resource "kubectl_manifest" "Task_python-coverage" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: python-coverage labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Code Quality tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/tags: python, coverage tekton.dev/displayName: python coverage tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le namespace: ${var.namespace} spec: description: This task can be used to measure code coverage of Python projects. workspaces: - name: source params: - name: PYTHON description: The used Python version, more precisely the tag for the Python image type: string default: latest - name: ARGS description: The additional arguments to be used with pytest type: string default: '' - name: SOURCE_PATH description: The path to the source code default: . - name: REQUIREMENTS_FILE description: The name of the requirements file inside the source location default: requirements.txt steps: - name: code-coverage image: docker.io/python:$(inputs.params.PYTHON) workingDir: $(workspaces.source.path) script: |- export PATH=$PATH:$HOME/.local/bin if [ -n "$(inputs.params.REQUIREMENTS_FILE)" ] && [ -e "$(inputs.params.REQUIREMENTS_FILE)" ];then pip install -r $(inputs.params.SOURCE_PATH)/$(inputs.params.REQUIREMENTS_FILE) pip show pytest || { echo "###\nWarning: Pytest is missing in your requirements\n###"; pip install pytest } pip show coverage || { echo "###\nWarning: Coverage is missing in your requirements\n###"; pip install coverage } else pip install pytest coverage fi coverage run -m pytest $(inputs.params.ARGS) $(inputs.params.SOURCE_PATH) coverage report -m EOF } resource "kubectl_manifest" "Task_npm" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: npm labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/categories: Build Tools tekton.dev/tags: build-tool tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le namespace: ${var.namespace} spec: description: |- This task can be used to run npm goals on a project. This task can be used to run npm goals on a project where package.json is present and has some pre-defined npm scripts. workspaces: - name: source params: - name: PATH_CONTEXT type: string default: . description: The path where package.json of the project is defined. - name: ARGS type: array default: - version description: The npm goals you want to run. - name: IMAGE type: string default: docker.io/library/node:12-alpine@sha256:dfbebf17bfb014e1e7068e76325a117bccf8679c68aec6a28514184a209c8bae description: The node image you want to use. steps: - name: npm-run image: $(params.IMAGE) command: - npm args: - $(params.ARGS) workingDir: $(workspaces.source.path)/$(params.PATH_CONTEXT) env: - name: CI value: 'true' EOF } resource "kubectl_manifest" "Task_pytest" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: pytest labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Testing tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/tags: python, pytest tekton.dev/displayName: pytest tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le namespace: ${var.namespace} spec: description: This task will run pytest on the provided input. workspaces: - name: source - description: The workspace consisting of the custom pip settings. name: pip-conf optional: true params: - name: PYTHON_IMAGE description: The used Python image type: string default: docker.io/python:3.11.1-bullseye - name: ARGS description: The additional arguments to be used with pytest type: string default: '' - name: SOURCE_PATH description: The path to the source code default: . - name: REQUIREMENTS_FILE description: The name of the requirements file inside the source location, with fallback to the requirements file in the root location default: requirements.txt - name: PIP_CONF_FILE description: The name of the custom pip config file. default: pip.conf steps: - name: unit-test image: $(params.PYTHON_IMAGE) workingDir: $(workspaces.source.path) env: - name: PARAM_PIP_CONF_FILE value: $(params.PIP_CONF_FILE) - name: WORKSPACE_PIP_CONF_BOUND value: $(workspaces.pip-conf.bound) - name: WORKSPACE_PIP_CONF_PATH value: $(workspaces.pip-conf.path) script: |- export PATH=$PATH:$HOME/.local/bin if [ "$${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then export PIP_CONFIG_FILE="$${WORKSPACE_PIP_CONF_PATH}/$${PARAM_PIP_CONF_FILE}" fi if [ -e "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" ]; then pip install -r "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" pip show pytest || { printf "###\nWarning: Pytest is missing in your test requirements file\n###"; pip install pytest } else if [ -e "$(params.REQUIREMENTS_FILE)" ]; then pip install -r "$(params.REQUIREMENTS_FILE)" fi pip install pytest fi if [ -z "$(params.ARGS)" ]; then pytest "$(params.SOURCE_PATH)" else pytest "$(params.ARGS)" "$(params.SOURCE_PATH)" fi EOF } resource "kubectl_manifest" "Task_shellcheck" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: shellcheck labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality tekton.dev/tags: linter tekton.dev/displayName: Shellcheck tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: This task can be used to perform lint check on Shell Script files workspaces: - name: shared-workspace description: A workspace that contains the fetched git repository. params: - name: args type: array description: extra args needs to append default: - --help steps: - name: lint-shell image: docker.io/koalaman/shellcheck:v0.7.1@sha256:ad95c140f7bf5cc66e50e19da7d72c398583ba24c5866ac32c882eb3ddc153ee workingDir: $(workspaces.shared-workspace.path) command: - /bin/shellcheck args: - $(params.args) EOF } resource "kubectl_manifest" "Task_markdown-lint" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: markdown-lint labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality tekton.dev/tags: linter tekton.dev/displayName: Markdown linter tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: This task can be used to perform lint check on Markdown files workspaces: - name: shared-workspace description: A workspace that contains the fetched git repository. params: - name: args type: array description: extra args needs to append default: - --help steps: - name: lint-markdown-files image: docker.io/markdownlint/markdownlint:0.11.0@sha256:399a199c92f89f42cf3a0a1159bd86ca5cdc293fcfd39f87c0669ddee9767724 workingDir: $(workspaces.shared-workspace.path) command: - mdl args: - $(params.args) EOF } resource "kubectl_manifest" "Task_black" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: black labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality tekton.dev/tags: formatter, python, black tekton.dev/displayName: Python Black tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: This task can be used to format Python code workspaces: - name: shared-workspace description: The workspace containing python source code which we want to format. params: - name: image description: The container image to use black in default: docker.io/cytopia/black:latest-0.2@sha256:2ec766f1c7e42e6b59c0873ce066fa0a2aa2bf8a80dbc1c40f1566bb539303e0 - name: requirements_file description: The name of the requirements file inside the source location default: requirements.txt - name: args type: array description: extra args that needs to be appended default: - --help steps: - name: format-python-code image: $(params.image) workingDir: $(workspaces.shared-workspace.path) script: | export HOME=/tmp/python export PATH=$PATH:/tmp/python/.local/bin if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then python -mpip install --user -r $(params.requirements_file) fi black $@ args: - $(params.args) EOF } resource "kubectl_manifest" "Task_kube-linter" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: kube-linter labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality tekton.dev/tags: Kubernetes, Misconfiguration tekton.dev/displayName: Kube-Linter tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: |- This task makes it possible to use kube-linter within Tekton Pipeline. The KubeLinter tool by StackRox is an open-source command-line interface to identify misconfigurations in Kubernetes objects. KubeLinter offers the ability to integrate checks on Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. With 31 standard built-in checks and the room to configure your own, you get immediate feedback about misconfigurations and Kubernetes security violations. workspaces: - name: source description: A workspace that contains fetched git repo. params: - name: config_file_url type: string description: url from where the config file would be fetched. default: '' - name: config_file_path type: string description: path to config file. default: '' - name: manifest type: string description: path to manifest files or manifest directory to be checked. default: . - name: includelist type: string description: A string with comma separated checks to be included default: '' - name: excludelist type: string description: A string with comma separated checks to be excluded default: '' - name: default_option type: string description: 'provides two options (adding all built-in checks or disabling all default checks): add-all-built-in and/do-not-auto-add-defaults' default: '' - name: output_format type: string description: format in which report will be generated. (json|sarif|plain) (default:"json") default: json - name: args type: array description: args default: [] steps: - name: fetch-config-file image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 workingDir: $(workspaces.source.path) script: | #!/usr/bin/env bash set -e if [ -n "$(params.config_file_url)" ] then curl "$(params.config_file_url)" --output "$(params.config_file_path)" echo "Fetched the config file from given ($(params.config_file_url)) URL and successfully saved at $(workspaces.source.path)/$(params.config_file_path)" else echo "No config file url was set" fi - name: lint-yaml image: docker.io/stackrox/kube-linter:0.2.2-2-g7d10a69154-alpine@sha256:e520e9d8d3a2dfa611914836536545b135845e7bda9f1df34b060e116232dbf0 workingDir: $(workspaces.source.path) script: | mv ../../kube-linter ../../bin; if [ -n "$(params.config_file_path)" ] then kube-linter lint "$(params.manifest)" --config "$(params.config_file_path)" --format "$(params.output_format)" "$@" else if [ -n "$(params.default_option)" ] then kube-linter lint "$(params.manifest)" --"$(params.default_option)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@" else kube-linter lint "$(params.manifest)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@" fi fi args: - $(params.args) EOF } resource "kubectl_manifest" "Task_yaml-lint" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: yaml-lint labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality tekton.dev/tags: linter tekton.dev/displayName: YAML linter tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: This task can be used to perform lint check on YAML files workspaces: - name: shared-workspace description: A workspace that contains the fetched git repository. params: - name: args type: array description: extra args needs to append default: - --help steps: - name: lint-yaml-files image: docker.io/cytopia/yamllint:1.23@sha256:e9deea51bbdc35950cacf6594dab94100d9bbf5c987540b8874167d58e6bdce2 workingDir: $(workspaces.shared-workspace.path) command: - yamllint args: - $(params.args) EOF } resource "kubectl_manifest" "Task_buildpacks-phases" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: buildpacks-phases labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Image Build, Security tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/tags: image-build tekton.dev/displayName: Buildpacks (phases) tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: The Buildpacks-Phases task builds source into a container image and pushes it to a registry, using Cloud Native Buildpacks. This task separately calls the aspects of the Cloud Native Buildpacks lifecycle, to provide increased security via container isolation. workspaces: - name: source description: Directory where application source is located. - name: cache description: Directory where cache is stored (when no cache image is provided). optional: true params: - name: APP_IMAGE description: The name of where to store the app image. - name: BUILDER_IMAGE description: The image on which builds will run (must include lifecycle and compatible buildpacks). - name: SOURCE_SUBPATH description: A subpath within the `source` input where the source to build is located. default: '' - name: ENV_VARS type: array description: Environment variables to set during _build-time_. default: [] - name: PROCESS_TYPE description: The default process type to set on the image. default: web - name: RUN_IMAGE description: Reference to a run image to use. default: '' - name: CACHE_IMAGE description: The name of the persistent app cache image (if no cache workspace is provided). default: '' - name: USER_ID description: The user ID of the builder image user. default: '1000' - name: GROUP_ID description: The group ID of the builder image user. default: '1000' - name: PLATFORM_DIR description: The name of the platform directory. default: empty-dir - name: LIFECYCLE_IMAGE description: The image to use when executing sensitive phases. default: docker.io/buildpacksio/lifecycle:0.10.2@sha256:1bf8d3fc41d2fdf0ee4abdad50038ab8902ef58c74f5bcfc432c26767d889ed0 - name: USER_HOME description: Absolute path to the user's home directory. default: /tekton/home results: - name: APP_IMAGE_DIGEST description: The digest of the built `APP_IMAGE`. stepTemplate: env: - name: CNB_PLATFORM_API value: '0.4' - name: HOME value: $(params.USER_HOME) steps: - name: prepare image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 args: - --env-vars - $(params.ENV_VARS[*]) script: | #!/usr/bin/env bash set -e if [[ "$(workspaces.cache.bound)" == "true" ]]; then echo "> Setting permissions on '$(workspaces.cache.path)'..." chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)" fi for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do echo "> Setting permissions on '$path'..." chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path" done echo "> Parsing additional configuration..." parsing_flag="" envs=() for arg in "$@"; do if [[ "$arg" == "--env-vars" ]]; then echo "-> Parsing env variables..." parsing_flag="env-vars" elif [[ "$parsing_flag" == "env-vars" ]]; then envs+=("$arg") fi done echo "> Processing any environment variables..." ENV_DIR="/platform/env" echo "--> Creating 'env' directory: $ENV_DIR" mkdir -p "$ENV_DIR" for env in "$${envs[@]}"; do IFS='=' read -r key value string <<< "$env" if [[ "$key" != "" && "$value" != "" ]]; then path="$${ENV_DIR}/$${key}" echo "--> Writing $${path}..." echo -n "$value" > "$path" fi done volumeMounts: - name: layers-dir mountPath: /layers - name: $(params.PLATFORM_DIR) mountPath: /platform securityContext: privileged: true - name: copy-stack-toml image: $(params.BUILDER_IMAGE) imagePullPolicy: Always command: - /bin/sh args: - -c - | cp /cnb/stack.toml /layers/ volumeMounts: - name: layers-dir mountPath: /layers - name: detect image: $(params.BUILDER_IMAGE) imagePullPolicy: Always command: - /cnb/lifecycle/detector args: - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - -group=/layers/group.toml - -plan=/layers/plan.toml volumeMounts: - name: layers-dir mountPath: /layers - name: $(params.PLATFORM_DIR) mountPath: /platform - name: empty-dir mountPath: /tekton/home - name: analyze image: $(params.LIFECYCLE_IMAGE) imagePullPolicy: Always command: - /cnb/lifecycle/analyzer args: - -layers=/layers - -group=/layers/group.toml - -cache-dir=$(workspaces.cache.path) - -cache-image=$(params.CACHE_IMAGE) - -uid=$(params.USER_ID) - -gid=$(params.GROUP_ID) - $(params.APP_IMAGE) volumeMounts: - name: layers-dir mountPath: /layers - name: restore image: $(params.LIFECYCLE_IMAGE) imagePullPolicy: Always command: - /cnb/lifecycle/restorer args: - -group=/layers/group.toml - -layers=/layers - -cache-dir=$(workspaces.cache.path) - -cache-image=$(params.CACHE_IMAGE) - -uid=$(params.USER_ID) - -gid=$(params.GROUP_ID) volumeMounts: - name: layers-dir mountPath: /layers - name: build image: $(params.BUILDER_IMAGE) imagePullPolicy: Always command: - /cnb/lifecycle/builder args: - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - -layers=/layers - -group=/layers/group.toml - -plan=/layers/plan.toml volumeMounts: - name: layers-dir mountPath: /layers - name: $(params.PLATFORM_DIR) mountPath: /platform - name: empty-dir mountPath: /tekton/home - name: export image: $(params.LIFECYCLE_IMAGE) imagePullPolicy: Always command: - /cnb/lifecycle/exporter args: - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - -layers=/layers - -group=/layers/group.toml - -cache-dir=$(workspaces.cache.path) - -cache-image=$(params.CACHE_IMAGE) - -report=/layers/report.toml - -process-type=$(params.PROCESS_TYPE) - -uid=$(params.USER_ID) - -gid=$(params.GROUP_ID) - -stack=/layers/stack.toml - -run-image=$(params.RUN_IMAGE) - $(params.APP_IMAGE) volumeMounts: - name: layers-dir mountPath: /layers - name: results image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 script: | #!/usr/bin/env bash set -e cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path) volumeMounts: - name: layers-dir mountPath: /layers volumes: - name: empty-dir emptyDir: {} - name: layers-dir emptyDir: {} EOF } resource "kubectl_manifest" "Task_sonarqube-scanner" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: sonarqube-scanner labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/deprecated: 'true' tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/categories: Security tekton.dev/tags: security tekton.dev/displayName: sonarqube scanner tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: |- The following task can be used to perform static analysis on the source code provided the SonarQube server is hosted SonarQube is the leading tool for continuously inspecting the Code Quality and Security of your codebases, all while empowering development teams. Analyze over 25 popular programming languages including C#, VB.Net, JavaScript, TypeScript and C++. It detects bugs, vulnerabilities and code smells across project branches and pull requests. workspaces: - name: source description: Workspace containing the code which needs to be scanned by SonarQube - name: sonar-settings description: Optional workspace where SonarQube properties can be mounted optional: true - name: sonar-credentials description: | A workspace containing a login or password for use within sonarqube. optional: true params: - name: SONAR_HOST_URL description: SonarQube server URL default: '' - name: SONAR_PROJECT_KEY description: Project's unique key default: '' - name: PROJECT_VERSION description: 'Version of the project. Default: 1.0' default: '1.0' - name: SOURCE_TO_SCAN description: Comma-separated paths to directories containing main source files default: . - name: SONAR_ORGANIZATION description: The organization in sonarqube where the project exists default: '' - name: SONAR_SCANNER_IMAGE description: The sonarqube scanner CLI image which will run the scan default: docker.io/sonarsource/sonar-scanner-cli:4.6@sha256:7a976330a8bad1beca6584c1c118e946e7a25fdc5b664d5c0a869a6577d81b4f - name: SONAR_LOGIN_KEY description: Name of the file of the login within the sonarqube credentials workspace default: login - name: SONAR_PASSWORD_KEY description: Name of the file of the password within the sonarqube credentials workspace default: password steps: - name: sonar-properties-create image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 workingDir: $(workspaces.source.path) env: - name: SONAR_HOST_URL value: $(params.SONAR_HOST_URL) - name: SONAR_PROJECT_KEY value: $(params.SONAR_PROJECT_KEY) - name: PROJECT_VERSION value: $(params.PROJECT_VERSION) - name: SOURCE_TO_SCAN value: $(params.SOURCE_TO_SCAN) - name: SONAR_ORGANIZATION value: $(params.SONAR_ORGANIZATION) script: | #!/usr/bin/env bash replaceValues() { filename=$1 thekey=$2 newvalue=$3 if ! grep -R "^[#]*\s*$${thekey}=.*" $filename >/dev/null; then echo "APPENDING because '$${thekey}' not found" echo "" >>$filename echo "$thekey=$newvalue" >>$filename else echo "SETTING because '$${thekey}' found already" sed -ir "s|^[#]*\s*$${thekey}=.*|$thekey=$newvalue|" $filename fi } if [[ "$(workspaces.sonar-settings.bound)" == "true" ]]; then if [[ -f $(workspaces.sonar-settings.path)/sonar-project.properties ]]; then echo "using user provided sonar-project.properties file" cp -RL $(workspaces.sonar-settings.path)/sonar-project.properties $(workspaces.source.path)/sonar-project.properties fi fi if [[ -f $(workspaces.source.path)/sonar-project.properties ]]; then if [[ -n "$${SONAR_HOST_URL}" ]]; then echo "replacing sonar host URL" replaceValues $(workspaces.source.path)/sonar-project.properties sonar.host.url "$${SONAR_HOST_URL}" fi if [[ -n "$${SONAR_PROJECT_KEY}" ]]; then echo "replacing sonar project key" replaceValues $(workspaces.source.path)/sonar-project.properties sonar.projectKey "$${SONAR_PROJECT_KEY}" fi echo "Values in sonar-project.properties file replaced successfully..." else echo "Creating sonar-project.properties file..." touch sonar-project.properties [[ -n "$${SONAR_PROJECT_KEY}" ]] && { echo "sonar.projectKey=$${SONAR_PROJECT_KEY}" >> sonar-project.properties } || { echo "missing property SONAR_PROJECT_KEY" exit 1 } [[ -n "$${SONAR_HOST_URL}" ]] && { echo "sonar.host.url=$${SONAR_HOST_URL}" >> sonar-project.properties } || { echo "missing property SONAR_HOST_URL" exit 1 } [[ -n "$${PROJECT_VERSION}" ]] && { echo "sonar.projectVersion=$${PROJECT_VERSION}" >> sonar-project.properties } || { echo "missing property PROJECT_VERSION" exit 1 } [[ -n "$${SONAR_ORGANIZATION}" ]] && { echo "sonar.organization=$${SONAR_ORGANIZATION}" >> sonar-project.properties } || { echo "missing property SONAR_ORGANIZATION" exit 1 } echo "sonar.sources=$${SOURCE_TO_SCAN}" >> sonar-project.properties echo "---------------------------" cat $(workspaces.source.path)/sonar-project.properties fi if [[ "$(workspaces.sonar-credentials.bound)" == "true" ]]; then if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY) ]]; then SONAR_PASSWORD=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY)` replaceValues $(workspaces.source.path)/sonar-project.properties sonar.password "$${SONAR_PASSWORD}" fi if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY) ]]; then SONAR_LOGIN=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY)` replaceValues $(workspaces.source.path)/sonar-project.properties sonar.login "$${SONAR_LOGIN}" fi fi - name: sonar-scan image: $(params.SONAR_SCANNER_IMAGE) workingDir: $(workspaces.source.path) command: - sonar-scanner EOF } resource "kubectl_manifest" "Task_check-make" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: check-make labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality tekton.dev/tags: linter tekton.dev/displayName: Makefile linter tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: This task can be used to perform lint check on Makefiles workspaces: - name: shared-workspace description: A workspace that contains the fetched git repository. params: - name: args type: array description: extra args needs to append default: - --help steps: - name: lint-makefile image: docker.io/cytopia/checkmake:0.1.0@sha256:50957311f1ae25fd5925e1a45798d323cf00b3654cd1eede8db7814c72cec41d workingDir: $(workspaces.shared-workspace.path) command: - checkmake args: - $(params.args) EOF } resource "kubectl_manifest" "Task_gitea-set-status" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: gitea-set-status labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Git tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/tags: gitea tekton.dev/displayName: set gitea status tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le namespace: ${var.namespace} spec: description: |- This task will set the status of the CI job to the specified value along with a link to the specified target URL where developers can follow the progress of the CI job. The `gitea-set-status` task allows external services to mark Gitea commits with an `error`, `failure`, `pending`, or `success` state, which is then reflected in pull requests involving those commits. Statuses include as well a `description` and a `target_url`, to give the user informations about the CI statuses or a direct link to the full log. params: - name: GITEA_HOST_URL description: | The Gitea host, e.g: git.yourcompany.com. Can include port. type: string - name: GITEA_HTTPS_OR_HTTP description: | If we should connect with HTTP or HTTPS. Use "http" or "https" here. type: string default: https - name: API_PATH_PREFIX description: | The API path prefix of Gitea, default: /api/v1 default: /api/v1 type: string - name: REPO_FULL_NAME description: | The Gitea repository full name, e.g.: tektoncd/catalog type: string - name: GITEA_TOKEN_SECRET_NAME description: | The name of the kubernetes secret that contains the Gitea token, default: gitea type: string default: gitea - name: GITEA_TOKEN_SECRET_KEY description: | The key within the kubernetes secret that contains the Gitea token, default: token type: string default: token - name: SHA description: | Commit SHA to set the status for. type: string - name: TARGET_URL description: | The target URL to associate with this status. This URL will be linked from the Gitea UI to allow users to easily see the source of the status. type: string - name: DESCRIPTION description: | A short description of the status. type: string - name: CONTEXT description: | The Gitea context, A string label to differentiate this status from the status of other systems. ie: "continuous-integration/tekton" default: continuous-integration/tekton type: string - name: STATE description: | The state of the status. Can be one of the following `error`, `failure`, `pending`, `warning` or `success`. type: string - name: IMAGE description: | Image providing the python binary which this task uses. type: string default: python:3.10.1-alpine3.15@sha256:affe0faa14e7553fc570beec3864e74b5e36f8c19b2bb49ae8ba79c0e9e7236e - name: SHEBANG description: | Python path. Depends on the image. type: string default: /usr/bin/env python volumes: - name: giteatoken secret: secretName: $(params.GITEA_TOKEN_SECRET_NAME) steps: - name: set-status volumeMounts: - name: giteatoken mountPath: /etc/gitea-set-status image: $(params.IMAGE) script: |- #!$(params.SHEBANG) """This script will set the CI status on a Gitea commit""" import json import sys import http.client gitea_token = open("/etc/gitea-set-status/$(params.GITEA_TOKEN_SECRET_KEY)", "r").read() status_url = "$(params.API_PATH_PREFIX)" + "/repos/$(params.REPO_FULL_NAME)/" + \ "statuses/$(params.SHA)" data = { "state": "$(params.STATE)", "target_url": "$(params.TARGET_URL)", "description": "$(params.DESCRIPTION)", "context": "$(params.CONTEXT)" } print("Sending this data to Gitea: ") print(data) authHeader = "token " + gitea_token if "$(params.GITEA_HTTPS_OR_HTTP)" == "https": conn = http.client.HTTPSConnection("$(params.GITEA_HOST_URL)") else: conn = http.client.HTTPConnection("$(params.GITEA_HOST_URL)") conn.request( "POST", status_url, body=json.dumps(data), headers={ "User-Agent": "TektonCD, the peaceful cat", "Authorization": authHeader, "Accept": "application/json", "Content-Type": "application/json", }) resp = conn.getresponse() if not str(resp.status).startswith("2"): print("Error: %d" % (resp.status)) print(resp.read()) sys.exit(1) else: print("Gitea status '$(params.STATE)' has been set on " "$(params.REPO_FULL_NAME)#$(params.SHA) ") EOF } resource "kubectl_manifest" "Task_hadolint" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: annotations: tekton.dev/categories: Code Quality tekton.dev/displayName: Hadolint tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/platforms: linux/amd64 tekton.dev/tags: Kubernetes, Misconfiguration name: hadolint labels: ${jsonencode(local.common_labels)} namespace: ${var.namespace} spec: description: |- This task makes it possible to use Hadolint within Tekton Pipeline. A smarter Dockerfile linter that helps you build best practice Docker images. The linter parses the Dockerfile into an AST and performs rules on top of the AST params: - default: '' description: ignore rules. name: ignore-rules type: string - default: ./Dockerfile description: Dockerfile path. name: dockerfile-path type: string - default: tty description: The output format for the results [tty | json | checkstyle | codeclimate | gitlab_codeclimate | codacy] (default tty). name: output-format type: string steps: - image: ghcr.io/hadolint/hadolint:v2.8.0-debian@sha256:50b0e60aa2b4aba5a26eeb4ad08c96ed7a828fca996632e29114aabea18345f4 name: lint-dockerfile script: | #!/bin/bash set -e if [ -n "$RULES" ] then IFS="," read -a RULES <<< "$RULES" for rule in $${RULES[@]}; do ignore_rules="--ignore $rule $ignore_rules"; done command_to_run="hadolint $${ignore_rules}" else command_to_run="hadolint" fi $command_to_run "$DOCKERFILE" -f "$OFORMAT" env: - name: RULES value: $(params.ignore-rules) - name: DOCKERFILE value: $(params.dockerfile-path) - name: OFORMAT value: $(params.output-format) workingDir: $(workspaces.source.path) workspaces: - description: A workspace that contains fetched git repo. name: source EOF } resource "kubectl_manifest" "Task_hugo" { yaml_body = <<-EOF apiVersion: tekton.dev/v1 kind: Task metadata: name: hugo labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Build Tools, Cloud tekton.dev/tags: buildtools, cloud tekton.dev/displayName: Hugo tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: |- A Task that builds a Hugo site. This task uses the Hugo static site generator to build a static site from the content in the specified directory. workspaces: - name: work-dir params: - name: content-dir type: string description: The directory where the content is located default: '' - name: minify type: string description: Minify the output e.g. HTML, CSS, JS, XML default: 'false' - name: base-url type: string description: The base URL for the Hugo site. By default reads from the hugo.toml or hugo.yaml default: '' - name: verbose type: string description: Verbose output default: 'false' results: - name: output description: generated static site steps: - name: build env: - name: HUGO_MINIFY value: $(params.minify) - name: HUGO_BASEURL value: $(params.base-url) - name: HUGO_VERBOSE value: $(params.verbose) - name: HUGO_CONTENT_DIR value: $(params.content-dir) image: docker.io/hugomods/hugo:0.122.0@sha256:e90f2e6786969463f3475c7d5e7f031cb5dbf75a8394687d52f99d6c9d0eda0d script: |- export HUGOCMD="hugo" if [ "$HUGO_MINIFY" = 'true' ]; then export HUGOCMD="$${HUGOCMD} --minify" fi if [ "$HUGO_BASEURL" != '' ]; then export HUGOCMD="$${HUGOCMD} --baseURL $HUGO_BASEURL" fi if [ "$HUGO_VERBOSE" = 'true' ]; then export HUGOCMD="$${HUGOCMD} --verbose" fi if [ "$HUGO_CONTENT_DIR" != '' ]; then export HUGOCMD="$${HUGOCMD} --contentDir $${HUGO_CONTENT_DIR}" fi cd "$(workspaces.work-dir.path)" || exit $HUGOCMD printf "%s/public" "$(workspaces.work-dir.path)" | tee /tekton/results/output EOF } resource "kubectl_manifest" "Task_buildah" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: buildah labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Image Build tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/tags: image-build tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 tekton.dev/displayName: buildah namespace: ${var.namespace} spec: description: |- Buildah task builds source into a container image and then pushes it to a container registry. Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry. params: - name: IMAGE description: Reference of the image buildah will produce. - name: BUILDER_IMAGE description: The location of the buildah builder image. default: quay.io/buildah/stable:v1 - name: STORAGE_DRIVER description: Set buildah storage driver default: overlay - name: DOCKERFILE description: Path to the Dockerfile to build. default: ./Dockerfile - name: CONTEXT description: Path to the directory to use as context. default: . - name: TLSVERIFY description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) default: 'true' - name: FORMAT description: The format of the built container, oci or docker default: oci - name: BUILD_EXTRA_ARGS description: Extra parameters passed for the build command when building images. default: '' - name: PUSH_EXTRA_ARGS description: Extra parameters passed for the push command when pushing images. type: string default: '' - name: SKIP_PUSH description: Skip pushing the built image default: 'false' workspaces: - name: source - name: sslcertdir optional: true - name: dockerconfig description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json. optional: true results: - name: IMAGE_DIGEST description: Digest of the image just built. - name: IMAGE_URL description: Image repository where the built image would be pushed to steps: - name: build-and-push image: $(params.BUILDER_IMAGE) workingDir: $(workspaces.source.path) script: | [ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)" [ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG # build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args) # shellcheck disable=SC2046,SC2086 buildah $${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" bud $(params.BUILD_EXTRA_ARGS) \ "--format=$(params.FORMAT)" "--tls-verify=$(params.TLSVERIFY)" \ -f "$(params.DOCKERFILE)" -t "$(params.IMAGE)" "$(params.CONTEXT)" [ "$(params.SKIP_PUSH)" = "true" ] && echo "Push skipped" && exit 0 # push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args) # shellcheck disable=SC2046,SC2086 buildah $${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" push $(params.PUSH_EXTRA_ARGS) \ "--tls-verify=$(params.TLSVERIFY)" --digestfile /tmp/image-digest "$(params.IMAGE)" \ "docker://$(params.IMAGE)" tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest printf '%s' "$(params.IMAGE)" | tee "$(results.IMAGE_URL.path)" volumeMounts: - name: varlibcontainers mountPath: /var/lib/containers securityContext: privileged: true volumes: - name: varlibcontainers emptyDir: {} EOF } resource "kubectl_manifest" "Task_buildpacks" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: buildpacks labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Image Build tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/tags: image-build tekton.dev/displayName: Buildpacks tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: The Buildpacks task builds source into a container image and pushes it to a registry, using Cloud Native Buildpacks. workspaces: - name: source description: Directory where application source is located. - name: cache description: Directory where cache is stored (when no cache image is provided). optional: true - name: dockerconfig description: An optional workspace that allows providing a .docker/config.json file for Buildpacks lifecycle binary to access the container registry. The file should be placed at the root of the Workspace with name config.json. optional: true params: - name: APP_IMAGE description: The name of where to store the app image. - name: BUILDER_IMAGE description: The image on which builds will run (must include lifecycle and compatible buildpacks). - name: SOURCE_SUBPATH description: A subpath within the `source` input where the source to build is located. default: '' - name: ENV_VARS type: array description: Environment variables to set during _build-time_. default: [] - name: PROCESS_TYPE description: The default process type to set on the image. default: web - name: RUN_IMAGE description: Reference to a run image to use. default: '' - name: CACHE_IMAGE description: The name of the persistent app cache image (if no cache workspace is provided). default: '' - name: SKIP_RESTORE description: Do not write layer metadata or restore cached layers. default: 'false' - name: USER_ID description: The user ID of the builder image user. default: '1000' - name: GROUP_ID description: The group ID of the builder image user. default: '1000' - name: PLATFORM_DIR description: The name of the platform directory. default: empty-dir results: - name: APP_IMAGE_DIGEST description: The digest of the built `APP_IMAGE`. - name: APP_IMAGE_URL description: The URL of the built `APP_IMAGE`. stepTemplate: env: - name: CNB_PLATFORM_API value: '0.9' steps: - name: prepare image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 args: - --env-vars - $(params.ENV_VARS[*]) script: | #!/usr/bin/env bash set -e if [[ "$(workspaces.cache.bound)" == "true" ]]; then echo "> Setting permissions on '$(workspaces.cache.path)'..." chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)" fi for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do echo "> Setting permissions on '$path'..." chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path" if [[ "$path" == "$(workspaces.source.path)" ]]; then chmod 775 "$(workspaces.source.path)" fi done echo "> Parsing additional configuration..." parsing_flag="" envs=() for arg in "$@"; do if [[ "$arg" == "--env-vars" ]]; then echo "-> Parsing env variables..." parsing_flag="env-vars" elif [[ "$parsing_flag" == "env-vars" ]]; then envs+=("$arg") fi done echo "> Processing any environment variables..." ENV_DIR="/platform/env" echo "--> Creating 'env' directory: $ENV_DIR" mkdir -p "$ENV_DIR" for env in "$${envs[@]}"; do IFS='=' read -r key value <<< "$env" if [[ "$key" != "" && "$value" != "" ]]; then path="$${ENV_DIR}/$${key}" echo "--> Writing $${path}..." echo -n "$value" > "$path" fi done volumeMounts: - name: layers-dir mountPath: /layers - name: $(params.PLATFORM_DIR) mountPath: /platform - name: create image: $(params.BUILDER_IMAGE) imagePullPolicy: Always command: - /cnb/lifecycle/creator env: - name: DOCKER_CONFIG value: $(workspaces.dockerconfig.path) args: - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) - -cache-dir=$(workspaces.cache.path) - -cache-image=$(params.CACHE_IMAGE) - -uid=$(params.USER_ID) - -gid=$(params.GROUP_ID) - -layers=/layers - -platform=/platform - -report=/layers/report.toml - -process-type=$(params.PROCESS_TYPE) - -skip-restore=$(params.SKIP_RESTORE) - -previous-image=$(params.APP_IMAGE) - -run-image=$(params.RUN_IMAGE) - $(params.APP_IMAGE) volumeMounts: - name: layers-dir mountPath: /layers - name: $(params.PLATFORM_DIR) mountPath: /platform securityContext: runAsUser: 1000 runAsGroup: 1000 - name: results image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6 script: | #!/usr/bin/env bash set -e grep "digest" /layers/report.toml | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee "$(results.APP_IMAGE_DIGEST.path)" echo -n "$(params.APP_IMAGE)" | tee "$(results.APP_IMAGE_URL.path)" volumeMounts: - name: layers-dir mountPath: /layers volumes: - name: empty-dir emptyDir: {} - name: layers-dir emptyDir: {} EOF } resource "kubectl_manifest" "Task_kubeval" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: kubeval labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/categories: Code Quality, Kubernetes tekton.dev/tags: test tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: |- This task makes it possible to use Kubeval within your Tekton pipelines. Kubeval is a tool used for validating Kubernetes configuration files. By default the task will recursively scan the provided repository for YAML files and validate them against the Kubernetes schemas. workspaces: - name: source params: - name: files default: . - name: output default: stdout - name: args type: array default: [] steps: - name: kubeval workingDir: $(workspaces.source.path) image: docker.io/garethr/kubeval:0.15.0@sha256:6962d8ecbb7839637667f66e6703e6ebaae0c29dfe93a31d9968fba4324c7b8d command: - kubeval - -d - $(params.files) - -o - $(params.output) - $(params.args) EOF } resource "kubectl_manifest" "Task_pylint" { yaml_body = <<-EOF apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: pylint labels: ${jsonencode(local.common_labels)} annotations: tekton.dev/categories: Code Quality tekton.dev/pipelines.minVersion: 0.17.0 tekton.dev/tags: python, pylint tekton.dev/displayName: pylint tekton.dev/platforms: linux/amd64 namespace: ${var.namespace} spec: description: This task will run pylint on the provided input. workspaces: - name: source - description: The workspace consisting of the custom pip settings. name: pip-conf optional: true params: - name: image description: The container image with pylint default: registry.gitlab.com/pipeline-components/pylint:0.12.0@sha256:051b701936dfab6fa27bd1ebd50ef56b19577565661bc0227e50dd1cf94a3d6e - name: path description: The path to the module which should be analysed by pylint default: . type: string - name: requirements_file description: The name of the requirements file inside the source location default: requirements.txt - name: args description: The arguments to pass to the pylint CLI. type: array default: [] - name: pip_conf_file description: The name of the custom pip config file. default: pip.conf steps: - name: pylint image: $(params.image) workingDir: $(workspaces.source.path) env: - name: HOME value: /tmp/python - name: PARAM_PIP_CONF_FILE value: $(params.pip_conf_file) - name: WORKSPACE_PIP_CONF_BOUND value: $(workspaces.pip-conf.bound) - name: WORKSPACE_PIP_CONF_PATH value: $(workspaces.pip-conf.path) script: | export PATH=$PATH:$HOME/.local/bin if [ "$${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then export PIP_CONFIG_FILE="$${WORKSPACE_PIP_CONF_PATH}/$${PARAM_PIP_CONF_FILE}" fi if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then python -mpip install --user -r "$(params.requirements_file)" fi pylint $@ "$(params.path)" args: - $(params.args) EOF }