From 377b430669601ef1f29210757e9d0add31ef7e04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Huss?= Date: Thu, 16 May 2024 13:13:51 +0200 Subject: [PATCH] fix --- meta/domain-devspaces/index.yaml | 6 +- share/gitea-tekton-org/index.yaml | 6 +- share/organisation/ci-space.tf | 2 +- share/organisation/gitea-user.tf | 2 +- share/organisation/index.yaml | 6 +- share/tekton-tasks/all_Task.tf | 1510 ----------------------------- share/tekton-tasks/common.tf | 13 - share/tekton-tasks/index.yaml | 27 - 8 files changed, 11 insertions(+), 1561 deletions(-) delete mode 100644 share/tekton-tasks/all_Task.tf delete mode 100644 share/tekton-tasks/common.tf delete mode 100644 share/tekton-tasks/index.yaml diff --git a/meta/domain-devspaces/index.yaml b/meta/domain-devspaces/index.yaml index ca9f4a3..a1c8720 100644 --- a/meta/domain-devspaces/index.yaml +++ b/meta/domain-devspaces/index.yaml @@ -251,10 +251,10 @@ options: type: object type: array gitea_ssh_port: - default: 2222 + default: '2222' examples: - - 2222 - type: integer + - '2222' + type: string gitea_ssh_prefix: default: git examples: diff --git a/share/gitea-tekton-org/index.yaml b/share/gitea-tekton-org/index.yaml index d0d6784..3a7a2bb 100644 --- a/share/gitea-tekton-org/index.yaml +++ b/share/gitea-tekton-org/index.yaml @@ -22,10 +22,10 @@ options: - your_company.com type: string gitea_ssh_port: - default: 2222 + default: '2222' examples: - - 2222 - type: integer + - '2222' + type: string gitea_ssh_prefix: default: git examples: diff --git a/share/organisation/ci-space.tf b/share/organisation/ci-space.tf index 1210e04..2013d9e 100644 --- a/share/organisation/ci-space.tf +++ b/share/organisation/ci-space.tf @@ -64,7 +64,7 @@ resource "kubectl_manifest" "ci-ssh-creds" { namespace: "${var.domain}-ci-${var.instance}" labels: ${jsonencode(local.common_labels)} spec: - length: "2048" + length: "4096" forceRegenerate: false data: known_hosts: "${data.local_file.known_host[0].content}" diff --git a/share/organisation/gitea-user.tf b/share/organisation/gitea-user.tf index 13c6992..c8e0626 100644 --- a/share/organisation/gitea-user.tf +++ b/share/organisation/gitea-user.tf @@ -60,7 +60,7 @@ resource "kubectl_manifest" "ssh-creds" { namespace: "${local.sorted-stages[count.index].namespace}" labels: ${jsonencode(local.common_labels)} spec: - length: "2048" + length: "4096" forceRegenerate: false data: known_hosts: "${data.local_file.known_host[0].content}" diff --git a/share/organisation/index.yaml b/share/organisation/index.yaml index 9c6321c..ab17bbb 100644 --- a/share/organisation/index.yaml +++ b/share/organisation/index.yaml @@ -89,10 +89,10 @@ options: - '' type: string gitea_ssh_port: - default: 2222 + default: '2222' examples: - - 2222 - type: integer + - '2222' + type: string gitea_ssh_prefix: default: git examples: diff --git a/share/tekton-tasks/all_Task.tf b/share/tekton-tasks/all_Task.tf deleted file mode 100644 index 6e3d42a..0000000 --- a/share/tekton-tasks/all_Task.tf +++ /dev/null @@ -1,1510 +0,0 @@ -resource "kubectl_manifest" "Task_python-coverage" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: python-coverage - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Code Quality - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/tags: python, coverage - tekton.dev/displayName: python coverage - tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le - namespace: ${var.namespace} - spec: - description: This task can be used to measure code coverage of Python projects. - workspaces: - - name: source - params: - - name: PYTHON - description: The used Python version, more precisely the tag for the Python image - type: string - default: latest - - name: ARGS - description: The additional arguments to be used with pytest - type: string - default: '' - - name: SOURCE_PATH - description: The path to the source code - default: . - - name: REQUIREMENTS_FILE - description: The name of the requirements file inside the source location - default: requirements.txt - steps: - - name: code-coverage - image: docker.io/python:$(inputs.params.PYTHON) - workingDir: $(workspaces.source.path) - script: |- - export PATH=$PATH:$HOME/.local/bin - if [ -n "$(inputs.params.REQUIREMENTS_FILE)" ] && [ -e "$(inputs.params.REQUIREMENTS_FILE)" ];then - pip install -r $(inputs.params.SOURCE_PATH)/$(inputs.params.REQUIREMENTS_FILE) - pip show pytest || { - echo "###\nWarning: Pytest is missing in your requirements\n###"; - pip install pytest - } - pip show coverage || { - echo "###\nWarning: Coverage is missing in your requirements\n###"; - pip install coverage - } - else - pip install pytest coverage - fi - coverage run -m pytest $(inputs.params.ARGS) $(inputs.params.SOURCE_PATH) - coverage report -m -EOF -} - -resource "kubectl_manifest" "Task_npm" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: npm - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/categories: Build Tools - tekton.dev/tags: build-tool - tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le - namespace: ${var.namespace} - spec: - description: |- - This task can be used to run npm goals on a project. - This task can be used to run npm goals on a project where package.json is present and has some pre-defined npm scripts. - workspaces: - - name: source - params: - - name: PATH_CONTEXT - type: string - default: . - description: The path where package.json of the project is defined. - - name: ARGS - type: array - default: - - version - description: The npm goals you want to run. - - name: IMAGE - type: string - default: docker.io/library/node:12-alpine@sha256:dfbebf17bfb014e1e7068e76325a117bccf8679c68aec6a28514184a209c8bae - description: The node image you want to use. - steps: - - name: npm-run - image: $(params.IMAGE) - command: - - npm - args: - - $(params.ARGS) - workingDir: $(workspaces.source.path)/$(params.PATH_CONTEXT) - env: - - name: CI - value: 'true' -EOF -} - -resource "kubectl_manifest" "Task_pytest" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: pytest - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Testing - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/tags: python, pytest - tekton.dev/displayName: pytest - tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le - namespace: ${var.namespace} - spec: - description: This task will run pytest on the provided input. - workspaces: - - name: source - - description: The workspace consisting of the custom pip settings. - name: pip-conf - optional: true - params: - - name: PYTHON_IMAGE - description: The used Python image - type: string - default: docker.io/python:3.11.1-bullseye - - name: ARGS - description: The additional arguments to be used with pytest - type: string - default: '' - - name: SOURCE_PATH - description: The path to the source code - default: . - - name: REQUIREMENTS_FILE - description: The name of the requirements file inside the source location, with fallback to the requirements file in the root location - default: requirements.txt - - name: PIP_CONF_FILE - description: The name of the custom pip config file. - default: pip.conf - steps: - - name: unit-test - image: $(params.PYTHON_IMAGE) - workingDir: $(workspaces.source.path) - env: - - name: PARAM_PIP_CONF_FILE - value: $(params.PIP_CONF_FILE) - - name: WORKSPACE_PIP_CONF_BOUND - value: $(workspaces.pip-conf.bound) - - name: WORKSPACE_PIP_CONF_PATH - value: $(workspaces.pip-conf.path) - script: |- - export PATH=$PATH:$HOME/.local/bin - - if [ "$${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then - export PIP_CONFIG_FILE="$${WORKSPACE_PIP_CONF_PATH}/$${PARAM_PIP_CONF_FILE}" - fi - - if [ -e "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" ]; - then - pip install -r "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" - pip show pytest || { - printf "###\nWarning: Pytest is missing in your test requirements file\n###"; - pip install pytest - } - else - if [ -e "$(params.REQUIREMENTS_FILE)" ]; - then - pip install -r "$(params.REQUIREMENTS_FILE)" - fi - pip install pytest - fi - if [ -z "$(params.ARGS)" ]; then - pytest "$(params.SOURCE_PATH)" - else - pytest "$(params.ARGS)" "$(params.SOURCE_PATH)" - fi -EOF -} - -resource "kubectl_manifest" "Task_shellcheck" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: shellcheck - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality - tekton.dev/tags: linter - tekton.dev/displayName: Shellcheck - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: This task can be used to perform lint check on Shell Script files - workspaces: - - name: shared-workspace - description: A workspace that contains the fetched git repository. - params: - - name: args - type: array - description: extra args needs to append - default: - - --help - steps: - - name: lint-shell - image: docker.io/koalaman/shellcheck:v0.7.1@sha256:ad95c140f7bf5cc66e50e19da7d72c398583ba24c5866ac32c882eb3ddc153ee - workingDir: $(workspaces.shared-workspace.path) - command: - - /bin/shellcheck - args: - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_markdown-lint" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: markdown-lint - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality - tekton.dev/tags: linter - tekton.dev/displayName: Markdown linter - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: This task can be used to perform lint check on Markdown files - workspaces: - - name: shared-workspace - description: A workspace that contains the fetched git repository. - params: - - name: args - type: array - description: extra args needs to append - default: - - --help - steps: - - name: lint-markdown-files - image: docker.io/markdownlint/markdownlint:0.11.0@sha256:399a199c92f89f42cf3a0a1159bd86ca5cdc293fcfd39f87c0669ddee9767724 - workingDir: $(workspaces.shared-workspace.path) - command: - - mdl - args: - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_black" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: black - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality - tekton.dev/tags: formatter, python, black - tekton.dev/displayName: Python Black - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: This task can be used to format Python code - workspaces: - - name: shared-workspace - description: The workspace containing python source code which we want to format. - params: - - name: image - description: The container image to use black in - default: docker.io/cytopia/black:latest-0.2@sha256:2ec766f1c7e42e6b59c0873ce066fa0a2aa2bf8a80dbc1c40f1566bb539303e0 - - name: requirements_file - description: The name of the requirements file inside the source location - default: requirements.txt - - name: args - type: array - description: extra args that needs to be appended - default: - - --help - steps: - - name: format-python-code - image: $(params.image) - workingDir: $(workspaces.shared-workspace.path) - script: | - export HOME=/tmp/python - export PATH=$PATH:/tmp/python/.local/bin - if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then - python -mpip install --user -r $(params.requirements_file) - fi - black $@ - args: - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_kube-linter" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: kube-linter - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality - tekton.dev/tags: Kubernetes, Misconfiguration - tekton.dev/displayName: Kube-Linter - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: |- - This task makes it possible to use kube-linter within Tekton Pipeline. - The KubeLinter tool by StackRox is an open-source command-line interface to identify misconfigurations in Kubernetes objects. KubeLinter offers the ability to integrate checks on Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. With 31 standard built-in checks and the room to configure your own, you get immediate feedback about misconfigurations and Kubernetes security violations. - workspaces: - - name: source - description: A workspace that contains fetched git repo. - params: - - name: config_file_url - type: string - description: url from where the config file would be fetched. - default: '' - - name: config_file_path - type: string - description: path to config file. - default: '' - - name: manifest - type: string - description: path to manifest files or manifest directory to be checked. - default: . - - name: includelist - type: string - description: A string with comma separated checks to be included - default: '' - - name: excludelist - type: string - description: A string with comma separated checks to be excluded - default: '' - - name: default_option - type: string - description: 'provides two options (adding all built-in checks or disabling all default checks): add-all-built-in and/do-not-auto-add-defaults' - default: '' - - name: output_format - type: string - description: format in which report will be generated. (json|sarif|plain) (default:"json") - default: json - - name: args - type: array - description: args - default: [] - steps: - - name: fetch-config-file - image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 - workingDir: $(workspaces.source.path) - script: | - #!/usr/bin/env bash - set -e - - if [ -n "$(params.config_file_url)" ] - then - curl "$(params.config_file_url)" --output "$(params.config_file_path)" - echo "Fetched the config file from given ($(params.config_file_url)) URL and successfully saved at $(workspaces.source.path)/$(params.config_file_path)" - else - echo "No config file url was set" - fi - - name: lint-yaml - image: docker.io/stackrox/kube-linter:0.2.2-2-g7d10a69154-alpine@sha256:e520e9d8d3a2dfa611914836536545b135845e7bda9f1df34b060e116232dbf0 - workingDir: $(workspaces.source.path) - script: | - mv ../../kube-linter ../../bin; - - if [ -n "$(params.config_file_path)" ] - then - kube-linter lint "$(params.manifest)" --config "$(params.config_file_path)" --format "$(params.output_format)" "$@" - else - if [ -n "$(params.default_option)" ] - then - kube-linter lint "$(params.manifest)" --"$(params.default_option)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@" - else - kube-linter lint "$(params.manifest)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@" - fi - fi - args: - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_yaml-lint" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: yaml-lint - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality - tekton.dev/tags: linter - tekton.dev/displayName: YAML linter - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: This task can be used to perform lint check on YAML files - workspaces: - - name: shared-workspace - description: A workspace that contains the fetched git repository. - params: - - name: args - type: array - description: extra args needs to append - default: - - --help - steps: - - name: lint-yaml-files - image: docker.io/cytopia/yamllint:1.23@sha256:e9deea51bbdc35950cacf6594dab94100d9bbf5c987540b8874167d58e6bdce2 - workingDir: $(workspaces.shared-workspace.path) - command: - - yamllint - args: - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_buildpacks-phases" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: buildpacks-phases - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Image Build, Security - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/tags: image-build - tekton.dev/displayName: Buildpacks (phases) - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: The Buildpacks-Phases task builds source into a container image and pushes it to a registry, using Cloud Native Buildpacks. This task separately calls the aspects of the Cloud Native Buildpacks lifecycle, to provide increased security via container isolation. - workspaces: - - name: source - description: Directory where application source is located. - - name: cache - description: Directory where cache is stored (when no cache image is provided). - optional: true - params: - - name: APP_IMAGE - description: The name of where to store the app image. - - name: BUILDER_IMAGE - description: The image on which builds will run (must include lifecycle and compatible buildpacks). - - name: SOURCE_SUBPATH - description: A subpath within the `source` input where the source to build is located. - default: '' - - name: ENV_VARS - type: array - description: Environment variables to set during _build-time_. - default: [] - - name: PROCESS_TYPE - description: The default process type to set on the image. - default: web - - name: RUN_IMAGE - description: Reference to a run image to use. - default: '' - - name: CACHE_IMAGE - description: The name of the persistent app cache image (if no cache workspace is provided). - default: '' - - name: USER_ID - description: The user ID of the builder image user. - default: '1000' - - name: GROUP_ID - description: The group ID of the builder image user. - default: '1000' - - name: PLATFORM_DIR - description: The name of the platform directory. - default: empty-dir - - name: LIFECYCLE_IMAGE - description: The image to use when executing sensitive phases. - default: docker.io/buildpacksio/lifecycle:0.10.2@sha256:1bf8d3fc41d2fdf0ee4abdad50038ab8902ef58c74f5bcfc432c26767d889ed0 - - name: USER_HOME - description: Absolute path to the user's home directory. - default: /tekton/home - results: - - name: APP_IMAGE_DIGEST - description: The digest of the built `APP_IMAGE`. - stepTemplate: - env: - - name: CNB_PLATFORM_API - value: '0.4' - - name: HOME - value: $(params.USER_HOME) - steps: - - name: prepare - image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 - args: - - --env-vars - - $(params.ENV_VARS[*]) - script: | - #!/usr/bin/env bash - set -e - - if [[ "$(workspaces.cache.bound)" == "true" ]]; then - echo "> Setting permissions on '$(workspaces.cache.path)'..." - chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)" - fi - - for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do - echo "> Setting permissions on '$path'..." - chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path" - done - - echo "> Parsing additional configuration..." - parsing_flag="" - envs=() - for arg in "$@"; do - if [[ "$arg" == "--env-vars" ]]; then - echo "-> Parsing env variables..." - parsing_flag="env-vars" - elif [[ "$parsing_flag" == "env-vars" ]]; then - envs+=("$arg") - fi - done - - echo "> Processing any environment variables..." - ENV_DIR="/platform/env" - - echo "--> Creating 'env' directory: $ENV_DIR" - mkdir -p "$ENV_DIR" - - for env in "$${envs[@]}"; do - IFS='=' read -r key value string <<< "$env" - if [[ "$key" != "" && "$value" != "" ]]; then - path="$${ENV_DIR}/$${key}" - echo "--> Writing $${path}..." - echo -n "$value" > "$path" - fi - done - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: $(params.PLATFORM_DIR) - mountPath: /platform - securityContext: - privileged: true - - name: copy-stack-toml - image: $(params.BUILDER_IMAGE) - imagePullPolicy: Always - command: - - /bin/sh - args: - - -c - - | - cp /cnb/stack.toml /layers/ - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: detect - image: $(params.BUILDER_IMAGE) - imagePullPolicy: Always - command: - - /cnb/lifecycle/detector - args: - - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - - -group=/layers/group.toml - - -plan=/layers/plan.toml - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: $(params.PLATFORM_DIR) - mountPath: /platform - - name: empty-dir - mountPath: /tekton/home - - name: analyze - image: $(params.LIFECYCLE_IMAGE) - imagePullPolicy: Always - command: - - /cnb/lifecycle/analyzer - args: - - -layers=/layers - - -group=/layers/group.toml - - -cache-dir=$(workspaces.cache.path) - - -cache-image=$(params.CACHE_IMAGE) - - -uid=$(params.USER_ID) - - -gid=$(params.GROUP_ID) - - $(params.APP_IMAGE) - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: restore - image: $(params.LIFECYCLE_IMAGE) - imagePullPolicy: Always - command: - - /cnb/lifecycle/restorer - args: - - -group=/layers/group.toml - - -layers=/layers - - -cache-dir=$(workspaces.cache.path) - - -cache-image=$(params.CACHE_IMAGE) - - -uid=$(params.USER_ID) - - -gid=$(params.GROUP_ID) - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: build - image: $(params.BUILDER_IMAGE) - imagePullPolicy: Always - command: - - /cnb/lifecycle/builder - args: - - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - - -layers=/layers - - -group=/layers/group.toml - - -plan=/layers/plan.toml - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: $(params.PLATFORM_DIR) - mountPath: /platform - - name: empty-dir - mountPath: /tekton/home - - name: export - image: $(params.LIFECYCLE_IMAGE) - imagePullPolicy: Always - command: - - /cnb/lifecycle/exporter - args: - - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - - -layers=/layers - - -group=/layers/group.toml - - -cache-dir=$(workspaces.cache.path) - - -cache-image=$(params.CACHE_IMAGE) - - -report=/layers/report.toml - - -process-type=$(params.PROCESS_TYPE) - - -uid=$(params.USER_ID) - - -gid=$(params.GROUP_ID) - - -stack=/layers/stack.toml - - -run-image=$(params.RUN_IMAGE) - - $(params.APP_IMAGE) - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: results - image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 - script: | - #!/usr/bin/env bash - set -e - cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path) - volumeMounts: - - name: layers-dir - mountPath: /layers - volumes: - - name: empty-dir - emptyDir: {} - - name: layers-dir - emptyDir: {} -EOF -} - -resource "kubectl_manifest" "Task_sonarqube-scanner" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: sonarqube-scanner - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/deprecated: 'true' - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/categories: Security - tekton.dev/tags: security - tekton.dev/displayName: sonarqube scanner - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: |- - The following task can be used to perform static analysis on the source code provided the SonarQube server is hosted - SonarQube is the leading tool for continuously inspecting the Code Quality and Security of your codebases, all while empowering development teams. Analyze over 25 popular programming languages including C#, VB.Net, JavaScript, TypeScript and C++. It detects bugs, vulnerabilities and code smells across project branches and pull requests. - workspaces: - - name: source - description: Workspace containing the code which needs to be scanned by SonarQube - - name: sonar-settings - description: Optional workspace where SonarQube properties can be mounted - optional: true - - name: sonar-credentials - description: | - A workspace containing a login or password for use within sonarqube. - optional: true - params: - - name: SONAR_HOST_URL - description: SonarQube server URL - default: '' - - name: SONAR_PROJECT_KEY - description: Project's unique key - default: '' - - name: PROJECT_VERSION - description: 'Version of the project. Default: 1.0' - default: '1.0' - - name: SOURCE_TO_SCAN - description: Comma-separated paths to directories containing main source files - default: . - - name: SONAR_ORGANIZATION - description: The organization in sonarqube where the project exists - default: '' - - name: SONAR_SCANNER_IMAGE - description: The sonarqube scanner CLI image which will run the scan - default: docker.io/sonarsource/sonar-scanner-cli:4.6@sha256:7a976330a8bad1beca6584c1c118e946e7a25fdc5b664d5c0a869a6577d81b4f - - name: SONAR_LOGIN_KEY - description: Name of the file of the login within the sonarqube credentials workspace - default: login - - name: SONAR_PASSWORD_KEY - description: Name of the file of the password within the sonarqube credentials workspace - default: password - steps: - - name: sonar-properties-create - image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 - workingDir: $(workspaces.source.path) - env: - - name: SONAR_HOST_URL - value: $(params.SONAR_HOST_URL) - - name: SONAR_PROJECT_KEY - value: $(params.SONAR_PROJECT_KEY) - - name: PROJECT_VERSION - value: $(params.PROJECT_VERSION) - - name: SOURCE_TO_SCAN - value: $(params.SOURCE_TO_SCAN) - - name: SONAR_ORGANIZATION - value: $(params.SONAR_ORGANIZATION) - script: | - #!/usr/bin/env bash - - replaceValues() { - filename=$1 - thekey=$2 - newvalue=$3 - - if ! grep -R "^[#]*\s*$${thekey}=.*" $filename >/dev/null; then - echo "APPENDING because '$${thekey}' not found" - echo "" >>$filename - echo "$thekey=$newvalue" >>$filename - else - echo "SETTING because '$${thekey}' found already" - sed -ir "s|^[#]*\s*$${thekey}=.*|$thekey=$newvalue|" $filename - fi - } - - if [[ "$(workspaces.sonar-settings.bound)" == "true" ]]; then - if [[ -f $(workspaces.sonar-settings.path)/sonar-project.properties ]]; then - echo "using user provided sonar-project.properties file" - cp -RL $(workspaces.sonar-settings.path)/sonar-project.properties $(workspaces.source.path)/sonar-project.properties - fi - fi - - if [[ -f $(workspaces.source.path)/sonar-project.properties ]]; then - if [[ -n "$${SONAR_HOST_URL}" ]]; then - echo "replacing sonar host URL" - replaceValues $(workspaces.source.path)/sonar-project.properties sonar.host.url "$${SONAR_HOST_URL}" - fi - if [[ -n "$${SONAR_PROJECT_KEY}" ]]; then - echo "replacing sonar project key" - replaceValues $(workspaces.source.path)/sonar-project.properties sonar.projectKey "$${SONAR_PROJECT_KEY}" - fi - echo "Values in sonar-project.properties file replaced successfully..." - else - echo "Creating sonar-project.properties file..." - touch sonar-project.properties - [[ -n "$${SONAR_PROJECT_KEY}" ]] && { - echo "sonar.projectKey=$${SONAR_PROJECT_KEY}" >> sonar-project.properties - } || { - echo "missing property SONAR_PROJECT_KEY" - exit 1 - } - - [[ -n "$${SONAR_HOST_URL}" ]] && { - echo "sonar.host.url=$${SONAR_HOST_URL}" >> sonar-project.properties - } || { - echo "missing property SONAR_HOST_URL" - exit 1 - } - - [[ -n "$${PROJECT_VERSION}" ]] && { - echo "sonar.projectVersion=$${PROJECT_VERSION}" >> sonar-project.properties - } || { - echo "missing property PROJECT_VERSION" - exit 1 - } - - [[ -n "$${SONAR_ORGANIZATION}" ]] && { - echo "sonar.organization=$${SONAR_ORGANIZATION}" >> sonar-project.properties - } || { - echo "missing property SONAR_ORGANIZATION" - exit 1 - } - echo "sonar.sources=$${SOURCE_TO_SCAN}" >> sonar-project.properties - echo "---------------------------" - cat $(workspaces.source.path)/sonar-project.properties - fi - - if [[ "$(workspaces.sonar-credentials.bound)" == "true" ]]; then - if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY) ]]; then - SONAR_PASSWORD=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY)` - replaceValues $(workspaces.source.path)/sonar-project.properties sonar.password "$${SONAR_PASSWORD}" - fi - if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY) ]]; then - SONAR_LOGIN=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY)` - replaceValues $(workspaces.source.path)/sonar-project.properties sonar.login "$${SONAR_LOGIN}" - fi - fi - - name: sonar-scan - image: $(params.SONAR_SCANNER_IMAGE) - workingDir: $(workspaces.source.path) - command: - - sonar-scanner -EOF -} - -resource "kubectl_manifest" "Task_check-make" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: check-make - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality - tekton.dev/tags: linter - tekton.dev/displayName: Makefile linter - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: This task can be used to perform lint check on Makefiles - workspaces: - - name: shared-workspace - description: A workspace that contains the fetched git repository. - params: - - name: args - type: array - description: extra args needs to append - default: - - --help - steps: - - name: lint-makefile - image: docker.io/cytopia/checkmake:0.1.0@sha256:50957311f1ae25fd5925e1a45798d323cf00b3654cd1eede8db7814c72cec41d - workingDir: $(workspaces.shared-workspace.path) - command: - - checkmake - args: - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_gitea-set-status" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: gitea-set-status - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Git - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/tags: gitea - tekton.dev/displayName: set gitea status - tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le - namespace: ${var.namespace} - spec: - description: |- - This task will set the status of the CI job to the specified value along with a link to the specified target URL where developers can follow the progress of the CI job. - The `gitea-set-status` task allows external services to mark Gitea commits with an `error`, `failure`, `pending`, or `success` state, which is then reflected in pull requests involving those commits. Statuses include as well a `description` and a `target_url`, to give the user informations about the CI statuses or a direct link to the full log. - params: - - name: GITEA_HOST_URL - description: | - The Gitea host, e.g: git.yourcompany.com. Can include port. - type: string - default: gitea-http.${var.domain}-ci.svc:3000 - - name: GITEA_HTTPS_OR_HTTP - description: | - If we should connect with HTTP or HTTPS. Use "http" or "https" here. - type: string - default: http - - name: API_PATH_PREFIX - description: | - The API path prefix of Gitea, default: /api/v1 - default: /api/v1 - type: string - - name: REPO_FULL_NAME - description: | - The Gitea repository full name, e.g.: tektoncd/catalog - type: string - - name: GITEA_TOKEN_SECRET_NAME - description: | - The name of the kubernetes secret that contains the Gitea token, default: gitea - type: string - default: gitea - - name: GITEA_TOKEN_SECRET_KEY - description: | - The key within the kubernetes secret that contains the Gitea token, default: token - type: string - default: token - - name: SHA - description: | - Commit SHA to set the status for. - type: string - - name: TARGET_URL - description: | - The target URL to associate with this status. This URL will be linked - from the Gitea UI to allow users to easily see the source of the - status. - type: string - - name: DESCRIPTION - description: | - A short description of the status. - type: string - - name: CONTEXT - description: | - The Gitea context, A string label to differentiate this status from - the status of other systems. ie: "continuous-integration/tekton" - default: continuous-integration/tekton - type: string - - name: STATE - description: | - The state of the status. Can be one of the following `error`, - `failure`, `pending`, `warning` or `success`. - type: string - - name: IMAGE - description: | - Image providing the python binary which this task uses. - type: string - default: python:3.10.1-alpine3.15@sha256:affe0faa14e7553fc570beec3864e74b5e36f8c19b2bb49ae8ba79c0e9e7236e - - name: SHEBANG - description: | - Python path. Depends on the image. - type: string - default: /usr/bin/env python - volumes: - - name: giteatoken - secret: - secretName: $(params.GITEA_TOKEN_SECRET_NAME) - steps: - - name: set-status - volumeMounts: - - name: giteatoken - mountPath: /etc/gitea-set-status - image: $(params.IMAGE) - script: |- - #!$(params.SHEBANG) - - """This script will set the CI status on a Gitea commit""" - - import json - import sys - import http.client - - gitea_token = open("/etc/gitea-set-status/$(params.GITEA_TOKEN_SECRET_KEY)", "r").read() - - status_url = "$(params.API_PATH_PREFIX)" + "/repos/$(params.REPO_FULL_NAME)/" + \ - "statuses/$(params.SHA)" - - data = { - "state": "$(params.STATE)", - "target_url": "$(params.TARGET_URL)", - "description": "$(params.DESCRIPTION)", - "context": "$(params.CONTEXT)" - } - print("Sending this data to Gitea: ") - print(data) - - authHeader = "token " + gitea_token - - if "$(params.GITEA_HTTPS_OR_HTTP)" == "https": - conn = http.client.HTTPSConnection("$(params.GITEA_HOST_URL)") - else: - conn = http.client.HTTPConnection("$(params.GITEA_HOST_URL)") - - conn.request( - "POST", - status_url, - body=json.dumps(data), - headers={ - "User-Agent": "TektonCD, the peaceful cat", - "Authorization": authHeader, - "Accept": "application/json", - "Content-Type": "application/json", - }) - resp = conn.getresponse() - if not str(resp.status).startswith("2"): - print("Error: %d" % (resp.status)) - print(resp.read()) - sys.exit(1) - else: - print("Gitea status '$(params.STATE)' has been set on " - "$(params.REPO_FULL_NAME)#$(params.SHA) ") -EOF -} - -resource "kubectl_manifest" "Task_hadolint" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - annotations: - tekton.dev/categories: Code Quality - tekton.dev/displayName: Hadolint - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/platforms: linux/amd64 - tekton.dev/tags: Kubernetes, Misconfiguration - name: hadolint - labels: ${jsonencode(local.common_labels)} - namespace: ${var.namespace} - spec: - description: |- - This task makes it possible to use Hadolint within Tekton Pipeline. - A smarter Dockerfile linter that helps you build best practice Docker images. The linter parses the Dockerfile into an AST and performs rules on top of the AST - params: - - default: '' - description: ignore rules. - name: ignore-rules - type: string - - default: ./Dockerfile - description: Dockerfile path. - name: dockerfile-path - type: string - - default: tty - description: The output format for the results [tty | json | checkstyle | codeclimate | gitlab_codeclimate | codacy] (default tty). - name: output-format - type: string - steps: - - image: ghcr.io/hadolint/hadolint:v2.8.0-debian@sha256:50b0e60aa2b4aba5a26eeb4ad08c96ed7a828fca996632e29114aabea18345f4 - name: lint-dockerfile - script: | - #!/bin/bash - set -e - if [ -n "$RULES" ] - then - IFS="," read -a RULES <<< "$RULES" - for rule in $${RULES[@]}; do ignore_rules="--ignore $rule $ignore_rules"; done - command_to_run="hadolint $${ignore_rules}" - else - command_to_run="hadolint" - fi - $command_to_run "$DOCKERFILE" -f "$OFORMAT" - env: - - name: RULES - value: $(params.ignore-rules) - - name: DOCKERFILE - value: $(params.dockerfile-path) - - name: OFORMAT - value: $(params.output-format) - workingDir: $(workspaces.source.path) - workspaces: - - description: A workspace that contains fetched git repo. - name: source -EOF -} - -resource "kubectl_manifest" "Task_hugo" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1 - kind: Task - metadata: - name: hugo - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Build Tools, Cloud - tekton.dev/tags: buildtools, cloud - tekton.dev/displayName: Hugo - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: |- - A Task that builds a Hugo site. - This task uses the Hugo static site generator to build a static site from the content in the specified directory. - workspaces: - - name: work-dir - params: - - name: content-dir - type: string - description: The directory where the content is located - default: '' - - name: minify - type: string - description: Minify the output e.g. HTML, CSS, JS, XML - default: 'false' - - name: base-url - type: string - description: The base URL for the Hugo site. By default reads from the hugo.toml or hugo.yaml - default: '' - - name: verbose - type: string - description: Verbose output - default: 'false' - results: - - name: output - description: generated static site - steps: - - name: build - env: - - name: HUGO_MINIFY - value: $(params.minify) - - name: HUGO_BASEURL - value: $(params.base-url) - - name: HUGO_VERBOSE - value: $(params.verbose) - - name: HUGO_CONTENT_DIR - value: $(params.content-dir) - image: docker.io/hugomods/hugo:0.122.0@sha256:e90f2e6786969463f3475c7d5e7f031cb5dbf75a8394687d52f99d6c9d0eda0d - script: |- - export HUGOCMD="hugo" - - - if [ "$HUGO_MINIFY" = 'true' ]; then - export HUGOCMD="$${HUGOCMD} --minify" - fi - - if [ "$HUGO_BASEURL" != '' ]; then - export HUGOCMD="$${HUGOCMD} --baseURL $HUGO_BASEURL" - fi - - if [ "$HUGO_VERBOSE" = 'true' ]; then - export HUGOCMD="$${HUGOCMD} --verbose" - fi - - if [ "$HUGO_CONTENT_DIR" != '' ]; then - export HUGOCMD="$${HUGOCMD} --contentDir $${HUGO_CONTENT_DIR}" - fi - - cd "$(workspaces.work-dir.path)" || exit - $HUGOCMD - - printf "%s/public" "$(workspaces.work-dir.path)" | tee /tekton/results/output -EOF -} - -resource "kubectl_manifest" "Task_buildah" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: buildah - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Image Build - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/tags: image-build - tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 - tekton.dev/displayName: buildah - namespace: ${var.namespace} - spec: - description: |- - Buildah task builds source into a container image and then pushes it to a container registry. - Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry. - params: - - name: IMAGE - description: Reference of the image buildah will produce. - - name: BUILDER_IMAGE - description: The location of the buildah builder image. - default: quay.io/buildah/stable:v1 - - name: STORAGE_DRIVER - description: Set buildah storage driver - default: overlay - - name: DOCKERFILE - description: Path to the Dockerfile to build. - default: ./Dockerfile - - name: CONTEXT - description: Path to the directory to use as context. - default: . - - name: TLSVERIFY - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - default: 'true' - - name: FORMAT - description: The format of the built container, oci or docker - default: oci - - name: BUILD_EXTRA_ARGS - description: Extra parameters passed for the build command when building images. - default: '' - - name: PUSH_EXTRA_ARGS - description: Extra parameters passed for the push command when pushing images. - type: string - default: '' - - name: SKIP_PUSH - description: Skip pushing the built image - default: 'false' - workspaces: - - name: source - - name: sslcertdir - optional: true - - name: dockerconfig - description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json. - optional: true - results: - - name: IMAGE_DIGEST - description: Digest of the image just built. - - name: IMAGE_URL - description: Image repository where the built image would be pushed to - steps: - - name: build-and-push - image: $(params.BUILDER_IMAGE) - workingDir: $(workspaces.source.path) - script: | - [ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)" - [ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG - # build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args) - # shellcheck disable=SC2046,SC2086 - buildah $${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" bud $(params.BUILD_EXTRA_ARGS) \ - "--format=$(params.FORMAT)" "--tls-verify=$(params.TLSVERIFY)" \ - -f "$(params.DOCKERFILE)" -t "$(params.IMAGE)" "$(params.CONTEXT)" - [ "$(params.SKIP_PUSH)" = "true" ] && echo "Push skipped" && exit 0 - # push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args) - # shellcheck disable=SC2046,SC2086 - buildah $${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" push $(params.PUSH_EXTRA_ARGS) \ - "--tls-verify=$(params.TLSVERIFY)" --digestfile /tmp/image-digest "$(params.IMAGE)" \ - "docker://$(params.IMAGE)" - tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest - printf '%s' "$(params.IMAGE)" | tee "$(results.IMAGE_URL.path)" - volumeMounts: - - name: varlibcontainers - mountPath: /var/lib/containers - securityContext: - privileged: true - volumes: - - name: varlibcontainers - emptyDir: {} -EOF -} - -resource "kubectl_manifest" "Task_buildpacks" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: buildpacks - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Image Build - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/tags: image-build - tekton.dev/displayName: Buildpacks - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: The Buildpacks task builds source into a container image and pushes it to a registry, using Cloud Native Buildpacks. - workspaces: - - name: source - description: Directory where application source is located. - - name: cache - description: Directory where cache is stored (when no cache image is provided). - optional: true - - name: dockerconfig - description: An optional workspace that allows providing a .docker/config.json file for Buildpacks lifecycle binary to access the container registry. The file should be placed at the root of the Workspace with name config.json. - optional: true - params: - - name: APP_IMAGE - description: The name of where to store the app image. - - name: BUILDER_IMAGE - description: The image on which builds will run (must include lifecycle and compatible buildpacks). - - name: SOURCE_SUBPATH - description: A subpath within the `source` input where the source to build is located. - default: '' - - name: ENV_VARS - type: array - description: Environment variables to set during _build-time_. - default: [] - - name: PROCESS_TYPE - description: The default process type to set on the image. - default: web - - name: RUN_IMAGE - description: Reference to a run image to use. - default: '' - - name: CACHE_IMAGE - description: The name of the persistent app cache image (if no cache workspace is provided). - default: '' - - name: SKIP_RESTORE - description: Do not write layer metadata or restore cached layers. - default: 'false' - - name: USER_ID - description: The user ID of the builder image user. - default: '1000' - - name: GROUP_ID - description: The group ID of the builder image user. - default: '1000' - - name: PLATFORM_DIR - description: The name of the platform directory. - default: empty-dir - results: - - name: APP_IMAGE_DIGEST - description: The digest of the built `APP_IMAGE`. - - name: APP_IMAGE_URL - description: The URL of the built `APP_IMAGE`. - stepTemplate: - env: - - name: CNB_PLATFORM_API - value: '0.9' - steps: - - name: prepare - image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 - args: - - --env-vars - - $(params.ENV_VARS[*]) - script: | - #!/usr/bin/env bash - set -e - - if [[ "$(workspaces.cache.bound)" == "true" ]]; then - echo "> Setting permissions on '$(workspaces.cache.path)'..." - chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)" - fi - - for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do - echo "> Setting permissions on '$path'..." - chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path" - - if [[ "$path" == "$(workspaces.source.path)" ]]; then - chmod 775 "$(workspaces.source.path)" - fi - done - - echo "> Parsing additional configuration..." - parsing_flag="" - envs=() - for arg in "$@"; do - if [[ "$arg" == "--env-vars" ]]; then - echo "-> Parsing env variables..." - parsing_flag="env-vars" - elif [[ "$parsing_flag" == "env-vars" ]]; then - envs+=("$arg") - fi - done - - echo "> Processing any environment variables..." - ENV_DIR="/platform/env" - - echo "--> Creating 'env' directory: $ENV_DIR" - mkdir -p "$ENV_DIR" - - for env in "$${envs[@]}"; do - IFS='=' read -r key value <<< "$env" - if [[ "$key" != "" && "$value" != "" ]]; then - path="$${ENV_DIR}/$${key}" - echo "--> Writing $${path}..." - echo -n "$value" > "$path" - fi - done - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: $(params.PLATFORM_DIR) - mountPath: /platform - - name: create - image: $(params.BUILDER_IMAGE) - imagePullPolicy: Always - command: - - /cnb/lifecycle/creator - env: - - name: DOCKER_CONFIG - value: $(workspaces.dockerconfig.path) - args: - - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - - -cache-dir=$(workspaces.cache.path) - - -cache-image=$(params.CACHE_IMAGE) - - -uid=$(params.USER_ID) - - -gid=$(params.GROUP_ID) - - -layers=/layers - - -platform=/platform - - -report=/layers/report.toml - - -process-type=$(params.PROCESS_TYPE) - - -skip-restore=$(params.SKIP_RESTORE) - - -previous-image=$(params.APP_IMAGE) - - -run-image=$(params.RUN_IMAGE) - - $(params.APP_IMAGE) - volumeMounts: - - name: layers-dir - mountPath: /layers - - name: $(params.PLATFORM_DIR) - mountPath: /platform - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - - name: results - image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 - script: | - #!/usr/bin/env bash - set -e - grep "digest" /layers/report.toml | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee "$(results.APP_IMAGE_DIGEST.path)" - echo -n "$(params.APP_IMAGE)" | tee "$(results.APP_IMAGE_URL.path)" - volumeMounts: - - name: layers-dir - mountPath: /layers - volumes: - - name: empty-dir - emptyDir: {} - - name: layers-dir - emptyDir: {} -EOF -} - -resource "kubectl_manifest" "Task_kubeval" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: kubeval - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/pipelines.minVersion: 0.12.1 - tekton.dev/categories: Code Quality, Kubernetes - tekton.dev/tags: test - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: |- - This task makes it possible to use Kubeval within your Tekton pipelines. - Kubeval is a tool used for validating Kubernetes configuration files. By default the task will recursively scan the provided repository for YAML files and validate them against the Kubernetes schemas. - workspaces: - - name: source - params: - - name: files - default: . - - name: output - default: stdout - - name: args - type: array - default: [] - steps: - - name: kubeval - workingDir: $(workspaces.source.path) - image: docker.io/garethr/kubeval:0.15.0@sha256:6962d8ecbb7839637667f66e6703e6ebaae0c29dfe93a31d9968fba4324c7b8d - command: - - kubeval - - -d - - $(params.files) - - -o - - $(params.output) - - $(params.args) -EOF -} - -resource "kubectl_manifest" "Task_pylint" { - yaml_body = <<-EOF - apiVersion: tekton.dev/v1beta1 - kind: Task - metadata: - name: pylint - labels: ${jsonencode(local.common_labels)} - annotations: - tekton.dev/categories: Code Quality - tekton.dev/pipelines.minVersion: 0.17.0 - tekton.dev/tags: python, pylint - tekton.dev/displayName: pylint - tekton.dev/platforms: linux/amd64 - namespace: ${var.namespace} - spec: - description: This task will run pylint on the provided input. - workspaces: - - name: source - - description: The workspace consisting of the custom pip settings. - name: pip-conf - optional: true - params: - - name: image - description: The container image with pylint - default: registry.gitlab.com/pipeline-components/pylint:0.12.0@sha256:051b701936dfab6fa27bd1ebd50ef56b19577565661bc0227e50dd1cf94a3d6e - - name: path - description: The path to the module which should be analysed by pylint - default: . - type: string - - name: requirements_file - description: The name of the requirements file inside the source location - default: requirements.txt - - name: args - description: The arguments to pass to the pylint CLI. - type: array - default: [] - - name: pip_conf_file - description: The name of the custom pip config file. - default: pip.conf - steps: - - name: pylint - image: $(params.image) - workingDir: $(workspaces.source.path) - env: - - name: HOME - value: /tmp/python - - name: PARAM_PIP_CONF_FILE - value: $(params.pip_conf_file) - - name: WORKSPACE_PIP_CONF_BOUND - value: $(workspaces.pip-conf.bound) - - name: WORKSPACE_PIP_CONF_PATH - value: $(workspaces.pip-conf.path) - script: | - export PATH=$PATH:$HOME/.local/bin - - if [ "$${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then - export PIP_CONFIG_FILE="$${WORKSPACE_PIP_CONF_PATH}/$${PARAM_PIP_CONF_FILE}" - fi - - if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then - python -mpip install --user -r "$(params.requirements_file)" - fi - pylint $@ "$(params.path)" - args: - - $(params.args) -EOF -} - diff --git a/share/tekton-tasks/common.tf b/share/tekton-tasks/common.tf deleted file mode 100644 index 47a6e0c..0000000 --- a/share/tekton-tasks/common.tf +++ /dev/null @@ -1,13 +0,0 @@ - -locals { - common_labels = { - "vynil.solidite.fr/owner-name" = var.instance - "vynil.solidite.fr/owner-namespace" = var.namespace - "vynil.solidite.fr/owner-category" = var.category - "vynil.solidite.fr/owner-component" = var.component - "app.kubernetes.io/managed-by" = "vynil" - "app.kubernetes.io/name" = var.component - "app.kubernetes.io/instance" = var.instance - } - common-labels = local.common_labels -} diff --git a/share/tekton-tasks/index.yaml b/share/tekton-tasks/index.yaml deleted file mode 100644 index 823b62c..0000000 --- a/share/tekton-tasks/index.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: vinyl.solidite.fr/v1beta1 -kind: Component -category: share -metadata: - name: tekton-tasks - description: Install base tekton-tasks -options: - domain: - default: media - examples: - - media - type: string -dependencies: -- dist: null - category: workflow - component: tekton-pipelines -providers: - kubernetes: null - authentik: null - kubectl: true - postgresql: null - mysql: null - restapi: null - http: null - gitea: null -tfaddtype: null