-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(RELEASE-1342): support internal-pipelinerun (#735)
- Updated the sign-index-image task to support the `internal-pipelinerun` requestType - New mandatory parameter `releasePlanAdmissionPath` - It is needed in order to obtain the serviceAccount so it can be used in the PipelineRun definition for the internal-pipelinerun Signed-off-by: Scott Hebert <[email protected]>
- Loading branch information
Showing
8 changed files
with
301 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
163 changes: 163 additions & 0 deletions
163
tasks/sign-index-image/tests/test-sign-index-image-plr.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,163 @@ | ||
--- | ||
apiVersion: tekton.dev/v1 | ||
kind: Pipeline | ||
metadata: | ||
name: test-sign-index-image-plr | ||
spec: | ||
description: Test creating a internal pipelinerun to sign an image using the simple-signing-pipeline request | ||
workspaces: | ||
- name: tests-workspace | ||
tasks: | ||
- name: setup | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
taskSpec: | ||
workspaces: | ||
- name: data | ||
steps: | ||
- name: setup-values | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
cat > "$(workspaces.data.path)/data.json" << EOF | ||
{ | ||
"sign": { | ||
"configMapName": "signing-config-map", | ||
"request": "simple-signing-pipeline", | ||
"requestType": "internal-pipelinerun" | ||
} | ||
} | ||
EOF | ||
cat > "$(workspaces.data.path)/release_plan_admission.json" << EOF | ||
{ | ||
"spec": { | ||
"pipeline": { | ||
"pipelineRef": { | ||
"resolver": "git", | ||
"params": [ | ||
{ | ||
"name": "url", | ||
"value": "https://localhost.git" | ||
}, | ||
{ | ||
"name": "revision", | ||
"value": "main" | ||
}, | ||
{ | ||
"name": "pathInRepo", | ||
"value": "pipelines/abc/abc.yaml" | ||
} | ||
] | ||
}, | ||
"serviceAccountName": "release-service-account" | ||
} | ||
} | ||
} | ||
EOF | ||
- name: run-task | ||
taskRef: | ||
name: sign-index-image | ||
params: | ||
- name: requester | ||
value: testuser | ||
- name: referenceImage | ||
value: quay.io/testrepo/testimage:tag | ||
- name: manifestListDigests | ||
value: "sha256:6f9a420f660e73a sha256:6f9a420f660e73b" | ||
- name: pipelineRunUid | ||
value: $(context.pipelineRun.uid) | ||
- name: taskGitUrl | ||
value: "http://localhost" | ||
- name: taskGitRevision | ||
value: "main" | ||
- name: dataPath | ||
value: data.json | ||
- name: releasePlanAdmissionPath | ||
value: release_plan_admission.json | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
runAfter: | ||
- setup | ||
- name: check-result | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
taskSpec: | ||
steps: | ||
- name: check-result | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
internalPipelineruns="$(kubectl get pr \ | ||
-l "internal-services.appstudio.openshift.io/pipelinerun-uid=$(context.pipelineRun.uid)" \ | ||
-o json --sort-by=.metadata.creationTimestamp | jq -c)" | ||
plrsLength=$(jq ".items | length" <<< "${internalPipelineruns}" ) | ||
expectedReferences=() | ||
expectedReferences+=("quay.io/testrepo/testimage:tag") | ||
expectedReferences+=("quay.io/testrepo/testimage:tag") | ||
expectedDigests=() | ||
expectedDigests+=("sha256:6f9a420f660e73a") | ||
expectedDigests+=("sha256:6f9a420f660e73b") | ||
foundReferences=() | ||
foundDigests=() | ||
for((iplr=0; iplr<plrsLength; iplr++)); do | ||
params=$(jq -r ".items[$iplr].spec.params" <<< "${internalPipelineruns}") | ||
refValue=$(jq -r '.[1].value' <<< "${params}") | ||
manifestDigest=$(jq -r '.[2].value' <<< "${params}") | ||
foundReferences+=("${refValue}") | ||
foundDigests+=("${manifestDigest}") | ||
if [ "$(jq -r '.[4].value' <<< "${params}")" != "signing-config-map" ]; then | ||
echo "config_map_name does not match" | ||
exit 1 | ||
fi | ||
if [ "$(jq -r '.[3].value' <<< "${params}")" != "testuser" ]; then | ||
echo "requester does not match" | ||
exit 1 | ||
fi | ||
if [ "$(jq -r '.[0].value' <<< "${params}")" != \ | ||
"quay.io/redhat-isv/operator-pipelines-images:released" ]; then | ||
echo "pipeline_image does not match" | ||
exit 1 | ||
fi | ||
done | ||
differenceReferences=$(echo "${expectedReferences[@]}" "${foundReferences[@]}" | tr ' ' '\n' \ | ||
| sort | uniq -u) | ||
differenceDigests=$(echo "${expectedDigests[@]}" "${foundDigests[@]}" | tr ' ' '\n' | sort | uniq -u) | ||
if [ -n "${differenceReferences}" ] ; then | ||
echo "error: references expected compared to found do not match" | ||
echo "" | ||
echo "${differenceReferences}" | ||
exit 1 | ||
fi | ||
if [ -n "${differenceDigests}" ] ; then | ||
echo "error: digests expected compared to found do not match" | ||
echo "" | ||
echo "${differenceDigests}" | ||
exit 1 | ||
fi | ||
runAfter: | ||
- run-task | ||
finally: | ||
- name: cleanup | ||
taskSpec: | ||
steps: | ||
- name: delete-plrs | ||
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
kubectl delete pr -l "internal-services.appstudio.openshift.io/pipelinerun-uid=$(context.pipelineRun.uid)" |
Oops, something went wrong.