ -151,6 +146,8 @@ spec:
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
- name: source
mountPath: /var/source
script: |
#!/usr/bin/env sh
set -eu
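Review bot: `/var/source` now appears twice in this hunk (the `CHECKOUT_DIR` env value and the `source` mountPath) and again in the later steps; if one is edited without the others the clone silently lands outside the shared volume and the artifact step publishes an empty tree. Keep the env entry and the mount adjacent with a comment that they must match, or factor the path into a single documented constant.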
Expand All @@ -159,10 +156,6 @@ spec:
set -x
fi
if [ -n "${PARAM_GIT_INIT_IMAGE}" ]; then
echo "WARNING: provided deprecated gitInitImage parameter has no effect."
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
Expand Down Expand Up @@ -193,27 +186,6 @@ spec:
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
cleandir() {
# Delete any existing contents of the repo directory if it exists.
#
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
# or the root of a mounted volume.
if [ -d "${CHECKOUT_DIR}" ] ; then
# Delete non-hidden files and directories
rm -rf "${CHECKOUT_DIR:?}"/*
# Delete files and directories starting with . but excluding ..
rm -rf "${CHECKOUT_DIR}"/.[!.]*
# Delete files and directories starting with .. plus any other character
rm -rf "${CHECKOUT_DIR}"/..?*
fi
}
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
cleandir
fi
test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
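Review bot: dropping the `CHECKOUT_DIR` assignment and `cleandir` is only safe because `CHECKOUT_DIR` is now a fresh emptyDir that starts empty on every TaskRun; the old comment explaining why `rm -rf` on a workspace root was guarded is gone with it, so add a one-line comment near the env entry recording that assumption. Also confirm no reference to `PARAM_SUBDIRECTORY` or `PARAM_DELETE_EXISTING` survives below this hunk, since `set -eu` will abort the step on the first unset variable.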
Expand Down Expand Up @@ -243,22 +215,19 @@ spec:
- name: symlink-check
image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
# the cluster will set imagePullPolicy to IfNotPresent
# also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
env:
- name: PARAM_ENABLE_SYMLINK_CHECK
value: $(params.enableSymlinkCheck)
- name: PARAM_SUBDIRECTORY
value: $(params.subdirectory)
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: CHECKOUT_DIR
value: /var/source
volumeMounts:
- name: source
mountPath: /var/source
computeResources: {}
script: |
#!/usr/bin/env bash
set -euo pipefail
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
check_symlinks() {
FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false
while read symlink
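Review bot: the `symlink-check` step mounts the shared `source` volume read-write but only reads it; add `readOnly: true` to that `volumeMounts` entry, as the `trusted-ca` mount already does, so a bug in the check cannot alter the tree that is about to be published. The step ordering (clone, then symlink-check, then create-trusted-artifact) is what guarantees an out-of-repo symlink fails the TaskRun before anything is pushed to the registry; a short comment stating that dependency will keep a future reorder from quietly removing the gate.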
Expand All @@ -278,9 +247,23 @@ spec:
echo "Running symlink check"
check_symlinks
fi
- name: create-trusted-artifact
# TODO: Is there a released version of this?
image: quay.io/redhat-user-workloads/rhtap-build-tenant/trusted-artifacts/trusted-artifacts:e8d9e76c49161d70386276b1592061907097e63b@sha256:721ec9440781e719064037b07f89495d11fda57bdf4a0419bba30dcf8b435827
env:
- name: IMAGE_EXPIRES_AFTER
value: $(params.imageExpiresAfter)
volumeMounts:
- name: source
mountPath: /var/source
args:
- create
- --store
- $(params.ociStorage)
- $(results.sourceArtifact.path)=/var/source

workspaces:
- description: The git repo will be cloned onto the volume backing this Workspace.
name: output
- description: |
A .ssh directory with private key, known_hosts, config, etc. Copied to
the user's home before git commands are executed. Used to authenticate
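Review bot: the `create-trusted-artifact` image is pinned by digest, which is good, but it is pulled from a tenant workload repository with an open `TODO` about a released version; that needs resolving before this task ships, and the step sets neither `securityContext` nor `computeResources` while the `clone` step sets both. The `/var/source` mount here can also be `readOnly: true`, since `create` only reads the tree. Removing the `output` workspace is fine for a newly named task, but callers migrating from `git-clone` lose that binding and now consume the `sourceArtifact` result instead, which the README should spell out.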
Expand All @@ -297,6 +280,8 @@ spec:
name: basic-auth
optional: true
volumes:
- name: source
emptyDir: {}
- name: trusted-ca
configMap:
name: $(params.caTrustConfigMapName)
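Review bot: `source` is declared as `emptyDir: {}` with no `sizeLimit`, so a large clone (note `fetchTags` and `depth` are caller-controlled) can consume node ephemeral storage until the pod is evicted; consider a `sizeLimit` appropriate for the repositories this task is expected to handle.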