konflux-ci · gbenhaim · Mar 17, 2024 · Mar 17, 2024 · Mar 17, 2024 · Mar 17, 2024
@@ -14,6 +14,11 @@ The input is provided inside a YAML file with its root containing a single eleme
 named `composes`. This element is a list in which each entry is to be converted
 into inputs for a single call to ODCS.
 
+The task requires a secret to reside on the namespace where the task is running.
+The secret should be named `odcs-service-account` and it should include two fields:
+`client-id` - containing an OIDC client ID and `client-secret` containing the client's
+secret for generating OIDC token.
+
 Element fields:
 
 * kind: Corresponds to sub-types of [`ComposeSourceGeneric`][input structure].
@@ -39,8 +44,6 @@ composes:
 | IMAGE           | Image used for running the tasks's script                         |
 | COMPOSE_INPUTS  | relative path from workdir workspace to the compose inputs file   |
 | COMPOSE_OUTPUTS | relative path from workdir workspace to store compose output files|
-| KT_PATH         | Path to mount keytab to be used for authentication with ODCS      |
-| KRB_CACHE_PATH  | Path to store Kerberos cache                                      |
 
 
 ## Results:

@@ -5,13 +5,6 @@ metadata:
   name: generate-odcs-compose
 spec:
   params:
-    - name: KT_PATH
-      type: string
-      description: path to mount keytab
-      default: /tmp/kt
-    - name: KRB_CACHE_PATH
-      description: path to krb cache
-      default: /tmp/krb5ccname
     - name: COMPOSE_INPUTS
       description: relative path from workdir workspace to the compose inputs file
       default: compose_inputs.yaml
@@ -23,23 +16,23 @@ spec:
       description: |
         Working directory that will be used for reading configuration files
         and writing the output
-    - name: keytab-secret
-      description: for storing keytab secret
-      mountPath: "$(params.KT_PATH)"
-    - name: krb-cache
-      description: location of krb cache
-      mountPath: "$(params.KRB_CACHE_PATH)"
   results:
     - name: repodir_path
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:b95417fbab81a012881b79fee82f187074248b84
+      image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197
       env:
-        - name: KRB5CCNAME
-          value: "$(params.KRB_CACHE_PATH)/krb5ccname"
-        - name: KRB5_CLIENT_KTNAME
-          value: "$(params.KT_PATH)/keytab"
+        - name: CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: odcs-service-account
+              key: client-id
+        - name: CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: odcs-service-account
+              key: client-secret
         - name: COMPOSE_INPUTS
           value: "$(params.COMPOSE_INPUTS)"
         - name: COMPOSE_OUTPUTS

@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- gbenhaim
+- avi-biton
+- amisstea
+- yftacherzog
@@ -0,0 +1,27 @@
+# provision-env-with-ephemeral-namespace task
+
+## Description:
+This task generates a spaceRequest which in turn creates a namespace in the cluster.
+The namespace is intended to be used to run integration tests for components, in
+an ephemeral environment that will be completely clean of previous artifacts.
+
+
+## Params:
+
+| name               | description                                                       |
+|--------------------|-------------------------------------------------------------------|
+| KONFLUXNAMESPACE   | The namespace to create the spaceRequest from                     |
+| SPACEREQUEST_NAME  | The name for the newly created space request                      |
+
+
+## Results:
+
+| name              | description                                                                                      |
+|-------------------|--------------------------------------------------------------------------------------------------|
+| secretRef         | The name of the secret with a SA token that had admin permissions in the newly created namespace |
+
+
+## Source repository for task:
+https://github.com/redhat-appstudio/tekton-tools
+
+
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- provision-env-with-ephemeral-namespace.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: provision-env-with-ephemeral-namespace
+spec:
+  results:
+    - name: secretRef
+      description:
+        SecretRef is the name of the secret with a SA token that has admin-like
+        (or whatever we set in the tier template) permissions in the namespace
+      type: string
+  steps:
+    - name: request-ephemeral-namespace
+      image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c
+      env:
+        - name: KONFLUXNAMESPACE
+          value: "$(context.pipelineRun.namespace)"
+        - name: PIPELINERUN_NAME
+          value: "$(context.pipelineRun.name)"
+        - name: PIPELINERUN_UID
+          value: "$(context.pipelineRun.uid)"
+      script: |
+        #!/bin/bash
+        set -ex
+        set -o pipefail
+
+        cat <<EOF > space_request.yaml
+        apiVersion: toolchain.dev.openshift.com/v1alpha1
+        kind: SpaceRequest
+        metadata:
+          generateName: task-spacerequest-
+          namespace: $KONFLUXNAMESPACE
+          ownerReferences:
+          - apiVersion: tekton.dev/v1
+            kind: PipelineRun
+            name: $PIPELINERUN_NAME
+            uid: $PIPELINERUN_UID
+        spec:
+          tierName: appstudio-env
+        EOF
+
+        SPACEREQUEST_NAME=$(oc create -f space_request.yaml -o=jsonpath='{.metadata.name}')
+
+        if oc wait spacerequests $SPACEREQUEST_NAME --for=condition=Ready --timeout=5m -n $KONFLUXNAMESPACE; then
+          secretRef=$(oc get spacerequests $SPACEREQUEST_NAME -o=jsonpath='{.status.namespaceAccess[0].secretRef}')
+          echo $secretRef > tee "$(results.secretRef.path)"
+        else
+          exit 1
+        fi
@@ -0,0 +1,8 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- gbenhaim
+- oamsalem
+- amisstea
+- avi-biton
+- yftacherzog
@@ -26,7 +26,7 @@ spec:
       emptyDir: {}
   steps:
     - name: verify-signed-rpms
-      image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:b95417fbab81a012881b79fee82f187074248b84
+      image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197
       volumeMounts:
         - name: workdir
           mountPath: "$(params.WORKDIR)"
@@ -48,7 +48,7 @@ spec:
           --workdir "${WORKDIR}" \
           --status-path "${WORKDIR}"/status
     - name: output-results
-      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
+      image: quay.io/redhat-appstudio/hacbs-test:v1.1.8@sha256:8de0ec0875c7c6a41e0208b0030090992169f501166154edaded8a4f6121b164
       volumeMounts:
         - name: workdir
           mountPath: "$(params.WORKDIR)"

@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- gbenhaim
+- avi-biton
+- amisstea
+- yftacherzog