From b56a7de4844db51848c5137a2f39011b52571cdf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Huss?= Date: Fri, 19 Apr 2024 12:22:23 +0200 Subject: [PATCH] fix --- share/gitea-tekton-org/datas.tf | 17 ++ share/gitea-tekton-org/gitea_hook.tf | 38 +++ share/gitea-tekton-org/index.yaml | 38 +++ share/gitea-tekton-org/listener.tf | 12 + share/gitea-tekton-org/rbac.tf | 46 ++++ .../tekton.dev_v1_Task_hugo.yaml | 86 +++++++ ...ekton.dev_v1beta1_Pipeline_buildpacks.yaml | 139 ++++++++++ ...kton.dev_v1beta1_Task_ansible-builder.yaml | 51 ++++ ...ekton.dev_v1beta1_Task_ansible-runner.yaml | 72 ++++++ .../tekton.dev_v1beta1_Task_black.yaml | 43 ++++ .../tekton.dev_v1beta1_Task_buildah.yaml | 98 +++++++ ....dev_v1beta1_Task_buildkit-daemonless.yaml | 51 ++++ ...on.dev_v1beta1_Task_buildpacks-phases.yaml | 241 +++++++++++++++++ .../tekton.dev_v1beta1_Task_buildpacks.yaml | 178 +++++++++++++ .../tekton.dev_v1beta1_Task_check-make.yaml | 31 +++ .../tekton.dev_v1beta1_Task_curl.yaml | 32 +++ .../tekton.dev_v1beta1_Task_docker-build.yaml | 113 ++++++++ ...on.dev_v1beta1_Task_generate-build-id.yaml | 42 +++ .../tekton.dev_v1beta1_Task_git-clone.yaml | 242 ++++++++++++++++++ .../tekton.dev_v1beta1_Task_git-version.yaml | 51 ++++ ...ton.dev_v1beta1_Task_gitea-set-status.yaml | 162 ++++++++++++ .../tekton.dev_v1beta1_Task_hadolint.yaml | 60 +++++ .../tekton.dev_v1beta1_Task_kaniko.yaml | 65 +++++ .../tekton.dev_v1beta1_Task_kube-linter.yaml | 90 +++++++ .../tekton.dev_v1beta1_Task_kubeval.yaml | 41 +++ ...tekton.dev_v1beta1_Task_markdown-lint.yaml | 31 +++ .../tekton.dev_v1beta1_Task_npm.yaml | 44 ++++ ...kton.dev_v1beta1_Task_prometheus-gate.yaml | 62 +++++ .../tekton.dev_v1beta1_Task_pylint.yaml | 66 +++++ .../tekton.dev_v1beta1_Task_pytest.yaml | 77 ++++++ ...kton.dev_v1beta1_Task_python-coverage.yaml | 55 ++++ .../tekton.dev_v1beta1_Task_shellcheck.yaml | 31 +++ .../tekton.dev_v1beta1_Task_skopeo-copy.yaml | 79 ++++++ ...on.dev_v1beta1_Task_sonarqube-scanner.yaml | 158 ++++++++++++ .../tekton.dev_v1beta1_Task_ts-lint.yaml | 31 +++ .../tekton.dev_v1beta1_Task_write-file.yaml | 57 +++++ .../tekton.dev_v1beta1_Task_yaml-lint.yaml | 31 +++ .../tekton.dev_v1beta1_Task_yq.yaml | 57 +++++ share/organisation/ci-space.tf | 66 +++++ share/organisation/gitea-user.tf | 34 ++- share/organisation/index.yaml | 5 + 41 files changed, 2911 insertions(+), 12 deletions(-) create mode 100644 share/gitea-tekton-org/datas.tf create mode 100644 share/gitea-tekton-org/gitea_hook.tf create mode 100644 share/gitea-tekton-org/index.yaml create mode 100644 share/gitea-tekton-org/listener.tf create mode 100644 share/gitea-tekton-org/rbac.tf create mode 100644 share/gitea-tekton-org/tekton.dev_v1_Task_hugo.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Pipeline_buildpacks.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-builder.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-runner.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_black.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildah.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildkit-daemonless.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks-phases.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_check-make.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_curl.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_docker-build.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_generate-build-id.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-clone.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-version.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_gitea-set-status.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_hadolint.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_kaniko.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_kube-linter.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_kubeval.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_markdown-lint.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_npm.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_prometheus-gate.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_pylint.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_pytest.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_python-coverage.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_shellcheck.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_skopeo-copy.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_sonarqube-scanner.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_ts-lint.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_write-file.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_yaml-lint.yaml create mode 100644 share/gitea-tekton-org/tekton.dev_v1beta1_Task_yq.yaml create mode 100644 share/organisation/ci-space.tf diff --git a/share/gitea-tekton-org/datas.tf b/share/gitea-tekton-org/datas.tf new file mode 100644 index 0000000..6410e20 --- /dev/null +++ b/share/gitea-tekton-org/datas.tf @@ -0,0 +1,17 @@ +locals { + common-labels = { + "vynil.solidite.fr/owner-name" = var.instance + "vynil.solidite.fr/owner-namespace" = var.namespace + "vynil.solidite.fr/owner-category" = var.category + "vynil.solidite.fr/owner-component" = var.component + "app.kubernetes.io/managed-by" = "vynil" + "app.kubernetes.io/name" = var.component + "app.kubernetes.io/instance" = var.instance + } +} + +data "kustomization_overlay" "data" { + namespace = var.namespace + common_labels = local.common-labels + resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"] +} diff --git a/share/gitea-tekton-org/gitea_hook.tf b/share/gitea-tekton-org/gitea_hook.tf new file mode 100644 index 0000000..d98d5ae --- /dev/null +++ b/share/gitea-tekton-org/gitea_hook.tf @@ -0,0 +1,38 @@ +locals { + gitea_host = "http://gitea-http.${var.domain}-ci.svc:3000" + gitea_username = data.kubernetes_secret_v1.gitea.data["username"] + gitea_password = data.kubernetes_secret_v1.gitea.data["password"] + request_headers = { + "Content-Type" = "application/json" + Authorization = "Basic ${base64encode("${local.gitea_username}:${local.gitea_password}")}" + } +} + +data "kubernetes_secret_v1" "gitea" { + metadata { + name = "gitea-admin-user" + namespace = "${var.domain}-ci" + } +} +provider "restapi" { + uri = "${local.gitea_host}/api/v1" + headers = local.request_headers + id_attribute = "id" +} + +# resource "restapi_object" "gitea_org_hook" { +# path = "/orgs/${var.organization}/hooks" +# data = jsonencode({ +# type = "gitea" +# active = true +# branch_filter = "*" +# events = [ +# "create", +# "push" +# ], +# config = { +# url = "" +# content_type = "application/json" +# } +# }) +# } diff --git a/share/gitea-tekton-org/index.yaml b/share/gitea-tekton-org/index.yaml new file mode 100644 index 0000000..5642526 --- /dev/null +++ b/share/gitea-tekton-org/index.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: vinyl.solidite.fr/v1beta1 +kind: Component +category: share +metadata: + name: gitea-tekton-org + description: null +options: + domain: + default: your-company + examples: + - your-company + type: string + organization: + default: your-org + examples: + - your-org + type: string +dependencies: +- dist: null + category: apps + component: gitea +- dist: null + category: workflow + component: tekton-pipelines +- dist: null + category: workflow + component: tekton-triggers +providers: + kubernetes: true + authentik: null + kubectl: true + postgresql: null + mysql: null + restapi: true + http: null + gitea: null +tfaddtype: null diff --git a/share/gitea-tekton-org/listener.tf b/share/gitea-tekton-org/listener.tf new file mode 100644 index 0000000..59f23d0 --- /dev/null +++ b/share/gitea-tekton-org/listener.tf @@ -0,0 +1,12 @@ +resource "kubectl_manifest" "el" { + yaml_body = <<-EOF + apiVersion: triggers.tekton.dev/v1beta1 + kind: EventListener + metadata: + name: "${var.instance}-${var.component}" + namespace: "${var.namespace}" + labels: ${jsonencode(local.common-labels)} + spec: + serviceAccountName: "${var.instance}-${var.component}" + EOF +} diff --git a/share/gitea-tekton-org/rbac.tf b/share/gitea-tekton-org/rbac.tf new file mode 100644 index 0000000..1a46881 --- /dev/null +++ b/share/gitea-tekton-org/rbac.tf @@ -0,0 +1,46 @@ + +resource "kubectl_manifest" "sa" { + yaml_body = <<-EOF + apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${var.instance}-${var.component}" + namespace: "${var.namespace}" + labels: ${jsonencode(local.common-labels)} + EOF +} +resource "kubectl_manifest" "rb" { + yaml_body = <<-EOF + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${var.instance}-${var.component}" + namespace: "${var.namespace}" + labels: ${jsonencode(local.common-labels)} + subjects: + - kind: ServiceAccount + name: "${var.instance}-${var.component}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tekton-triggers-eventlistener-roles + EOF +} +resource "kubectl_manifest" "crb" { + yaml_body = <<-EOF + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${var.namespace}-${var.instance}-${var.component}" + namespace: "${var.namespace}" + labels: ${jsonencode(local.common-labels)} + subjects: + - kind: ServiceAccount + name: "${var.instance}-${var.component}" + namespace: "${var.namespace}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tekton-triggers-eventlistener-clusterroles + EOF +} diff --git a/share/gitea-tekton-org/tekton.dev_v1_Task_hugo.yaml b/share/gitea-tekton-org/tekton.dev_v1_Task_hugo.yaml new file mode 100644 index 0000000..8a4b43b --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1_Task_hugo.yaml @@ -0,0 +1,86 @@ +apiVersion: tekton.dev/v1 +kind: Task + +metadata: + name: hugo + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Build Tools, Cloud + tekton.dev/tags: buildtools, cloud + tekton.dev/displayName: Hugo + tekton.dev/platforms: "linux/amd64" + +spec: + description: >- + A Task that builds a Hugo site. + + This task uses the Hugo static site generator to build a static site from the + content in the specified directory. + + workspaces: + - name: work-dir + + params: + - name: content-dir + type: string + description: The directory where the content is located + default: "" + + - name: minify + type: string + description: Minify the output e.g. HTML, CSS, JS, XML + default: "false" + + - name: base-url + type: string + description: The base URL for the Hugo site. By default reads from the hugo.toml or hugo.yaml + default: "" + + - name: verbose + type: string + description: Verbose output + default: "false" + + results: + - name: output + description: generated static site + + steps: + - name: build + env: + - name: HUGO_MINIFY + value: $(params.minify) + - name: HUGO_BASEURL + value: $(params.base-url) + - name: HUGO_VERBOSE + value: $(params.verbose) + - name: HUGO_CONTENT_DIR + value: $(params.content-dir) + + image: docker.io/hugomods/hugo:0.122.0@sha256:e90f2e6786969463f3475c7d5e7f031cb5dbf75a8394687d52f99d6c9d0eda0d + script: | + export HUGOCMD="hugo" + + + if [ "$HUGO_MINIFY" = 'true' ]; then + export HUGOCMD="${HUGOCMD} --minify" + fi + + if [ "$HUGO_BASEURL" != '' ]; then + export HUGOCMD="${HUGOCMD} --baseURL $HUGO_BASEURL" + fi + + if [ "$HUGO_VERBOSE" = 'true' ]; then + export HUGOCMD="${HUGOCMD} --verbose" + fi + + if [ "$HUGO_CONTENT_DIR" != '' ]; then + export HUGOCMD="${HUGOCMD} --contentDir ${HUGO_CONTENT_DIR}" + fi + + cd "$(workspaces.work-dir.path)" || exit + $HUGOCMD + + printf "%s/public" "$(workspaces.work-dir.path)" | tee /tekton/results/output \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Pipeline_buildpacks.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Pipeline_buildpacks.yaml new file mode 100644 index 0000000..4c1ba5c --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Pipeline_buildpacks.yaml @@ -0,0 +1,139 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: buildpacks + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: image-build + tekton.dev/displayName: "Buildpacks" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + The Buildpacks pipeline builds source from a Git repository into a container image and pushes it to a registry, using Cloud Native Buildpacks. + + workspaces: + - name: source-ws + description: Location where source is stored. + - name: cache-ws + description: Location where cache is stored if CACHE_IMAGE is not provided. + optional: true + + params: + - name: BUILDER_IMAGE + description: The image on which builds will run (must include lifecycle and compatible buildpacks). + - name: TRUST_BUILDER + description: >- + Whether the builder image is trusted. + When false, each build phase is executed in isolation and credentials are only shared with trusted images. + default: "false" + - name: APP_IMAGE + description: The name of where to store the app image. + - name: SOURCE_URL + description: A git repo url where the source code resides. + - name: SOURCE_REFERENCE + description: The branch, tag or SHA to checkout. + default: "" + - name: SOURCE_SUBPATH + description: A subpath within checked out source where the source to build is located. + default: "" + - name: ENV_VARS + type: array + description: Environment variables to set during _build-time_. + default: [""] + - name: PROCESS_TYPE + description: The default process type to set on the image. + default: "web" + - name: RUN_IMAGE + description: The name of the run image to use (defaults to image specified in builder). + default: "" + - name: CACHE_IMAGE + description: The name of the persistent cache image. + default: "" + - name: USER_ID + description: The user ID of the builder image user. + default: "1000" + - name: GROUP_ID + description: The group ID of the builder image user. + default: "1000" + + tasks: + - name: fetch-from-git + taskRef: + name: git-clone + params: + - name: url + value: $(params.SOURCE_URL) + - name: revision + value: $(params.SOURCE_REFERENCE) + workspaces: + - name: output + workspace: source-ws + - name: build-trusted + runAfter: + - fetch-from-git + taskRef: + name: buildpacks + when: + - input: "$(params.TRUST_BUILDER)" + operator: in + values: ["true", "yes", "TRUE", "True"] + workspaces: + - name: source + workspace: source-ws + - name: cache + workspace: cache-ws + params: + - name: BUILDER_IMAGE + value: "$(params.BUILDER_IMAGE)" + - name: APP_IMAGE + value: "$(params.APP_IMAGE)" + - name: SOURCE_SUBPATH + value: "$(params.SOURCE_SUBPATH)" + - name: PROCESS_TYPE + value: "$(params.PROCESS_TYPE)" + - name: ENV_VARS + value: ["$(params.ENV_VARS)"] + - name: RUN_IMAGE + value: "$(params.RUN_IMAGE)" + - name: CACHE_IMAGE + value: "$(params.CACHE_IMAGE)" + - name: USER_ID + value: "$(params.USER_ID)" + - name: GROUP_ID + value: "$(params.GROUP_ID)" + - name: build-untrusted + runAfter: + - fetch-from-git + taskRef: + name: buildpacks-phases + when: + - input: "$(params.TRUST_BUILDER)" + operator: notin + values: ["true", "yes", "TRUE", "True"] + workspaces: + - name: source + workspace: source-ws + - name: cache + workspace: cache-ws + params: + - name: BUILDER_IMAGE + value: "$(params.BUILDER_IMAGE)" + - name: APP_IMAGE + value: "$(params.APP_IMAGE)" + - name: SOURCE_SUBPATH + value: "$(params.SOURCE_SUBPATH)" + - name: ENV_VARS + value: ["$(params.ENV_VARS)"] + - name: PROCESS_TYPE + value: "$(params.PROCESS_TYPE)" + - name: RUN_IMAGE + value: "$(params.RUN_IMAGE)" + - name: CACHE_IMAGE + value: "$(params.CACHE_IMAGE)" + - name: USER_ID + value: "$(params.USER_ID)" + - name: GROUP_ID + value: "$(params.GROUP_ID)" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-builder.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-builder.yaml new file mode 100644 index 0000000..1f90fbf --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-builder.yaml @@ -0,0 +1,51 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ansible-builder + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/deprecated: "true" + tekton.dev/pipelines.minVersion: "0.12.0" + tekton.dev/displayName: ansible-builder + tekton.dev/categories: Build Tools + tekton.dev/tags: ansible, ansible-builder, build-tool, automation + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + Creates a build context (including a Containerfile) from an execution environment spec. + This build context is populated with dependencies including requirements files. + workspaces: + - name: source + description: The source workspace where the execution environment code is cloned. + params: + - description: Execution environment file definition. + name: FILENAME + type: string + default: execution-environment.yml + - description: Execution environment build context. + name: BUILD_CONTEXT + type: string + default: context + - name: OUTPUT_FILENAME + description: Name of file to write image definition to. Either Dockerfile or Containerfile. + type: string + default: Containerfile + - description: ansible-builder output verbosity. + name: VERBOSITY + type: string + default: "2" + - name: BUILDER_IMAGE + description: The location of the ansible-builder image. + type: string + default: quay.io/ansible/ansible-builder:latest + steps: + + - name: ansible-builder-create + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + script: | + #!/bin/sh + set -eux -o + + ansible-builder create -f "$(params.FILENAME)" -c "$(params.BUILD_CONTEXT)" --output-filename "$(params.OUTPUT_FILENAME)" -v "$(params.VERBOSITY)" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-runner.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-runner.yaml new file mode 100644 index 0000000..8fbb6d8 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ansible-runner.yaml @@ -0,0 +1,72 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ansible-runner + labels: + app.kubernetes.io/version: '0.2' + app.kubernetes.io/ansible-version: '2.12.5' + annotations: + tekton.dev/deprecated: "true" + tekton.dev/pipelines.minVersion: '0.12.1' + tekton.dev/categories: CLI + tekton.dev/tags: cli + tekton.dev/displayName: 'Ansible Runner' + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + Task to run Ansible playbooks using Ansible Runner + + workspaces: + - name: runner-dir + description: The Ansibler runner directory + params: + - name: project-dir + description: The project directory under the workspace runner-dir + default: 'project' + - name: args + description: The arguments to pass ansible-runner + type: array + default: + - --help + - name: user-home + description: Absolute path to the user's home directory. + default: /tekton/home + - name: image + description: Ansible runner image. + default: quay.io/ansible/ansible-runner:stable-2.12-latest #tag: stable-2.12-latest + stepTemplate: + env: + - name: HOME + value: $(params.user-home) + steps: + - name: requirements + image: $(params.image) + script: | + #!/bin/bash + set -e + + if [ -f requirements.txt ]; + then + pip3 install --user \ + -r requirements.txt + fi + + if [ -f requirements.yml ]; + then + ansible-galaxy role install -vv \ + -r requirements.yml + ansible-galaxy collection install -vv \ + -r requirements.yml + fi + workingDir: '$(workspaces.runner-dir.path)/$(params.project-dir)' + + - name: run-playbook + image: $(params.image) + command: ['entrypoint'] + args: + - ansible-runner + - run + - $(params.args) + - $(params.project-dir) + workingDir: '$(workspaces.runner-dir.path)' \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_black.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_black.yaml new file mode 100644 index 0000000..0769f24 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_black.yaml @@ -0,0 +1,43 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: black + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: formatter, python, black + tekton.dev/displayName: "Python Black" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to format Python code + workspaces: + - name: shared-workspace + description: >- + The workspace containing python source code which we want to format. + params: + - name: image + description: The container image to use black in + default: docker.io/cytopia/black:latest-0.2@sha256:2ec766f1c7e42e6b59c0873ce066fa0a2aa2bf8a80dbc1c40f1566bb539303e0 + - name: requirements_file + description: The name of the requirements file inside the source location + default: requirements.txt + - name: args + type: array + description: extra args that needs to be appended + default: ["--help"] + steps: + - name: format-python-code + image: $(params.image) + workingDir: $(workspaces.shared-workspace.path) + script: | + export HOME=/tmp/python + export PATH=$PATH:/tmp/python/.local/bin + if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then + python -mpip install --user -r $(params.requirements_file) + fi + black $@ + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildah.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildah.yaml new file mode 100644 index 0000000..5ac0445 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildah.yaml @@ -0,0 +1,98 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: buildah + labels: + app.kubernetes.io/version: "0.7" + annotations: + tekton.dev/categories: Image Build + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: image-build + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" + tekton.dev/displayName: buildah +spec: + description: >- + Buildah task builds source into a container image and + then pushes it to a container registry. + + Buildah Task builds source into a container image using Project Atomic's + Buildah build tool.It uses Buildah's support for building from Dockerfiles, + using its buildah bud command.This command executes the directives in the + Dockerfile to assemble a container image, then pushes that image to a + container registry. + + params: + - name: IMAGE + description: Reference of the image buildah will produce. + - name: BUILDER_IMAGE + description: The location of the buildah builder image. + default: quay.io/buildah/stable:v1 + - name: STORAGE_DRIVER + description: Set buildah storage driver + default: overlay + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: Path to the directory to use as context. + default: . + - name: TLSVERIFY + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + default: "true" + - name: FORMAT + description: The format of the built container, oci or docker + default: "oci" + - name: BUILD_EXTRA_ARGS + description: Extra parameters passed for the build command when building images. + default: "" + - name: PUSH_EXTRA_ARGS + description: Extra parameters passed for the push command when pushing images. + type: string + default: "" + - name: SKIP_PUSH + description: Skip pushing the built image + default: "false" + workspaces: + - name: source + - name: sslcertdir + optional: true + - name: dockerconfig + description: >- + An optional workspace that allows providing a .docker/config.json file + for Buildah to access the container registry. + The file should be placed at the root of the Workspace with name config.json. + optional: true + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. + - name: IMAGE_URL + description: Image repository where the built image would be pushed to + steps: + - name: build-and-push + image: $(params.BUILDER_IMAGE) + workingDir: $(workspaces.source.path) + script: | + [ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)" + [ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG + # build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args) + # shellcheck disable=SC2046,SC2086 + buildah ${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" bud $(params.BUILD_EXTRA_ARGS) \ + "--format=$(params.FORMAT)" "--tls-verify=$(params.TLSVERIFY)" \ + -f "$(params.DOCKERFILE)" -t "$(params.IMAGE)" "$(params.CONTEXT)" + [ "$(params.SKIP_PUSH)" = "true" ] && echo "Push skipped" && exit 0 + # push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args) + # shellcheck disable=SC2046,SC2086 + buildah ${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" push $(params.PUSH_EXTRA_ARGS) \ + "--tls-verify=$(params.TLSVERIFY)" --digestfile /tmp/image-digest "$(params.IMAGE)" \ + "docker://$(params.IMAGE)" + tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest + printf '%s' "$(params.IMAGE)" | tee "$(results.IMAGE_URL.path)" + volumeMounts: + - name: varlibcontainers + mountPath: /var/lib/containers + securityContext: + privileged: true + volumes: + - name: varlibcontainers + emptyDir: {} \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildkit-daemonless.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildkit-daemonless.yaml new file mode 100644 index 0000000..a25f4f2 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildkit-daemonless.yaml @@ -0,0 +1,51 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: buildkit-daemonless + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "buildkit daemonless" + tekton.dev/platforms: "linux/amd64" + tekton.dev/deprecated: "true" +spec: + description: >- + This Task builds source into a container image using Moby BuildKit. + + This buildkit-daemonless Task is similar to buildkit but does not need + creating Secret, Deployment, and Service resources for setting up the + buildkitd daemon cluster. + + params: + - name: DOCKERFILE + description: The name of the Dockerfile + default: "Dockerfile" + - name: BUILDKIT_IMAGE + description: The name of the BuildKit image + # The image needs to be rootful because Tekton creates /builder/home/.docker/config.json owned by root:root with 0600 + # https://github.com/tektoncd/pipeline/issues/852 + default: "docker.io/moby/buildkit:v0.6.2@sha256:db234cf7362aef489e4273a6937794cb19c09ba15c7ee0ec6f85044086ea4f6a" + workspaces: + - name: source + resources: + outputs: + - name: image + type: image + steps: + - name: build-and-push + image: $(params.BUILDKIT_IMAGE) + workingDir: $(workspaces.source.path) + securityContext: + privileged: true + command: ["buildctl-daemonless.sh", "--debug", + "build", + "--progress=plain", + "--frontend=dockerfile.v0", + "--opt", "filename=$(params.DOCKERFILE)", + "--local", "context=.", "--local", "dockerfile=.", + "--output", "type=image,name=$(resources.outputs.image.url),push=true", + "--export-cache", "type=inline", + "--import-cache", "type=registry,ref=$(resources.outputs.image.url)"] \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks-phases.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks-phases.yaml new file mode 100644 index 0000000..017b198 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks-phases.yaml @@ -0,0 +1,241 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: buildpacks-phases + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/categories: Image Build, Security + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: image-build + tekton.dev/displayName: "Buildpacks (phases)" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + The Buildpacks-Phases task builds source into a container image and pushes it to + a registry, using Cloud Native Buildpacks. This task separately calls the aspects of the + Cloud Native Buildpacks lifecycle, to provide increased security via container isolation. + + workspaces: + - name: source + description: Directory where application source is located. + - name: cache + description: Directory where cache is stored (when no cache image is provided). + optional: true + + params: + - name: APP_IMAGE + description: The name of where to store the app image. + - name: BUILDER_IMAGE + description: The image on which builds will run (must include lifecycle and compatible buildpacks). + - name: SOURCE_SUBPATH + description: A subpath within the `source` input where the source to build is located. + default: "" + - name: ENV_VARS + type: array + description: Environment variables to set during _build-time_. + default: [] + - name: PROCESS_TYPE + description: The default process type to set on the image. + default: "web" + - name: RUN_IMAGE + description: Reference to a run image to use. + default: "" + - name: CACHE_IMAGE + description: The name of the persistent app cache image (if no cache workspace is provided). + default: "" + - name: USER_ID + description: The user ID of the builder image user. + default: "1000" + - name: GROUP_ID + description: The group ID of the builder image user. + default: "1000" + - name: PLATFORM_DIR + description: The name of the platform directory. + default: empty-dir + - name: LIFECYCLE_IMAGE + description: The image to use when executing sensitive phases. + default: docker.io/buildpacksio/lifecycle:0.10.2@sha256:1bf8d3fc41d2fdf0ee4abdad50038ab8902ef58c74f5bcfc432c26767d889ed0 + - name: USER_HOME + description: Absolute path to the user's home directory. + default: /tekton/home + + results: + - name: APP_IMAGE_DIGEST + description: The digest of the built `APP_IMAGE`. + + stepTemplate: + env: + - name: CNB_PLATFORM_API + value: "0.4" + - name: HOME + value: $(params.USER_HOME) + + steps: + - name: prepare + image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 + args: + - "--env-vars" + - "$(params.ENV_VARS[*])" + script: | + #!/usr/bin/env bash + set -e + + if [[ "$(workspaces.cache.bound)" == "true" ]]; then + echo "> Setting permissions on '$(workspaces.cache.path)'..." + chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)" + fi + + for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do + echo "> Setting permissions on '$path'..." + chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path" + done + + echo "> Parsing additional configuration..." + parsing_flag="" + envs=() + for arg in "$@"; do + if [[ "$arg" == "--env-vars" ]]; then + echo "-> Parsing env variables..." + parsing_flag="env-vars" + elif [[ "$parsing_flag" == "env-vars" ]]; then + envs+=("$arg") + fi + done + + echo "> Processing any environment variables..." + ENV_DIR="/platform/env" + + echo "--> Creating 'env' directory: $ENV_DIR" + mkdir -p "$ENV_DIR" + + for env in "${envs[@]}"; do + IFS='=' read -r key value string <<< "$env" + if [[ "$key" != "" && "$value" != "" ]]; then + path="${ENV_DIR}/${key}" + echo "--> Writing ${path}..." + echo -n "$value" > "$path" + fi + done + volumeMounts: + - name: layers-dir + mountPath: /layers + - name: $(params.PLATFORM_DIR) + mountPath: /platform + securityContext: + privileged: true + + # Copy stack.toml so that it will be accessible to the exporter, since the lifecycle image will not contain it. + - name: copy-stack-toml + image: $(params.BUILDER_IMAGE) + imagePullPolicy: Always + command: ["/bin/sh"] + args: + - "-c" + - > + cp /cnb/stack.toml /layers/ + volumeMounts: + - name: layers-dir + mountPath: /layers + + - name: detect + image: $(params.BUILDER_IMAGE) + imagePullPolicy: Always + command: ["/cnb/lifecycle/detector"] + args: + - "-app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)" + - "-group=/layers/group.toml" + - "-plan=/layers/plan.toml" + volumeMounts: + - name: layers-dir + mountPath: /layers + - name: $(params.PLATFORM_DIR) + mountPath: /platform + - name: empty-dir + mountPath: /tekton/home + + - name: analyze + image: $(params.LIFECYCLE_IMAGE) + imagePullPolicy: Always + command: ["/cnb/lifecycle/analyzer"] + args: + - "-layers=/layers" + - "-group=/layers/group.toml" + - "-cache-dir=$(workspaces.cache.path)" + - "-cache-image=$(params.CACHE_IMAGE)" + - "-uid=$(params.USER_ID)" + - "-gid=$(params.GROUP_ID)" + - "$(params.APP_IMAGE)" + volumeMounts: + - name: layers-dir + mountPath: /layers + + - name: restore + image: $(params.LIFECYCLE_IMAGE) + imagePullPolicy: Always + command: ["/cnb/lifecycle/restorer"] + args: + - "-group=/layers/group.toml" + - "-layers=/layers" + - "-cache-dir=$(workspaces.cache.path)" + - "-cache-image=$(params.CACHE_IMAGE)" + - "-uid=$(params.USER_ID)" + - "-gid=$(params.GROUP_ID)" + volumeMounts: + - name: layers-dir + mountPath: /layers + + - name: build + image: $(params.BUILDER_IMAGE) + imagePullPolicy: Always + command: ["/cnb/lifecycle/builder"] + args: + - "-app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)" + - "-layers=/layers" + - "-group=/layers/group.toml" + - "-plan=/layers/plan.toml" + volumeMounts: + - name: layers-dir + mountPath: /layers + - name: $(params.PLATFORM_DIR) + mountPath: /platform + - name: empty-dir + mountPath: /tekton/home + + - name: export + image: $(params.LIFECYCLE_IMAGE) + imagePullPolicy: Always + command: ["/cnb/lifecycle/exporter"] + args: + - "-app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)" + - "-layers=/layers" + - "-group=/layers/group.toml" + - "-cache-dir=$(workspaces.cache.path)" + - "-cache-image=$(params.CACHE_IMAGE)" + - "-report=/layers/report.toml" + - "-process-type=$(params.PROCESS_TYPE)" + - "-uid=$(params.USER_ID)" + - "-gid=$(params.GROUP_ID)" + - "-stack=/layers/stack.toml" + - "-run-image=$(params.RUN_IMAGE)" + - "$(params.APP_IMAGE)" + volumeMounts: + - name: layers-dir + mountPath: /layers + + - name: results + image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 + script: | + #!/usr/bin/env bash + set -e + cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path) + volumeMounts: + - name: layers-dir + mountPath: /layers + + volumes: + - name: empty-dir + emptyDir: {} + - name: layers-dir + emptyDir: {} \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks.yaml new file mode 100644 index 0000000..6ad768b --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_buildpacks.yaml @@ -0,0 +1,178 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: buildpacks + labels: + app.kubernetes.io/version: "0.6" + annotations: + tekton.dev/categories: Image Build + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: image-build + tekton.dev/displayName: "Buildpacks" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + The Buildpacks task builds source into a container image and pushes it to a registry, + using Cloud Native Buildpacks. + + workspaces: + - name: source + description: Directory where application source is located. + - name: cache + description: Directory where cache is stored (when no cache image is provided). + optional: true + - name: dockerconfig + description: >- + An optional workspace that allows providing a .docker/config.json file + for Buildpacks lifecycle binary to access the container registry. + The file should be placed at the root of the Workspace with name config.json. + optional: true + + params: + - name: APP_IMAGE + description: The name of where to store the app image. + - name: BUILDER_IMAGE + description: The image on which builds will run (must include lifecycle and compatible buildpacks). + - name: SOURCE_SUBPATH + description: A subpath within the `source` input where the source to build is located. + default: "" + - name: ENV_VARS + type: array + description: Environment variables to set during _build-time_. + default: [] + - name: PROCESS_TYPE + description: The default process type to set on the image. + default: "web" + - name: RUN_IMAGE + description: Reference to a run image to use. + default: "" + - name: CACHE_IMAGE + description: The name of the persistent app cache image (if no cache workspace is provided). + default: "" + - name: SKIP_RESTORE + description: Do not write layer metadata or restore cached layers. + default: "false" + - name: USER_ID + description: The user ID of the builder image user. + default: "1000" + - name: GROUP_ID + description: The group ID of the builder image user. + default: "1000" + - name: PLATFORM_DIR + description: The name of the platform directory. + default: empty-dir + + results: + - name: APP_IMAGE_DIGEST + description: The digest of the built `APP_IMAGE`. + - name: APP_IMAGE_URL + description: The URL of the built `APP_IMAGE`. + + stepTemplate: + env: + - name: CNB_PLATFORM_API + value: "0.9" + + steps: + - name: prepare + image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 + args: + - "--env-vars" + - "$(params.ENV_VARS[*])" + script: | + #!/usr/bin/env bash + set -e + + if [[ "$(workspaces.cache.bound)" == "true" ]]; then + echo "> Setting permissions on '$(workspaces.cache.path)'..." + chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)" + fi + + for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do + echo "> Setting permissions on '$path'..." + chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path" + + if [[ "$path" == "$(workspaces.source.path)" ]]; then + chmod 775 "$(workspaces.source.path)" + fi + done + + echo "> Parsing additional configuration..." + parsing_flag="" + envs=() + for arg in "$@"; do + if [[ "$arg" == "--env-vars" ]]; then + echo "-> Parsing env variables..." + parsing_flag="env-vars" + elif [[ "$parsing_flag" == "env-vars" ]]; then + envs+=("$arg") + fi + done + + echo "> Processing any environment variables..." + ENV_DIR="/platform/env" + + echo "--> Creating 'env' directory: $ENV_DIR" + mkdir -p "$ENV_DIR" + + for env in "${envs[@]}"; do + IFS='=' read -r key value <<< "$env" + if [[ "$key" != "" && "$value" != "" ]]; then + path="${ENV_DIR}/${key}" + echo "--> Writing ${path}..." + echo -n "$value" > "$path" + fi + done + volumeMounts: + - name: layers-dir + mountPath: /layers + - name: $(params.PLATFORM_DIR) + mountPath: /platform + + - name: create + image: $(params.BUILDER_IMAGE) + imagePullPolicy: Always + command: ["/cnb/lifecycle/creator"] + env: + - name: DOCKER_CONFIG + value: $(workspaces.dockerconfig.path) + args: + - "-app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)" + - "-cache-dir=$(workspaces.cache.path)" + - "-cache-image=$(params.CACHE_IMAGE)" + - "-uid=$(params.USER_ID)" + - "-gid=$(params.GROUP_ID)" + - "-layers=/layers" + - "-platform=/platform" + - "-report=/layers/report.toml" + - "-process-type=$(params.PROCESS_TYPE)" + - "-skip-restore=$(params.SKIP_RESTORE)" + - "-previous-image=$(params.APP_IMAGE)" + - "-run-image=$(params.RUN_IMAGE)" + - "$(params.APP_IMAGE)" + volumeMounts: + - name: layers-dir + mountPath: /layers + - name: $(params.PLATFORM_DIR) + mountPath: /platform + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + + - name: results + image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 + script: | + #!/usr/bin/env bash + set -e + grep "digest" /layers/report.toml | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee "$(results.APP_IMAGE_DIGEST.path)" + echo -n "$(params.APP_IMAGE)" | tee "$(results.APP_IMAGE_URL.path)" + volumeMounts: + - name: layers-dir + mountPath: /layers + + volumes: + - name: empty-dir + emptyDir: {} + - name: layers-dir + emptyDir: {} \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_check-make.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_check-make.yaml new file mode 100644 index 0000000..56f8200 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_check-make.yaml @@ -0,0 +1,31 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: check-make + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: linter + tekton.dev/displayName: "Makefile linter" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to perform lint check on Makefiles + workspaces: + - name: shared-workspace + description: A workspace that contains the fetched git repository. + params: + - name: args + type: array + description: extra args needs to append + default: ["--help"] + steps: + - name: lint-makefile + image: docker.io/cytopia/checkmake:0.1.0@sha256:50957311f1ae25fd5925e1a45798d323cf00b3654cd1eede8db7814c72cec41d #tag: 0.1.0 + workingDir: $(workspaces.shared-workspace.path) + command: + - checkmake + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_curl.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_curl.yaml new file mode 100644 index 0000000..ccf5785 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_curl.yaml @@ -0,0 +1,32 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: curl + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: CLI + tekton.dev/tags: search + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + This task performs curl operation to transfer data from internet. + + params: + - name: url + description: URL to curl'ed + type: string + - name: options + description: options of url + type: array + default: [] + - name: curl-image + description: option of curl image + type: string + default: "docker.io/curlimages/curl:7.72.0@sha256:bd5bbd35f89b867c1dccbc84b8be52f3f74dea20b46c5fe0db3780e040afcb6f" #tag: 7.72.0 + steps: + - name: curl + image: "$(params.curl-image)" + command: [curl] + args: ["$(params.options[*])", "$(params.url)"] \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_docker-build.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_docker-build.yaml new file mode 100644 index 0000000..55606a9 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_docker-build.yaml @@ -0,0 +1,113 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: docker-build + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Image Build + tekton.dev/tags: docker, build-image, push-image, dind + tekton.dev/displayName: docker-build + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task will build and push an image using docker. + The task will build an out image out of a Dockerfile. + This image will be pushed to an image registry. + The image will be built and pushed using a dind sidecar over TCP+TLS. + params: + - name: image + description: Reference of the image docker will produce. + - name: builder_image + description: The location of the docker builder image. + default: docker.io/library/docker:stable@sha256:18ff92d3d31725b53fa6633d60bed323effb6d5d4588be7b547078d384e0d4bf #tag: stable + - name: dind_image + description: The location of the docker-in-docker image. + default: docker:dind + - name: dockerfile + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: context + description: Path to the directory to use as context. + default: . + - name: build_extra_args + description: Extra parameters passed for the build command when building images. + default: "" + - name: push_extra_args + description: Extra parameters passed for the push command when pushing images. + default: "" + - name: insecure_registry + description: Allows the user to push to an insecure registry that has been specified + default: "" + workspaces: + - name: source + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. + steps: + - name: docker-build + image: $(params.builder_image) + env: + # Connect to the sidecar over TCP, with TLS. + - name: DOCKER_HOST + value: tcp://localhost:2376 + # Verify TLS. + - name: DOCKER_TLS_VERIFY + value: '1' + # Use the certs generated by the sidecar daemon. + - name: DOCKER_CERT_PATH + value: /certs/client + workingDir: $(workspaces.source.path) + script: | + docker build \ + $(params.build_extra_args) \ + --no-cache \ + -f $(params.dockerfile) -t $(params.image) $(params.context) + volumeMounts: + - mountPath: /certs/client + name: dind-certs + - name: docker-push + image: $(params.builder_image) + env: + # Connect to the sidecar over TCP, with TLS. + - name: DOCKER_HOST + value: tcp://localhost:2376 + # Verify TLS. + - name: DOCKER_TLS_VERIFY + value: '1' + # Use the certs generated by the sidecar daemon. + - name: DOCKER_CERT_PATH + value: /certs/client + workingDir: $(workspaces.source.path) + script: | + docker push $(params.push_extra_args) $(params.image) + volumeMounts: + - mountPath: /certs/client + name: dind-certs + sidecars: + - image: $(params.dind_image) + name: server + args: + - --storage-driver=vfs + - --userland-proxy=false + - --debug + - --insecure-registry=$(params.insecure_registry) + securityContext: + privileged: true + env: + # Write generated certs to the path shared with the client. + - name: DOCKER_TLS_CERTDIR + value: /certs + volumeMounts: + - mountPath: /certs/client + name: dind-certs + # Wait for the dind daemon to generate the certs it will share with the + # client. + readinessProbe: + periodSeconds: 1 + exec: + command: ['ls', '/certs/client/ca.pem'] + volumes: + - name: dind-certs + emptyDir: {} \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_generate-build-id.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_generate-build-id.yaml new file mode 100644 index 0000000..14b7c0c --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_generate-build-id.yaml @@ -0,0 +1,42 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: generate-build-id + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Build Tools + tekton.dev/tags: build-tool + tekton.dev/displayName: "buildid" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + Given a base version, this task generates a unique build id by appending + the base-version to the current timestamp. + + params: + - name: base-version + description: Base product version + type: string + default: "1.0" + results: + - name: timestamp + description: Current timestamp + - name: build-id + description: ID of the current build + steps: + - name: get-timestamp + image: docker.io/library/bash:5.0.18@sha256:879f94a9da53dc064779e7a68339aecd60a9028ff884cacaa47ae752ca690404 #tag: 5.0.18 + script: | + #!/usr/bin/env bash + ts=`date "+%Y%m%d-%H%M%S"` + echo "Current Timestamp: ${ts}" + echo ${ts} | tr -d "\n" | tee $(results.timestamp.path) + - name: get-buildid + image: docker.io/library/bash:5.0.18@sha256:879f94a9da53dc064779e7a68339aecd60a9028ff884cacaa47ae752ca690404 #tag: 5.0.18 + script: | + #!/usr/bin/env bash + ts=`cat $(results.timestamp.path)` + buildId=$(inputs.params.base-version)-${ts} + echo ${buildId} | tr -d "\n" | tee $(results.build-id.path) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-clone.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-clone.yaml new file mode 100644 index 0000000..050b135 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-clone.yaml @@ -0,0 +1,242 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git-clone + labels: + app.kubernetes.io/version: "0.9" + annotations: + tekton.dev/pipelines.minVersion: "0.38.0" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/displayName: "git clone" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + These Tasks are Git tasks to work with repositories used by other tasks + in your Pipeline. + + The git-clone Task will clone a repo from the provided url into the + output Workspace. By default the repo will be cloned into the root of + your Workspace. You can clone into a subdirectory by setting this Task's + subdirectory param. This Task also supports sparse checkouts. To perform + a sparse checkout, pass a list of comma separated directory patterns to + this Task's sparseCheckoutDirectories param. + workspaces: + - name: output + description: The git repo will be cloned onto the volume backing this Workspace. + - name: ssh-directory + optional: true + description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. + - name: basic-auth + optional: true + description: | + A Workspace containing a .gitconfig and .git-credentials file. These + will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + - name: ssl-ca-directory + optional: true + description: | + A workspace containing CA certificates, this will be used by Git to + verify the peer with when fetching or pushing over HTTPS. + params: + - name: url + description: Repository URL to clone from. + type: string + - name: revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) + type: string + default: "" + - name: refspec + description: Refspec to fetch before checking out revision. + default: "" + - name: submodules + description: Initialize and fetch git submodules. + type: string + default: "true" + - name: depth + description: Perform a shallow clone, fetching only the most recent N commits. + type: string + default: "1" + - name: sslVerify + description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. + type: string + default: "true" + - name: crtFileName + description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt. + type: string + default: "ca-bundle.crt" + - name: subdirectory + description: Subdirectory inside the `output` Workspace to clone the repo into. + type: string + default: "" + - name: sparseCheckoutDirectories + description: Define the directory patterns to match or exclude when performing a sparse checkout. + type: string + default: "" + - name: deleteExisting + description: Clean out the contents of the destination directory if it already exists before cloning. + type: string + default: "true" + - name: httpProxy + description: HTTP proxy server for non-SSL requests. + type: string + default: "" + - name: httpsProxy + description: HTTPS proxy server for SSL requests. + type: string + default: "" + - name: noProxy + description: Opt out of proxying HTTP/HTTPS requests. + type: string + default: "" + - name: verbose + description: Log the commands that are executed during `git-clone`'s operation. + type: string + default: "true" + - name: gitInitImage + description: The image providing the git-init binary that this Task runs. + type: string + default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2" + - name: userHome + description: | + Absolute path to the user's home directory. + type: string + default: "/home/git" + results: + - name: commit + description: The precise commit SHA that was fetched by this Task. + - name: url + description: The precise URL that was fetched by this Task. + - name: committer-date + description: The epoch timestamp of the commit that was fetched by this Task. + steps: + - name: clone + image: "$(params.gitInitImage)" + env: + - name: HOME + value: "$(params.userHome)" + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_DEPTH + value: $(params.depth) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_CRT_FILENAME + value: $(params.crtFileName) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: PARAM_DELETE_EXISTING + value: $(params.deleteExisting) + - name: PARAM_HTTP_PROXY + value: $(params.httpProxy) + - name: PARAM_HTTPS_PROXY + value: $(params.httpsProxy) + - name: PARAM_NO_PROXY + value: $(params.noProxy) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES + value: $(params.sparseCheckoutDirectories) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND + value: $(workspaces.ssl-ca-directory.bound) + - name: WORKSPACE_SSL_CA_DIRECTORY_PATH + value: $(workspaces.ssl-ca-directory.path) + securityContext: + runAsNonRoot: true + runAsUser: 65532 + script: | + #!/usr/bin/env sh + set -eu + + if [ "${PARAM_VERBOSE}" = "true" ] ; then + set -x + fi + + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* + fi + + if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then + export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + if [ "${PARAM_CRT_FILENAME}" != "" ] ; then + export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" + fi + fi + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" + # or the root of a mounted volume. + if [ -d "${CHECKOUT_DIR}" ] ; then + # Delete non-hidden files and directories + rm -rf "${CHECKOUT_DIR:?}"/* + # Delete files and directories starting with . but excluding .. + rm -rf "${CHECKOUT_DIR}"/.[!.]* + # Delete files and directories starting with .. plus any other character + rm -rf "${CHECKOUT_DIR}"/..?* + fi + } + + if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then + cleandir || true + fi + + test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" + test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" + test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" + + git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" + /ko-app/git-init \ + -url="${PARAM_URL}" \ + -revision="${PARAM_REVISION}" \ + -refspec="${PARAM_REFSPEC}" \ + -path="${CHECKOUT_DIR}" \ + -sslVerify="${PARAM_SSL_VERIFY}" \ + -submodules="${PARAM_SUBMODULES}" \ + -depth="${PARAM_DEPTH}" \ + -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" + cd "${CHECKOUT_DIR}" + RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" + if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi + RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" + printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-version.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-version.yaml new file mode 100644 index 0000000..3e071a6 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_git-version.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git-version + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.0" + tekton.dev/displayName: "git version" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to create a version from git history + params: + - description: branch to checkout to create a version for e.g. "develop" + name: branch + type: string + results: + - description: The calculated git version you could use for git tagging e.g. "0.1.0-tektonize.1-188" + name: gitVersion + - description: A normalized version for use in container images e.g. "0.1.0-tektonize.1-188" + name: packageVersion + steps: + - image: mcr.microsoft.com/dotnet/sdk:3.1-focal@sha256:1d31e2582f69920c3a6ea9498bb7da285baffbca7ea84d90d9e5b545604cc92d + name: set-git-version + workingDir: $(workspaces.source.path) + securityContext: + runAsUser: 0 + env: + - name: PARAM_BRANCH + value: $(params.branch) + script: | + #!/usr/bin/env bash + export PATH="$PATH:/tekton/home/.dotnet/tools" + dotnet tool install GitVersion.Tool --version 5.5.0 --tool-path "/tekton/home/.dotnet/tools" + + git checkout "${PARAM_BRANCH}" + + export GITVERSION=$(dotnet gitversion /showvariable FullSemVer) + echo -n "${GITVERSION}" | tee $(results.gitVersion.path) + + # normalize a bit because + # image tags can only contain `abcdefghijklmnopqrstuvwxyz0123456789_-.ABCDEFGHIJKLMNOPQRSTUVWXYZ` + export PACKAGEVERSION=$(echo -n $GITVERSION | sed 's/[^-._0-9A-Za-z]/-/g') + echo -n "${PACKAGEVERSION}" | tee $(results.packageVersion.path) + workspaces: + - name: source + description: A workspace that contains the fetched git repository to create a version for. \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_gitea-set-status.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_gitea-set-status.yaml new file mode 100644 index 0000000..0bff09b --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_gitea-set-status.yaml @@ -0,0 +1,162 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: gitea-set-status + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/categories: Git + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: gitea + tekton.dev/displayName: "set gitea status" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" +spec: + description: >- + This task will set the status of the CI job to the specified value along + with a link to the specified target URL where developers can follow the + progress of the CI job. + + The `gitea-set-status` task allows external services to mark Gitea commits + with an `error`, `failure`, `pending`, or `success` state, which is then + reflected in pull requests involving those commits. Statuses include as well a + `description` and a `target_url`, to give the user informations about the CI + statuses or a direct link to the full log. + + params: + - name: GITEA_HOST_URL + description: | + The Gitea host, e.g: git.yourcompany.com. Can include port. + type: string + + - name: GITEA_HTTPS_OR_HTTP + description: | + If we should connect with HTTP or HTTPS. Use "http" or "https" here. + type: string + default: https + + - name: API_PATH_PREFIX + description: | + The API path prefix of Gitea, default: /api/v1 + default: "/api/v1" + type: string + + - name: REPO_FULL_NAME + description: | + The Gitea repository full name, e.g.: tektoncd/catalog + type: string + + - name: GITEA_TOKEN_SECRET_NAME + description: | + The name of the kubernetes secret that contains the Gitea token, default: gitea + type: string + default: gitea + + - name: GITEA_TOKEN_SECRET_KEY + description: | + The key within the kubernetes secret that contains the Gitea token, default: token + type: string + default: token + + - name: SHA + description: | + Commit SHA to set the status for. + type: string + + - name: TARGET_URL + description: | + The target URL to associate with this status. This URL will be linked + from the Gitea UI to allow users to easily see the source of the + status. + type: string + + - name: DESCRIPTION + description: | + A short description of the status. + type: string + + - name: CONTEXT + description: | + The Gitea context, A string label to differentiate this status from + the status of other systems. ie: "continuous-integration/tekton" + default: "continuous-integration/tekton" + type: string + + - name: STATE + description: | + The state of the status. Can be one of the following `error`, + `failure`, `pending`, `warning` or `success`. + type: string + + - name: IMAGE + description: | + Image providing the python binary which this task uses. + type: string + default: python:3.10.1-alpine3.15@sha256:affe0faa14e7553fc570beec3864e74b5e36f8c19b2bb49ae8ba79c0e9e7236e + + - name: SHEBANG + description: | + Python path. Depends on the image. + type: string + default: /usr/bin/env python + + volumes: + - name: giteatoken + secret: + secretName: $(params.GITEA_TOKEN_SECRET_NAME) + + steps: + - name: set-status + volumeMounts: + - name: giteatoken + mountPath: /etc/gitea-set-status + + image: $(params.IMAGE) + script: | + #!$(params.SHEBANG) + + """This script will set the CI status on a Gitea commit""" + + import json + import sys + import http.client + + gitea_token = open("/etc/gitea-set-status/$(params.GITEA_TOKEN_SECRET_KEY)", "r").read() + + status_url = "$(params.API_PATH_PREFIX)" + "/repos/$(params.REPO_FULL_NAME)/" + \ + "statuses/$(params.SHA)" + + data = { + "state": "$(params.STATE)", + "target_url": "$(params.TARGET_URL)", + "description": "$(params.DESCRIPTION)", + "context": "$(params.CONTEXT)" + } + print("Sending this data to Gitea: ") + print(data) + + authHeader = "token " + gitea_token + + if "$(params.GITEA_HTTPS_OR_HTTP)" == "https": + conn = http.client.HTTPSConnection("$(params.GITEA_HOST_URL)") + else: + conn = http.client.HTTPConnection("$(params.GITEA_HOST_URL)") + + conn.request( + "POST", + status_url, + body=json.dumps(data), + headers={ + "User-Agent": "TektonCD, the peaceful cat", + "Authorization": authHeader, + "Accept": "application/json", + "Content-Type": "application/json", + }) + resp = conn.getresponse() + if not str(resp.status).startswith("2"): + print("Error: %d" % (resp.status)) + print(resp.read()) + sys.exit(1) + else: + print("Gitea status '$(params.STATE)' has been set on " + "$(params.REPO_FULL_NAME)#$(params.SHA) ") \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_hadolint.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_hadolint.yaml new file mode 100644 index 0000000..1b2b257 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_hadolint.yaml @@ -0,0 +1,60 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + annotations: + tekton.dev/categories: Code Quality + tekton.dev/displayName: Hadolint + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/platforms: linux/amd64 + tekton.dev/tags: 'Kubernetes, Misconfiguration' + name: hadolint + labels: + app.kubernetes.io/version: '0.1' +spec: + description: >- + This task makes it possible to use Hadolint within Tekton Pipeline. + + A smarter Dockerfile linter that helps you build best practice Docker + images. The linter parses the Dockerfile into an AST and performs rules on + top of the AST + params: + - default: '' + description: ignore rules. + name: ignore-rules + type: string + - default: './Dockerfile' + description: Dockerfile path. + name: dockerfile-path + type: string + - default: tty + description: >- + The output format for the results [tty | json | checkstyle | codeclimate + | gitlab_codeclimate | codacy] (default tty). + name: output-format + type: string + steps: + - image: 'ghcr.io/hadolint/hadolint:v2.8.0-debian@sha256:50b0e60aa2b4aba5a26eeb4ad08c96ed7a828fca996632e29114aabea18345f4' + name: lint-dockerfile + script: | + #!/bin/bash + set -e + if [ -n "$RULES" ] + then + IFS="," read -a RULES <<< "$RULES" + for rule in ${RULES[@]}; do ignore_rules="--ignore $rule $ignore_rules"; done + command_to_run="hadolint ${ignore_rules}" + else + command_to_run="hadolint" + fi + $command_to_run "$DOCKERFILE" -f "$OFORMAT" + env: + - name: RULES + value: "$(params.ignore-rules)" + - name: DOCKERFILE + value: "$(params.dockerfile-path)" + - name: OFORMAT + value: "$(params.output-format)" + workingDir: $(workspaces.source.path) + workspaces: + - description: A workspace that contains fetched git repo. + name: source \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kaniko.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kaniko.yaml new file mode 100644 index 0000000..68eab0b --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kaniko.yaml @@ -0,0 +1,65 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kaniko + labels: + app.kubernetes.io/version: "0.6" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "Build and upload container image using Kaniko" + tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le" +spec: + description: >- + This Task builds a simple Dockerfile with kaniko and pushes to a registry. + This Task stores the image name and digest as results, allowing Tekton Chains to pick up + that an image was built & sign it. + params: + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. + default: ./ + - name: EXTRA_ARGS + type: array + default: [] + - name: BUILDER_IMAGE + description: The image on which builds will run (default is v1.5.1) + default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5 + workspaces: + - name: source + description: Holds the context and Dockerfile + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. + - name: IMAGE_URL + description: URL of the image just built. + steps: + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. + - --destination=$(params.IMAGE) + - --digest-file=$(results.IMAGE_DIGEST.path) + # kaniko assumes it is running as root, which means this example fails on platforms + # that default to run containers as random uid (like OpenShift). Adding this securityContext + # makes it explicit that it needs to run as root. + securityContext: + runAsUser: 0 + - name: write-url + image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9 + script: | + set -e + image="$(params.IMAGE)" + echo -n "${image}" | tee "$(results.IMAGE_URL.path)" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kube-linter.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kube-linter.yaml new file mode 100644 index 0000000..fed9040 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kube-linter.yaml @@ -0,0 +1,90 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kube-linter + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: Kubernetes, Misconfiguration + tekton.dev/displayName: "Kube-Linter" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task makes it possible to use kube-linter within Tekton Pipeline. + + The KubeLinter tool by StackRox is an open-source command-line interface to identify misconfigurations in Kubernetes objects. + KubeLinter offers the ability to integrate checks on Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. + With 31 standard built-in checks and the room to configure your own, you get immediate feedback about misconfigurations and Kubernetes security violations. + workspaces: + - name: source + description: A workspace that contains fetched git repo. + params: + - name: config_file_url + type: string + description: url from where the config file would be fetched. + default: "" + - name: config_file_path + type: string + description: path to config file. + default: "" + - name: manifest + type: string + description: path to manifest files or manifest directory to be checked. + default: "." + - name: includelist + type: string + description: "A string with comma separated checks to be included" + default: "" + - name: excludelist + type: string + description: "A string with comma separated checks to be excluded" + default: "" + - name: default_option + type: string + description: "provides two options (adding all built-in checks or disabling all default checks): add-all-built-in and/do-not-auto-add-defaults" + default: "" + - name: output_format + type: string + description: format in which report will be generated. (json|sarif|plain) (default:"json") + default: json + - name: args + type: array + description: "args" + default: [] + steps: + - name: fetch-config-file + image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 + workingDir: $(workspaces.source.path) + script: | + #!/usr/bin/env bash + set -e + + if [ -n "$(params.config_file_url)" ] + then + curl "$(params.config_file_url)" --output "$(params.config_file_path)" + echo "Fetched the config file from given ($(params.config_file_url)) URL and successfully saved at $(workspaces.source.path)/$(params.config_file_path)" + else + echo "No config file url was set" + fi + + - name: lint-yaml + image: docker.io/stackrox/kube-linter:0.2.2-2-g7d10a69154-alpine@sha256:e520e9d8d3a2dfa611914836536545b135845e7bda9f1df34b060e116232dbf0 + workingDir: $(workspaces.source.path) + script: | + mv ../../kube-linter ../../bin; + + if [ -n "$(params.config_file_path)" ] + then + kube-linter lint "$(params.manifest)" --config "$(params.config_file_path)" --format "$(params.output_format)" "$@" + else + if [ -n "$(params.default_option)" ] + then + kube-linter lint "$(params.manifest)" --"$(params.default_option)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@" + else + kube-linter lint "$(params.manifest)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@" + fi + fi + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kubeval.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kubeval.yaml new file mode 100644 index 0000000..70b0d1d --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_kubeval.yaml @@ -0,0 +1,41 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kubeval + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality, Kubernetes + tekton.dev/tags: test + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task makes it possible to use Kubeval within your Tekton pipelines. + + Kubeval is a tool used for validating Kubernetes configuration files. By + default the task will recursively scan the provided repository for YAML + files and validate them against the Kubernetes schemas. + + workspaces: + - name: source + params: + - name: files + default: "." + - name: output + default: "stdout" + - name: args + type: array + default: [] + + steps: + - name: kubeval + workingDir: $(workspaces.source.path) + image: docker.io/garethr/kubeval:0.15.0@sha256:6962d8ecbb7839637667f66e6703e6ebaae0c29dfe93a31d9968fba4324c7b8d #tag: 0.15.0 + command: + - kubeval + - -d + - $(params.files) + - -o + - $(params.output) + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_markdown-lint.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_markdown-lint.yaml new file mode 100644 index 0000000..2382cba --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_markdown-lint.yaml @@ -0,0 +1,31 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: markdown-lint + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: linter + tekton.dev/displayName: "Markdown linter" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to perform lint check on Markdown files + workspaces: + - name: shared-workspace + description: A workspace that contains the fetched git repository. + params: + - name: args + type: array + description: extra args needs to append + default: ["--help"] + steps: + - name: lint-markdown-files + image: docker.io/markdownlint/markdownlint:0.11.0@sha256:399a199c92f89f42cf3a0a1159bd86ca5cdc293fcfd39f87c0669ddee9767724 #tag: 0.11.0 + workingDir: $(workspaces.shared-workspace.path) + command: + - mdl + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_npm.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_npm.yaml new file mode 100644 index 0000000..7cc844a --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_npm.yaml @@ -0,0 +1,44 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: npm + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Build Tools + tekton.dev/tags: build-tool + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" +spec: + description: >- + This task can be used to run npm goals on a project. + + This task can be used to run npm goals on a project + where package.json is present and has some pre-defined + npm scripts. + workspaces: + - name: source + params: + - name: PATH_CONTEXT + type: string + default: "." + description: The path where package.json of the project is defined. + - name: ARGS + type: array + default: ["version"] + description: The npm goals you want to run. + - name: IMAGE + type: string + default: "docker.io/library/node:12-alpine@sha256:dfbebf17bfb014e1e7068e76325a117bccf8679c68aec6a28514184a209c8bae" + description: The node image you want to use. + steps: + - name: npm-run + image: $(params.IMAGE) + command: + - "npm" + args: + - $(params.ARGS) + workingDir: $(workspaces.source.path)/$(params.PATH_CONTEXT) + env: + - name: CI + value: "true" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_prometheus-gate.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_prometheus-gate.yaml new file mode 100644 index 0000000..8d0dc9c --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_prometheus-gate.yaml @@ -0,0 +1,62 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: prometheus-gate + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/categories: Monitoring + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: gate, prometheus + tekton.dev/displayName: prometheus gate + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + A gate task which will query the prometheus API in a loop and await a matching status for N length of time. + + params: + - name: prometheus_endpoint + type: string + description: Prometheus API endpoint + - name: range_query + type: string + description: range query to use to define SLO + - name: range_time + type: string + description: time we want to assert fits the SLO + default: "-10m" + - name: target_value + type: string + description: value we will use as threshold + default: "1" + - name: target_strategy + type: string + description: The target_strategy is min,max or equal + default: "min" + - name: timeout + type: string + description: timeout of the gate + default: "3600" + - name: tick_time + type: string + description: how often to draw data from prometheus + default: "1m" + steps: + - name: gate + image: docker.io/iancoffey/prometheus-gate-cf7c3e662ede0a4e9bc24d37d2af86d6@sha256:c3df9d8400aef7acb76f409d1e347c5ecaa6f28a69df50981c14bfe87add85d7 + env: + - name: "PROMETHEUS_ENDPOINT" + value: $(params.prometheus_endpoint) + - name: "RANGE_QUERY" + value: $(params.range_query) + - name: "RANGE_TIME" + value: $(params.range_time) + - name: "TARGET_VALUE" + value: $(params.target_value) + - name: "TARGET_STRATEGY" + value: $(params.target_strategy) + - name: "TIMEOUT" + value: $(params.timeout) + - name: "TICK_TIME" + value: $(params.tick_time) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_pylint.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_pylint.yaml new file mode 100644 index 0000000..5747174 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_pylint.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: pylint + labels: + app.kubernetes.io/version: "0.3" + annotations: + tekton.dev/categories: Code Quality + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: python, pylint + tekton.dev/displayName: pylint + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task will run pylint on the provided input. + + workspaces: + - name: source + - description: The workspace consisting of the custom pip settings. + name: pip-conf + optional: true + params: + - name: image + description: The container image with pylint + default: registry.gitlab.com/pipeline-components/pylint:0.12.0@sha256:051b701936dfab6fa27bd1ebd50ef56b19577565661bc0227e50dd1cf94a3d6e + - name: path + description: The path to the module which should be analysed by pylint + default: "." + type: string + - name: requirements_file + description: The name of the requirements file inside the source location + default: "requirements.txt" + - name: args + description: The arguments to pass to the pylint CLI. + type: array + default: [] + - name: pip_conf_file + description: The name of the custom pip config file. + default: "pip.conf" + steps: + - name: pylint + image: $(params.image) + workingDir: $(workspaces.source.path) + env: + - name: HOME + value: /tmp/python + - name: PARAM_PIP_CONF_FILE + value: $(params.pip_conf_file) + - name: WORKSPACE_PIP_CONF_BOUND + value: $(workspaces.pip-conf.bound) + - name: WORKSPACE_PIP_CONF_PATH + value: $(workspaces.pip-conf.path) + script: | + export PATH=$PATH:$HOME/.local/bin + + if [ "${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then + export PIP_CONFIG_FILE="${WORKSPACE_PIP_CONF_PATH}/${PARAM_PIP_CONF_FILE}" + fi + + if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then + python -mpip install --user -r "$(params.requirements_file)" + fi + pylint $@ "$(params.path)" + args: + - "$(params.args)" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_pytest.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_pytest.yaml new file mode 100644 index 0000000..1f54808 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_pytest.yaml @@ -0,0 +1,77 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: pytest + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/categories: Testing + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: python, pytest + tekton.dev/displayName: pytest + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" +spec: + description: >- + This task will run pytest on the provided input. + + workspaces: + - name: source + - description: The workspace consisting of the custom pip settings. + name: pip-conf + optional: true + params: + - name: PYTHON_IMAGE + description: The used Python image + type: string + default: "docker.io/python:3.11.1-bullseye" + - name: ARGS + description: The additional arguments to be used with pytest + type: string + default: "" + - name: SOURCE_PATH + description: The path to the source code + default: "." + - name: REQUIREMENTS_FILE + description: The name of the requirements file inside the source location, with fallback to the requirements file in the root location + default: "requirements.txt" + - name: PIP_CONF_FILE + description: The name of the custom pip config file. + default: "pip.conf" + steps: + - name: unit-test + image: $(params.PYTHON_IMAGE) + workingDir: $(workspaces.source.path) + env: + - name: PARAM_PIP_CONF_FILE + value: $(params.PIP_CONF_FILE) + - name: WORKSPACE_PIP_CONF_BOUND + value: $(workspaces.pip-conf.bound) + - name: WORKSPACE_PIP_CONF_PATH + value: $(workspaces.pip-conf.path) + script: | + export PATH=$PATH:$HOME/.local/bin + + if [ "${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then + export PIP_CONFIG_FILE="${WORKSPACE_PIP_CONF_PATH}/${PARAM_PIP_CONF_FILE}" + fi + + if [ -e "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" ]; + then + pip install -r "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" + pip show pytest || { + printf "###\nWarning: Pytest is missing in your test requirements file\n###"; + pip install pytest + } + else + if [ -e "$(params.REQUIREMENTS_FILE)" ]; + then + pip install -r "$(params.REQUIREMENTS_FILE)" + fi + pip install pytest + fi + if [ -z "$(params.ARGS)" ]; then + pytest "$(params.SOURCE_PATH)" + else + pytest "$(params.ARGS)" "$(params.SOURCE_PATH)" + fi \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_python-coverage.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_python-coverage.yaml new file mode 100644 index 0000000..e3e101d --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_python-coverage.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: python-coverage + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/categories: Code Quality + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: python, coverage + tekton.dev/displayName: python coverage + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" +spec: + description: >- + This task can be used to measure code coverage of Python projects. + + workspaces: + - name: source + params: + - name: PYTHON + description: The used Python version, more precisely the tag for the Python image + type: string + default: "latest" + - name: ARGS + description: The additional arguments to be used with pytest + type: string + default: "" + - name: SOURCE_PATH + description: The path to the source code + default: "." + - name: REQUIREMENTS_FILE + description: The name of the requirements file inside the source location + default: "requirements.txt" + steps: + - name: code-coverage + image: docker.io/python:$(inputs.params.PYTHON) + workingDir: $(workspaces.source.path) + script: | + export PATH=$PATH:$HOME/.local/bin + if [ -n "$(inputs.params.REQUIREMENTS_FILE)" ] && [ -e "$(inputs.params.REQUIREMENTS_FILE)" ];then + pip install -r $(inputs.params.SOURCE_PATH)/$(inputs.params.REQUIREMENTS_FILE) + pip show pytest || { + echo "###\nWarning: Pytest is missing in your requirements\n###"; + pip install pytest + } + pip show coverage || { + echo "###\nWarning: Coverage is missing in your requirements\n###"; + pip install coverage + } + else + pip install pytest coverage + fi + coverage run -m pytest $(inputs.params.ARGS) $(inputs.params.SOURCE_PATH) + coverage report -m \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_shellcheck.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_shellcheck.yaml new file mode 100644 index 0000000..1f43b45 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_shellcheck.yaml @@ -0,0 +1,31 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: shellcheck + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: linter + tekton.dev/displayName: "Shellcheck" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to perform lint check on Shell Script files + workspaces: + - name: shared-workspace + description: A workspace that contains the fetched git repository. + params: + - name: args + type: array + description: extra args needs to append + default: ["--help"] + steps: + - name: lint-shell + image: docker.io/koalaman/shellcheck:v0.7.1@sha256:ad95c140f7bf5cc66e50e19da7d72c398583ba24c5866ac32c882eb3ddc153ee #tag: v0.7.1 + workingDir: $(workspaces.shared-workspace.path) + command: + - /bin/shellcheck + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_skopeo-copy.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_skopeo-copy.yaml new file mode 100644 index 0000000..29a98f2 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_skopeo-copy.yaml @@ -0,0 +1,79 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: skopeo-copy + labels: + app.kubernetes.io/version: "0.3" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: CLI + tekton.dev/tags: cli + tekton.dev/displayName: "skopeo copy" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + Skopeo is a command line tool for working with remote image registries. + + Skopeo doesn’t require a daemon to be running while performing its operations. + In particular, the handy skopeo command called copy will ease the whole image + copy operation. The copy command will take care of copying the image from + internal.registry to production.registry. If your production registry requires + credentials to login in order to push the image, skopeo can handle that as well. + + workspaces: + - name: images-url + params: + - name: srcImageURL + description: URL of the image to be copied to the destination registry + type: string + default: "" + - name: destImageURL + description: URL of the image where the image from source should be copied to + type: string + default: "" + - name: srcTLSverify + description: Verify the TLS on the src registry endpoint + type: string + default: "true" + - name: destTLSverify + description: Verify the TLS on the dest registry endpoint + type: string + default: "true" + steps: + - name: skopeo-copy + env: + - name: HOME + value: /tekton/home + image: quay.io/skopeo/stable:v1 + script: | + # Function to copy multiple images. + # + copyimages() { + filename="$(workspaces.images-url.path)/url.txt" + while IFS= read -r line || [ -n "$line" ] + do + cmd="" + for url in $line + do + # echo $url + cmd="$cmd \ + $url" + done + read -ra sourceDest <<<"${cmd}" + skopeo copy "${sourceDest[@]}" --src-tls-verify="$(params.srcTLSverify)" --dest-tls-verify="$(params.destTLSverify)" + echo "$cmd" + done < "$filename" + } + # + # If single image is to be copied then, it can be passed through + # params in the taskrun. + if [ "$(params.srcImageURL)" != "" ] && [ "$(params.destImageURL)" != "" ] ; then + skopeo copy "$(params.srcImageURL)" "$(params.destImageURL)" --src-tls-verify="$(params.srcTLSverify)" --dest-tls-verify="$(params.destTLSverify)" + else + # If file is provided as a configmap in the workspace then multiple images can be copied. + # + copyimages + fi + securityContext: + runAsNonRoot: true + runAsUser: 65532 \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_sonarqube-scanner.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_sonarqube-scanner.yaml new file mode 100644 index 0000000..f2a2387 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_sonarqube-scanner.yaml @@ -0,0 +1,158 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: sonarqube-scanner + labels: + app.kubernetes.io/version: "0.4" + annotations: + tekton.dev/deprecated: "true" + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Security + tekton.dev/tags: security + tekton.dev/displayName: "sonarqube scanner" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + The following task can be used to perform static analysis on the source code + provided the SonarQube server is hosted + + SonarQube is the leading tool for continuously inspecting the Code Quality and Security + of your codebases, all while empowering development teams. Analyze over 25 popular + programming languages including C#, VB.Net, JavaScript, TypeScript and C++. It detects + bugs, vulnerabilities and code smells across project branches and pull requests. + + workspaces: + - name: source + description: "Workspace containing the code which needs to be scanned by SonarQube" + - name: sonar-settings + description: "Optional workspace where SonarQube properties can be mounted" + optional: true + - name: sonar-credentials + description: | + A workspace containing a login or password for use within sonarqube. + optional: true + params: + - name: SONAR_HOST_URL + description: SonarQube server URL + default: "" + - name: SONAR_PROJECT_KEY + description: Project's unique key + default: "" + - name: PROJECT_VERSION + description: "Version of the project. Default: 1.0" + default: "1.0" + - name: SOURCE_TO_SCAN + description: "Comma-separated paths to directories containing main source files" + default: "." + - name: SONAR_ORGANIZATION + description: "The organization in sonarqube where the project exists" + default: "" + - name: SONAR_SCANNER_IMAGE + description: "The sonarqube scanner CLI image which will run the scan" + default: "docker.io/sonarsource/sonar-scanner-cli:4.6@sha256:7a976330a8bad1beca6584c1c118e946e7a25fdc5b664d5c0a869a6577d81b4f" + - name: SONAR_LOGIN_KEY + description: Name of the file of the login within the sonarqube credentials workspace + default: "login" + - name: SONAR_PASSWORD_KEY + description: Name of the file of the password within the sonarqube credentials workspace + default: "password" + steps: + - name: sonar-properties-create + image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 + workingDir: $(workspaces.source.path) + env: + - name: SONAR_HOST_URL + value: $(params.SONAR_HOST_URL) + - name: SONAR_PROJECT_KEY + value: $(params.SONAR_PROJECT_KEY) + - name: PROJECT_VERSION + value: $(params.PROJECT_VERSION) + - name: SOURCE_TO_SCAN + value: $(params.SOURCE_TO_SCAN) + - name: SONAR_ORGANIZATION + value: $(params.SONAR_ORGANIZATION) + script: | + #!/usr/bin/env bash + + replaceValues() { + filename=$1 + thekey=$2 + newvalue=$3 + + if ! grep -R "^[#]*\s*${thekey}=.*" $filename >/dev/null; then + echo "APPENDING because '${thekey}' not found" + echo "" >>$filename + echo "$thekey=$newvalue" >>$filename + else + echo "SETTING because '${thekey}' found already" + sed -ir "s|^[#]*\s*${thekey}=.*|$thekey=$newvalue|" $filename + fi + } + + if [[ "$(workspaces.sonar-settings.bound)" == "true" ]]; then + if [[ -f $(workspaces.sonar-settings.path)/sonar-project.properties ]]; then + echo "using user provided sonar-project.properties file" + cp -RL $(workspaces.sonar-settings.path)/sonar-project.properties $(workspaces.source.path)/sonar-project.properties + fi + fi + + if [[ -f $(workspaces.source.path)/sonar-project.properties ]]; then + if [[ -n "${SONAR_HOST_URL}" ]]; then + echo "replacing sonar host URL" + replaceValues $(workspaces.source.path)/sonar-project.properties sonar.host.url "${SONAR_HOST_URL}" + fi + if [[ -n "${SONAR_PROJECT_KEY}" ]]; then + echo "replacing sonar project key" + replaceValues $(workspaces.source.path)/sonar-project.properties sonar.projectKey "${SONAR_PROJECT_KEY}" + fi + echo "Values in sonar-project.properties file replaced successfully..." + else + echo "Creating sonar-project.properties file..." + touch sonar-project.properties + [[ -n "${SONAR_PROJECT_KEY}" ]] && { + echo "sonar.projectKey=${SONAR_PROJECT_KEY}" >> sonar-project.properties + } || { + echo "missing property SONAR_PROJECT_KEY" + exit 1 + } + + [[ -n "${SONAR_HOST_URL}" ]] && { + echo "sonar.host.url=${SONAR_HOST_URL}" >> sonar-project.properties + } || { + echo "missing property SONAR_HOST_URL" + exit 1 + } + + [[ -n "${PROJECT_VERSION}" ]] && { + echo "sonar.projectVersion=${PROJECT_VERSION}" >> sonar-project.properties + } || { + echo "missing property PROJECT_VERSION" + exit 1 + } + + [[ -n "${SONAR_ORGANIZATION}" ]] && { + echo "sonar.organization=${SONAR_ORGANIZATION}" >> sonar-project.properties + } || { + echo "missing property SONAR_ORGANIZATION" + exit 1 + } + echo "sonar.sources=${SOURCE_TO_SCAN}" >> sonar-project.properties + echo "---------------------------" + cat $(workspaces.source.path)/sonar-project.properties + fi + + if [[ "$(workspaces.sonar-credentials.bound)" == "true" ]]; then + if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY) ]]; then + SONAR_PASSWORD=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY)` + replaceValues $(workspaces.source.path)/sonar-project.properties sonar.password "${SONAR_PASSWORD}" + fi + if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY) ]]; then + SONAR_LOGIN=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY)` + replaceValues $(workspaces.source.path)/sonar-project.properties sonar.login "${SONAR_LOGIN}" + fi + fi + - name: sonar-scan + image: $(params.SONAR_SCANNER_IMAGE) + workingDir: $(workspaces.source.path) + command: + - sonar-scanner \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ts-lint.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ts-lint.yaml new file mode 100644 index 0000000..cddd991 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_ts-lint.yaml @@ -0,0 +1,31 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ts-lint + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: linter + tekton.dev/displayName: "TypeScript linter" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to perform lint check on TypeScript files + workspaces: + - name: shared-workspace + description: A workspace that contains the fetched git repository. + params: + - name: args + type: array + description: extra args needs to append + default: ["--help"] + steps: + - name: lint-typescript + image: docker.io/pipelinecomponents/tslint:0.14.1@sha256:85c7dd3f2b6d411fd01b8ad489afd20fb6ac4b2560f29ca506782c1f1a8d9b45 #tag: 0.14.1 + workingDir: $(workspaces.shared-workspace.path) + command: + - tslint + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_write-file.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_write-file.yaml new file mode 100644 index 0000000..e1847a1 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_write-file.yaml @@ -0,0 +1,57 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: write-file + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Developer Tools + tekton.dev/tags: generic + tekton.dev/displayName: Write a file + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" +spec: + description: >- + Write a file to a workspace + + This task can be used to write a file onto the output workspace. + Use parameter expansion to insert variable content into the written + file. It can also set specific permissions on the file. + params: + - name: path + type: string + description: > + Relative path to create within the workspace. Directories will + be created as necessary. + - name: contents + type: string + description: > + Contents of the file to create. + - name: mode + type: string + default: "0755" + description: > + chmod-style permission string to apply to the file. Note that + octal numbers need quoting in YAML. Mode will not be applied + to created directories. + workspaces: + - name: output + description: Workspace onto which the file is written. + steps: + - name: write-file + image: docker.io/library/alpine:3.12@sha256:36553b10a4947067b9fbb7d532951066293a68eae893beba1d9235f7d11a20ad + workingDir: $(workspaces.output.path) + env: + - name: PARAM_PATH + value: $(params.path) + - name: PARAM_MODE + value: $(params.mode) + - name: PARAM_CONTENTS + value: $(params.contents) + script: | + #!/bin/sh + set -eu + DIRNAME=$(dirname "${PARAM_PATH}") + mkdir -p "$DIRNAME" + printf '%s' "${PARAM_CONTENTS}" > "./${PARAM_PATH}" + chmod "${PARAM_MODE}" "./${PARAM_PATH}" \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_yaml-lint.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_yaml-lint.yaml new file mode 100644 index 0000000..f90b408 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_yaml-lint.yaml @@ -0,0 +1,31 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: yaml-lint + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Code Quality + tekton.dev/tags: linter + tekton.dev/displayName: "YAML linter" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to perform lint check on YAML files + workspaces: + - name: shared-workspace + description: A workspace that contains the fetched git repository. + params: + - name: args + type: array + description: extra args needs to append + default: ["--help"] + steps: + - name: lint-yaml-files + image: docker.io/cytopia/yamllint:1.23@sha256:e9deea51bbdc35950cacf6594dab94100d9bbf5c987540b8874167d58e6bdce2 #tag: 1.23 + workingDir: $(workspaces.shared-workspace.path) + command: + - yamllint + args: + - $(params.args) \ No newline at end of file diff --git a/share/gitea-tekton-org/tekton.dev_v1beta1_Task_yq.yaml b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_yq.yaml new file mode 100644 index 0000000..b032441 --- /dev/null +++ b/share/gitea-tekton-org/tekton.dev_v1beta1_Task_yq.yaml @@ -0,0 +1,57 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: yq + labels: + app.kubernetes.io/version: "0.4" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Developer Tools + tekton.dev/tags: yq + tekton.dev/displayName: "YQ" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task can be used to replace fields in YAML files. For example for altering helm charts on GitOps repos. + workspaces: + - name: source + description: A workspace that contains the file which needs to be altered. + params: + - name: SCRIPT + type: string + description: The yq script to execute. Can be multiple lines for complex tasks. + default: "" + - name: image + type: string + description: The yq image to use. + default: docker.io/mikefarah/yq:4.27.5@sha256:2be3626ed633fbe1fc33ee9343a1256a6be53334412b2251b9a859f8c145bb53 + - name: files + type: array + description: (deprecated, use SCRIPT instead) A list of files to execute the expression on. Needs to be relative to the source workspace. + default: [] + - name: expression + type: string + description: (deprecated, use SCRIPT instead) The yq expression to apply. Can be used to replace yaml fields. + default: "" + results: + - name: yq + description: The result from your yq command. You can write to it using `$(results.yq.path)` + steps: + - name: yq-script + image: $(params.image) + workingDir: $(workspaces.source.path) + args: ["$(params.files[*])"] + script: | + /usr/bin/env sh + set -e + + # For backwards compatibility with previous versions + if [ "$(params.SCRIPT)" = "" ]; then + for var in "$@" + do + /usr/bin/yq eval -i "$(params.expression)" "$var" + done + exit $? + fi + + $(params.SCRIPT) \ No newline at end of file diff --git a/share/organisation/ci-space.tf b/share/organisation/ci-space.tf new file mode 100644 index 0000000..debaf7d --- /dev/null +++ b/share/organisation/ci-space.tf @@ -0,0 +1,66 @@ +resource "kubernetes_namespace_v1" "ns-tekton" { + count = var.haveGitea && var.haveTekton?1:0 + metadata { + annotations = local.annotations + labels = merge(local.common-labels, local.annotations) + name = "${var.domain}-ci-${var.instance}" + } +} + +resource "kubectl_manifest" "tekton" { + count = var.haveGitea && var.haveTekton?1:0 + depends_on = [kubernetes_namespace_v1.ns-tekton] + yaml_body = <<-EOF + apiVersion: "vynil.solidite.fr/v1" + kind: "Install" + metadata: + name: "tekton-base" + namespace: "${var.domain}-ci-${var.instance}" + labels: ${jsonencode(local.common-labels)} + spec: + distrib: "${var.distributions.domain}" + category: "share" + component: "gitea-tekton-org" + options: + domain: "${var.domain}" + organization: "${trimprefix(var.instance,"org-")}" + EOF +} + +resource "kubectl_manifest" "ci-ssh-creds" { + depends_on = [kubernetes_namespace_v1.ns-tekton] + count = var.haveGitea && var.haveTekton?1:0 + yaml_body = <<-EOF + apiVersion: "secretgenerator.mittwald.de/v1alpha1" + kind: "SSHKeyPair" + metadata: + name: "ssh-credentials" + namespace: "${var.domain}-ci-${var.instance}" + labels: ${jsonencode(local.common-labels)} + spec: + length: "2048" + forceRegenerate: false + data: + known_hosts: "${data.local_file.known_host[0].content}" + EOF + lifecycle { + ignore_changes = [ + yaml_body, + ] + } +} + +data "kubernetes_secret_v1" "ci-ssh-creds-read" { + depends_on = [kubectl_manifest.ci-ssh-creds] + count = var.haveGitea && var.haveTekton?1:0 + metadata { + name = "ssh-credentials" + namespace = "${var.domain}-ci-${var.instance}" + } +} +resource "gitea_public_key" "user-ci-keys" { + count = var.haveGitea && var.haveTekton?1:0 + title = "Tekton token to read repository ${var.instance}" + username = gitea_user.user-ci[0].username + key = data.kubernetes_secret_v1.ci-ssh-creds-read[count.index].data["ssh-publickey"] +} diff --git a/share/organisation/gitea-user.tf b/share/organisation/gitea-user.tf index ece8f87..4480206 100644 --- a/share/organisation/gitea-user.tf +++ b/share/organisation/gitea-user.tf @@ -1,5 +1,6 @@ locals { - needUser = length(local.sorted-stages)>0 && var.haveGitea + needKnownHost = var.haveGitea && (length(local.sorted-stages)>0 || var.haveTekton) + needDeploy = var.haveGitea && length(local.sorted-stages)>0 gitea_host = "http://gitea-http.${var.domain}-ci.svc:3000/" gitea_username = data.kubernetes_secret_v1.gitea.data["username"] gitea_password = data.kubernetes_secret_v1.gitea.data["password"] @@ -27,7 +28,7 @@ data "kubernetes_service" "gitea-ssh" { } resource "null_resource" "get_known" { - count = local.needUser?1:0 + count = local.needKnownHost?1:0 triggers = { always_run = "${timestamp()}" } provisioner "local-exec" { command = "ssh-keyscan -p ${data.kubernetes_service.gitea-ssh.spec.0.port.0.port} ${var.gitea-ssh-domain!=""?var.gitea-ssh-domain:data.kubernetes_ingress_v1.gitea.spec[0].rule[0].host} > ${path.module}/known_host.txt" @@ -35,14 +36,14 @@ resource "null_resource" "get_known" { } data "local_file" "known_host" { - count = local.needUser?1:0 + count = local.needKnownHost?1:0 filename = "${path.module}/known_host.txt" depends_on = [null_resource.get_known] } resource "kubectl_manifest" "ssh-creds" { depends_on = [kubernetes_namespace_v1.ns] - count = local.needUser?length(local.sorted-stages):0 + count = var.haveGitea?length(local.sorted-stages):0 yaml_body = <<-EOF apiVersion: "secretgenerator.mittwald.de/v1alpha1" kind: "SSHKeyPair" @@ -65,7 +66,7 @@ resource "kubectl_manifest" "ssh-creds" { data "kubernetes_secret_v1" "ssh-creds-read" { depends_on = [kubectl_manifest.ssh-creds] - count = local.needUser?length(local.sorted-stages):0 + count = var.haveGitea?length(local.sorted-stages):0 metadata { name = "ssh-credentials" namespace = "${local.sorted-stages[count.index].namespace}" @@ -79,7 +80,7 @@ resource "random_password" "password" { } resource "gitea_user" "user-ci" { - count = local.needUser?1:0 + count = local.needKnownHost?1:0 username = "${var.instance}-ci" login_name = "${var.instance}-ci" password = random_password.password.result @@ -88,7 +89,7 @@ resource "gitea_user" "user-ci" { } resource "gitea_public_key" "user-ci-keys" { - count = local.needUser?length(local.sorted-stages):0 + count = var.haveGitea?length(local.sorted-stages):0 title = "Stage ${local.sorted-stages[count.index].name} for organisation ${var.instance}" username = gitea_user.user-ci[0].username key = data.kubernetes_secret_v1.ssh-creds-read[count.index].data["ssh-publickey"] @@ -100,23 +101,32 @@ resource "gitea_org" "orga" { } resource "gitea_repository" "deploy" { - count = local.needUser?1:0 + count = local.needDeploy?1:0 username = gitea_org.orga[0].name name = "deploy" private = true } -resource "gitea_team" "ci-team" { - count = local.needUser?1:0 - name = "Automation" +resource "gitea_team" "cd-team" { + count = local.needDeploy?1:0 + name = "Deployment" organisation = gitea_org.orga[0].name - description = "Automation" + description = "Deployment" permission = "write" members = [gitea_user.user-ci[0].username] include_all_repositories = false repositories = [gitea_repository.deploy[0].name] } +resource "gitea_team" "ci-team" { + count = local.needKnownHost?1:0 + name = "Automation" + organisation = gitea_org.orga[0].name + description = "Automation" + permission = "read" + members = [gitea_user.user-ci[0].username] +} + resource "gitea_team" "dev-team" { count = var.haveGitea?1:0 name = "Devs" diff --git a/share/organisation/index.yaml b/share/organisation/index.yaml index 07da37f..d8346ab 100644 --- a/share/organisation/index.yaml +++ b/share/organisation/index.yaml @@ -88,6 +88,11 @@ options: examples: - false type: boolean + haveTekton: + default: false + examples: + - false + type: boolean ingress_class: default: traefik examples: