1511 lines
55 KiB
HCL
1511 lines
55 KiB
HCL
resource "kubectl_manifest" "Task_python-coverage" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: python-coverage
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/tags: python, coverage
|
|
tekton.dev/displayName: python coverage
|
|
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task can be used to measure code coverage of Python projects.
|
|
workspaces:
|
|
- name: source
|
|
params:
|
|
- name: PYTHON
|
|
description: The used Python version, more precisely the tag for the Python image
|
|
type: string
|
|
default: latest
|
|
- name: ARGS
|
|
description: The additional arguments to be used with pytest
|
|
type: string
|
|
default: ''
|
|
- name: SOURCE_PATH
|
|
description: The path to the source code
|
|
default: .
|
|
- name: REQUIREMENTS_FILE
|
|
description: The name of the requirements file inside the source location
|
|
default: requirements.txt
|
|
steps:
|
|
- name: code-coverage
|
|
image: docker.io/python:$(inputs.params.PYTHON)
|
|
workingDir: $(workspaces.source.path)
|
|
script: |-
|
|
export PATH=$PATH:$HOME/.local/bin
|
|
if [ -n "$(inputs.params.REQUIREMENTS_FILE)" ] && [ -e "$(inputs.params.REQUIREMENTS_FILE)" ];then
|
|
pip install -r $(inputs.params.SOURCE_PATH)/$(inputs.params.REQUIREMENTS_FILE)
|
|
pip show pytest || {
|
|
echo "###\nWarning: Pytest is missing in your requirements\n###";
|
|
pip install pytest
|
|
}
|
|
pip show coverage || {
|
|
echo "###\nWarning: Coverage is missing in your requirements\n###";
|
|
pip install coverage
|
|
}
|
|
else
|
|
pip install pytest coverage
|
|
fi
|
|
coverage run -m pytest $(inputs.params.ARGS) $(inputs.params.SOURCE_PATH)
|
|
coverage report -m
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_npm" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: npm
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/categories: Build Tools
|
|
tekton.dev/tags: build-tool
|
|
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
This task can be used to run npm goals on a project.
|
|
This task can be used to run npm goals on a project where package.json is present and has some pre-defined npm scripts.
|
|
workspaces:
|
|
- name: source
|
|
params:
|
|
- name: PATH_CONTEXT
|
|
type: string
|
|
default: .
|
|
description: The path where package.json of the project is defined.
|
|
- name: ARGS
|
|
type: array
|
|
default:
|
|
- version
|
|
description: The npm goals you want to run.
|
|
- name: IMAGE
|
|
type: string
|
|
default: docker.io/library/node:12-alpine@sha256:dfbebf17bfb014e1e7068e76325a117bccf8679c68aec6a28514184a209c8bae
|
|
description: The node image you want to use.
|
|
steps:
|
|
- name: npm-run
|
|
image: $(params.IMAGE)
|
|
command:
|
|
- npm
|
|
args:
|
|
- $(params.ARGS)
|
|
workingDir: $(workspaces.source.path)/$(params.PATH_CONTEXT)
|
|
env:
|
|
- name: CI
|
|
value: 'true'
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_pytest" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: pytest
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Testing
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/tags: python, pytest
|
|
tekton.dev/displayName: pytest
|
|
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task will run pytest on the provided input.
|
|
workspaces:
|
|
- name: source
|
|
- description: The workspace consisting of the custom pip settings.
|
|
name: pip-conf
|
|
optional: true
|
|
params:
|
|
- name: PYTHON_IMAGE
|
|
description: The used Python image
|
|
type: string
|
|
default: docker.io/python:3.11.1-bullseye
|
|
- name: ARGS
|
|
description: The additional arguments to be used with pytest
|
|
type: string
|
|
default: ''
|
|
- name: SOURCE_PATH
|
|
description: The path to the source code
|
|
default: .
|
|
- name: REQUIREMENTS_FILE
|
|
description: The name of the requirements file inside the source location, with fallback to the requirements file in the root location
|
|
default: requirements.txt
|
|
- name: PIP_CONF_FILE
|
|
description: The name of the custom pip config file.
|
|
default: pip.conf
|
|
steps:
|
|
- name: unit-test
|
|
image: $(params.PYTHON_IMAGE)
|
|
workingDir: $(workspaces.source.path)
|
|
env:
|
|
- name: PARAM_PIP_CONF_FILE
|
|
value: $(params.PIP_CONF_FILE)
|
|
- name: WORKSPACE_PIP_CONF_BOUND
|
|
value: $(workspaces.pip-conf.bound)
|
|
- name: WORKSPACE_PIP_CONF_PATH
|
|
value: $(workspaces.pip-conf.path)
|
|
script: |-
|
|
export PATH=$PATH:$HOME/.local/bin
|
|
|
|
if [ "$${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then
|
|
export PIP_CONFIG_FILE="$${WORKSPACE_PIP_CONF_PATH}/$${PARAM_PIP_CONF_FILE}"
|
|
fi
|
|
|
|
if [ -e "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)" ];
|
|
then
|
|
pip install -r "$(params.SOURCE_PATH)"/"$(params.REQUIREMENTS_FILE)"
|
|
pip show pytest || {
|
|
printf "###\nWarning: Pytest is missing in your test requirements file\n###";
|
|
pip install pytest
|
|
}
|
|
else
|
|
if [ -e "$(params.REQUIREMENTS_FILE)" ];
|
|
then
|
|
pip install -r "$(params.REQUIREMENTS_FILE)"
|
|
fi
|
|
pip install pytest
|
|
fi
|
|
if [ -z "$(params.ARGS)" ]; then
|
|
pytest "$(params.SOURCE_PATH)"
|
|
else
|
|
pytest "$(params.ARGS)" "$(params.SOURCE_PATH)"
|
|
fi
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_shellcheck" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: shellcheck
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/tags: linter
|
|
tekton.dev/displayName: Shellcheck
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task can be used to perform lint check on Shell Script files
|
|
workspaces:
|
|
- name: shared-workspace
|
|
description: A workspace that contains the fetched git repository.
|
|
params:
|
|
- name: args
|
|
type: array
|
|
description: extra args needs to append
|
|
default:
|
|
- --help
|
|
steps:
|
|
- name: lint-shell
|
|
image: docker.io/koalaman/shellcheck:v0.7.1@sha256:ad95c140f7bf5cc66e50e19da7d72c398583ba24c5866ac32c882eb3ddc153ee
|
|
workingDir: $(workspaces.shared-workspace.path)
|
|
command:
|
|
- /bin/shellcheck
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_markdown-lint" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: markdown-lint
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/tags: linter
|
|
tekton.dev/displayName: Markdown linter
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task can be used to perform lint check on Markdown files
|
|
workspaces:
|
|
- name: shared-workspace
|
|
description: A workspace that contains the fetched git repository.
|
|
params:
|
|
- name: args
|
|
type: array
|
|
description: extra args needs to append
|
|
default:
|
|
- --help
|
|
steps:
|
|
- name: lint-markdown-files
|
|
image: docker.io/markdownlint/markdownlint:0.11.0@sha256:399a199c92f89f42cf3a0a1159bd86ca5cdc293fcfd39f87c0669ddee9767724
|
|
workingDir: $(workspaces.shared-workspace.path)
|
|
command:
|
|
- mdl
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_black" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: black
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/tags: formatter, python, black
|
|
tekton.dev/displayName: Python Black
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task can be used to format Python code
|
|
workspaces:
|
|
- name: shared-workspace
|
|
description: The workspace containing python source code which we want to format.
|
|
params:
|
|
- name: image
|
|
description: The container image to use black in
|
|
default: docker.io/cytopia/black:latest-0.2@sha256:2ec766f1c7e42e6b59c0873ce066fa0a2aa2bf8a80dbc1c40f1566bb539303e0
|
|
- name: requirements_file
|
|
description: The name of the requirements file inside the source location
|
|
default: requirements.txt
|
|
- name: args
|
|
type: array
|
|
description: extra args that needs to be appended
|
|
default:
|
|
- --help
|
|
steps:
|
|
- name: format-python-code
|
|
image: $(params.image)
|
|
workingDir: $(workspaces.shared-workspace.path)
|
|
script: |
|
|
export HOME=/tmp/python
|
|
export PATH=$PATH:/tmp/python/.local/bin
|
|
if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then
|
|
python -mpip install --user -r $(params.requirements_file)
|
|
fi
|
|
black $@
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_kube-linter" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: kube-linter
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/tags: Kubernetes, Misconfiguration
|
|
tekton.dev/displayName: Kube-Linter
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
This task makes it possible to use kube-linter within Tekton Pipeline.
|
|
The KubeLinter tool by StackRox is an open-source command-line interface to identify misconfigurations in Kubernetes objects. KubeLinter offers the ability to integrate checks on Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. With 31 standard built-in checks and the room to configure your own, you get immediate feedback about misconfigurations and Kubernetes security violations.
|
|
workspaces:
|
|
- name: source
|
|
description: A workspace that contains fetched git repo.
|
|
params:
|
|
- name: config_file_url
|
|
type: string
|
|
description: url from where the config file would be fetched.
|
|
default: ''
|
|
- name: config_file_path
|
|
type: string
|
|
description: path to config file.
|
|
default: ''
|
|
- name: manifest
|
|
type: string
|
|
description: path to manifest files or manifest directory to be checked.
|
|
default: .
|
|
- name: includelist
|
|
type: string
|
|
description: A string with comma separated checks to be included
|
|
default: ''
|
|
- name: excludelist
|
|
type: string
|
|
description: A string with comma separated checks to be excluded
|
|
default: ''
|
|
- name: default_option
|
|
type: string
|
|
description: 'provides two options (adding all built-in checks or disabling all default checks): add-all-built-in and/do-not-auto-add-defaults'
|
|
default: ''
|
|
- name: output_format
|
|
type: string
|
|
description: format in which report will be generated. (json|sarif|plain) (default:"json")
|
|
default: json
|
|
- name: args
|
|
type: array
|
|
description: args
|
|
default: []
|
|
steps:
|
|
- name: fetch-config-file
|
|
image: registry.access.redhat.com/ubi8/ubi-minimal:8.2
|
|
workingDir: $(workspaces.source.path)
|
|
script: |
|
|
#!/usr/bin/env bash
|
|
set -e
|
|
|
|
if [ -n "$(params.config_file_url)" ]
|
|
then
|
|
curl "$(params.config_file_url)" --output "$(params.config_file_path)"
|
|
echo "Fetched the config file from given ($(params.config_file_url)) URL and successfully saved at $(workspaces.source.path)/$(params.config_file_path)"
|
|
else
|
|
echo "No config file url was set"
|
|
fi
|
|
- name: lint-yaml
|
|
image: docker.io/stackrox/kube-linter:0.2.2-2-g7d10a69154-alpine@sha256:e520e9d8d3a2dfa611914836536545b135845e7bda9f1df34b060e116232dbf0
|
|
workingDir: $(workspaces.source.path)
|
|
script: |
|
|
mv ../../kube-linter ../../bin;
|
|
|
|
if [ -n "$(params.config_file_path)" ]
|
|
then
|
|
kube-linter lint "$(params.manifest)" --config "$(params.config_file_path)" --format "$(params.output_format)" "$@"
|
|
else
|
|
if [ -n "$(params.default_option)" ]
|
|
then
|
|
kube-linter lint "$(params.manifest)" --"$(params.default_option)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@"
|
|
else
|
|
kube-linter lint "$(params.manifest)" --include "$(params.includelist)" --exclude "$(params.excludelist)" --format "$(params.output_format)" "$@"
|
|
fi
|
|
fi
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_yaml-lint" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: yaml-lint
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/tags: linter
|
|
tekton.dev/displayName: YAML linter
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task can be used to perform lint check on YAML files
|
|
workspaces:
|
|
- name: shared-workspace
|
|
description: A workspace that contains the fetched git repository.
|
|
params:
|
|
- name: args
|
|
type: array
|
|
description: extra args needs to append
|
|
default:
|
|
- --help
|
|
steps:
|
|
- name: lint-yaml-files
|
|
image: docker.io/cytopia/yamllint:1.23@sha256:e9deea51bbdc35950cacf6594dab94100d9bbf5c987540b8874167d58e6bdce2
|
|
workingDir: $(workspaces.shared-workspace.path)
|
|
command:
|
|
- yamllint
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_buildpacks-phases" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: buildpacks-phases
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Image Build, Security
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/tags: image-build
|
|
tekton.dev/displayName: Buildpacks (phases)
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: The Buildpacks-Phases task builds source into a container image and pushes it to a registry, using Cloud Native Buildpacks. This task separately calls the aspects of the Cloud Native Buildpacks lifecycle, to provide increased security via container isolation.
|
|
workspaces:
|
|
- name: source
|
|
description: Directory where application source is located.
|
|
- name: cache
|
|
description: Directory where cache is stored (when no cache image is provided).
|
|
optional: true
|
|
params:
|
|
- name: APP_IMAGE
|
|
description: The name of where to store the app image.
|
|
- name: BUILDER_IMAGE
|
|
description: The image on which builds will run (must include lifecycle and compatible buildpacks).
|
|
- name: SOURCE_SUBPATH
|
|
description: A subpath within the `source` input where the source to build is located.
|
|
default: ''
|
|
- name: ENV_VARS
|
|
type: array
|
|
description: Environment variables to set during _build-time_.
|
|
default: []
|
|
- name: PROCESS_TYPE
|
|
description: The default process type to set on the image.
|
|
default: web
|
|
- name: RUN_IMAGE
|
|
description: Reference to a run image to use.
|
|
default: ''
|
|
- name: CACHE_IMAGE
|
|
description: The name of the persistent app cache image (if no cache workspace is provided).
|
|
default: ''
|
|
- name: USER_ID
|
|
description: The user ID of the builder image user.
|
|
default: '1000'
|
|
- name: GROUP_ID
|
|
description: The group ID of the builder image user.
|
|
default: '1000'
|
|
- name: PLATFORM_DIR
|
|
description: The name of the platform directory.
|
|
default: empty-dir
|
|
- name: LIFECYCLE_IMAGE
|
|
description: The image to use when executing sensitive phases.
|
|
default: docker.io/buildpacksio/lifecycle:0.10.2@sha256:1bf8d3fc41d2fdf0ee4abdad50038ab8902ef58c74f5bcfc432c26767d889ed0
|
|
- name: USER_HOME
|
|
description: Absolute path to the user's home directory.
|
|
default: /tekton/home
|
|
results:
|
|
- name: APP_IMAGE_DIGEST
|
|
description: The digest of the built `APP_IMAGE`.
|
|
stepTemplate:
|
|
env:
|
|
- name: CNB_PLATFORM_API
|
|
value: '0.4'
|
|
- name: HOME
|
|
value: $(params.USER_HOME)
|
|
steps:
|
|
- name: prepare
|
|
image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6
|
|
args:
|
|
- --env-vars
|
|
- $(params.ENV_VARS[*])
|
|
script: |
|
|
#!/usr/bin/env bash
|
|
set -e
|
|
|
|
if [[ "$(workspaces.cache.bound)" == "true" ]]; then
|
|
echo "> Setting permissions on '$(workspaces.cache.path)'..."
|
|
chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)"
|
|
fi
|
|
|
|
for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do
|
|
echo "> Setting permissions on '$path'..."
|
|
chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path"
|
|
done
|
|
|
|
echo "> Parsing additional configuration..."
|
|
parsing_flag=""
|
|
envs=()
|
|
for arg in "$@"; do
|
|
if [[ "$arg" == "--env-vars" ]]; then
|
|
echo "-> Parsing env variables..."
|
|
parsing_flag="env-vars"
|
|
elif [[ "$parsing_flag" == "env-vars" ]]; then
|
|
envs+=("$arg")
|
|
fi
|
|
done
|
|
|
|
echo "> Processing any environment variables..."
|
|
ENV_DIR="/platform/env"
|
|
|
|
echo "--> Creating 'env' directory: $ENV_DIR"
|
|
mkdir -p "$ENV_DIR"
|
|
|
|
for env in "$${envs[@]}"; do
|
|
IFS='=' read -r key value string <<< "$env"
|
|
if [[ "$key" != "" && "$value" != "" ]]; then
|
|
path="$${ENV_DIR}/$${key}"
|
|
echo "--> Writing $${path}..."
|
|
echo -n "$value" > "$path"
|
|
fi
|
|
done
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: $(params.PLATFORM_DIR)
|
|
mountPath: /platform
|
|
securityContext:
|
|
privileged: true
|
|
- name: copy-stack-toml
|
|
image: $(params.BUILDER_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /bin/sh
|
|
args:
|
|
- -c
|
|
- |
|
|
cp /cnb/stack.toml /layers/
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: detect
|
|
image: $(params.BUILDER_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /cnb/lifecycle/detector
|
|
args:
|
|
- -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)
|
|
- -group=/layers/group.toml
|
|
- -plan=/layers/plan.toml
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: $(params.PLATFORM_DIR)
|
|
mountPath: /platform
|
|
- name: empty-dir
|
|
mountPath: /tekton/home
|
|
- name: analyze
|
|
image: $(params.LIFECYCLE_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /cnb/lifecycle/analyzer
|
|
args:
|
|
- -layers=/layers
|
|
- -group=/layers/group.toml
|
|
- -cache-dir=$(workspaces.cache.path)
|
|
- -cache-image=$(params.CACHE_IMAGE)
|
|
- -uid=$(params.USER_ID)
|
|
- -gid=$(params.GROUP_ID)
|
|
- $(params.APP_IMAGE)
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: restore
|
|
image: $(params.LIFECYCLE_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /cnb/lifecycle/restorer
|
|
args:
|
|
- -group=/layers/group.toml
|
|
- -layers=/layers
|
|
- -cache-dir=$(workspaces.cache.path)
|
|
- -cache-image=$(params.CACHE_IMAGE)
|
|
- -uid=$(params.USER_ID)
|
|
- -gid=$(params.GROUP_ID)
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: build
|
|
image: $(params.BUILDER_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /cnb/lifecycle/builder
|
|
args:
|
|
- -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)
|
|
- -layers=/layers
|
|
- -group=/layers/group.toml
|
|
- -plan=/layers/plan.toml
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: $(params.PLATFORM_DIR)
|
|
mountPath: /platform
|
|
- name: empty-dir
|
|
mountPath: /tekton/home
|
|
- name: export
|
|
image: $(params.LIFECYCLE_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /cnb/lifecycle/exporter
|
|
args:
|
|
- -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)
|
|
- -layers=/layers
|
|
- -group=/layers/group.toml
|
|
- -cache-dir=$(workspaces.cache.path)
|
|
- -cache-image=$(params.CACHE_IMAGE)
|
|
- -report=/layers/report.toml
|
|
- -process-type=$(params.PROCESS_TYPE)
|
|
- -uid=$(params.USER_ID)
|
|
- -gid=$(params.GROUP_ID)
|
|
- -stack=/layers/stack.toml
|
|
- -run-image=$(params.RUN_IMAGE)
|
|
- $(params.APP_IMAGE)
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: results
|
|
image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6
|
|
script: |
|
|
#!/usr/bin/env bash
|
|
set -e
|
|
cat /layers/report.toml | grep "digest" | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee $(results.APP_IMAGE_DIGEST.path)
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
volumes:
|
|
- name: empty-dir
|
|
emptyDir: {}
|
|
- name: layers-dir
|
|
emptyDir: {}
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_sonarqube-scanner" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: sonarqube-scanner
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/deprecated: 'true'
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/categories: Security
|
|
tekton.dev/tags: security
|
|
tekton.dev/displayName: sonarqube scanner
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
The following task can be used to perform static analysis on the source code provided the SonarQube server is hosted
|
|
SonarQube is the leading tool for continuously inspecting the Code Quality and Security of your codebases, all while empowering development teams. Analyze over 25 popular programming languages including C#, VB.Net, JavaScript, TypeScript and C++. It detects bugs, vulnerabilities and code smells across project branches and pull requests.
|
|
workspaces:
|
|
- name: source
|
|
description: Workspace containing the code which needs to be scanned by SonarQube
|
|
- name: sonar-settings
|
|
description: Optional workspace where SonarQube properties can be mounted
|
|
optional: true
|
|
- name: sonar-credentials
|
|
description: |
|
|
A workspace containing a login or password for use within sonarqube.
|
|
optional: true
|
|
params:
|
|
- name: SONAR_HOST_URL
|
|
description: SonarQube server URL
|
|
default: ''
|
|
- name: SONAR_PROJECT_KEY
|
|
description: Project's unique key
|
|
default: ''
|
|
- name: PROJECT_VERSION
|
|
description: 'Version of the project. Default: 1.0'
|
|
default: '1.0'
|
|
- name: SOURCE_TO_SCAN
|
|
description: Comma-separated paths to directories containing main source files
|
|
default: .
|
|
- name: SONAR_ORGANIZATION
|
|
description: The organization in sonarqube where the project exists
|
|
default: ''
|
|
- name: SONAR_SCANNER_IMAGE
|
|
description: The sonarqube scanner CLI image which will run the scan
|
|
default: docker.io/sonarsource/sonar-scanner-cli:4.6@sha256:7a976330a8bad1beca6584c1c118e946e7a25fdc5b664d5c0a869a6577d81b4f
|
|
- name: SONAR_LOGIN_KEY
|
|
description: Name of the file of the login within the sonarqube credentials workspace
|
|
default: login
|
|
- name: SONAR_PASSWORD_KEY
|
|
description: Name of the file of the password within the sonarqube credentials workspace
|
|
default: password
|
|
steps:
|
|
- name: sonar-properties-create
|
|
image: registry.access.redhat.com/ubi8/ubi-minimal:8.2
|
|
workingDir: $(workspaces.source.path)
|
|
env:
|
|
- name: SONAR_HOST_URL
|
|
value: $(params.SONAR_HOST_URL)
|
|
- name: SONAR_PROJECT_KEY
|
|
value: $(params.SONAR_PROJECT_KEY)
|
|
- name: PROJECT_VERSION
|
|
value: $(params.PROJECT_VERSION)
|
|
- name: SOURCE_TO_SCAN
|
|
value: $(params.SOURCE_TO_SCAN)
|
|
- name: SONAR_ORGANIZATION
|
|
value: $(params.SONAR_ORGANIZATION)
|
|
script: |
|
|
#!/usr/bin/env bash
|
|
|
|
replaceValues() {
|
|
filename=$1
|
|
thekey=$2
|
|
newvalue=$3
|
|
|
|
if ! grep -R "^[#]*\s*$${thekey}=.*" $filename >/dev/null; then
|
|
echo "APPENDING because '$${thekey}' not found"
|
|
echo "" >>$filename
|
|
echo "$thekey=$newvalue" >>$filename
|
|
else
|
|
echo "SETTING because '$${thekey}' found already"
|
|
sed -ir "s|^[#]*\s*$${thekey}=.*|$thekey=$newvalue|" $filename
|
|
fi
|
|
}
|
|
|
|
if [[ "$(workspaces.sonar-settings.bound)" == "true" ]]; then
|
|
if [[ -f $(workspaces.sonar-settings.path)/sonar-project.properties ]]; then
|
|
echo "using user provided sonar-project.properties file"
|
|
cp -RL $(workspaces.sonar-settings.path)/sonar-project.properties $(workspaces.source.path)/sonar-project.properties
|
|
fi
|
|
fi
|
|
|
|
if [[ -f $(workspaces.source.path)/sonar-project.properties ]]; then
|
|
if [[ -n "$${SONAR_HOST_URL}" ]]; then
|
|
echo "replacing sonar host URL"
|
|
replaceValues $(workspaces.source.path)/sonar-project.properties sonar.host.url "$${SONAR_HOST_URL}"
|
|
fi
|
|
if [[ -n "$${SONAR_PROJECT_KEY}" ]]; then
|
|
echo "replacing sonar project key"
|
|
replaceValues $(workspaces.source.path)/sonar-project.properties sonar.projectKey "$${SONAR_PROJECT_KEY}"
|
|
fi
|
|
echo "Values in sonar-project.properties file replaced successfully..."
|
|
else
|
|
echo "Creating sonar-project.properties file..."
|
|
touch sonar-project.properties
|
|
[[ -n "$${SONAR_PROJECT_KEY}" ]] && {
|
|
echo "sonar.projectKey=$${SONAR_PROJECT_KEY}" >> sonar-project.properties
|
|
} || {
|
|
echo "missing property SONAR_PROJECT_KEY"
|
|
exit 1
|
|
}
|
|
|
|
[[ -n "$${SONAR_HOST_URL}" ]] && {
|
|
echo "sonar.host.url=$${SONAR_HOST_URL}" >> sonar-project.properties
|
|
} || {
|
|
echo "missing property SONAR_HOST_URL"
|
|
exit 1
|
|
}
|
|
|
|
[[ -n "$${PROJECT_VERSION}" ]] && {
|
|
echo "sonar.projectVersion=$${PROJECT_VERSION}" >> sonar-project.properties
|
|
} || {
|
|
echo "missing property PROJECT_VERSION"
|
|
exit 1
|
|
}
|
|
|
|
[[ -n "$${SONAR_ORGANIZATION}" ]] && {
|
|
echo "sonar.organization=$${SONAR_ORGANIZATION}" >> sonar-project.properties
|
|
} || {
|
|
echo "missing property SONAR_ORGANIZATION"
|
|
exit 1
|
|
}
|
|
echo "sonar.sources=$${SOURCE_TO_SCAN}" >> sonar-project.properties
|
|
echo "---------------------------"
|
|
cat $(workspaces.source.path)/sonar-project.properties
|
|
fi
|
|
|
|
if [[ "$(workspaces.sonar-credentials.bound)" == "true" ]]; then
|
|
if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY) ]]; then
|
|
SONAR_PASSWORD=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY)`
|
|
replaceValues $(workspaces.source.path)/sonar-project.properties sonar.password "$${SONAR_PASSWORD}"
|
|
fi
|
|
if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY) ]]; then
|
|
SONAR_LOGIN=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY)`
|
|
replaceValues $(workspaces.source.path)/sonar-project.properties sonar.login "$${SONAR_LOGIN}"
|
|
fi
|
|
fi
|
|
- name: sonar-scan
|
|
image: $(params.SONAR_SCANNER_IMAGE)
|
|
workingDir: $(workspaces.source.path)
|
|
command:
|
|
- sonar-scanner
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_check-make" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: check-make
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/tags: linter
|
|
tekton.dev/displayName: Makefile linter
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task can be used to perform lint check on Makefiles
|
|
workspaces:
|
|
- name: shared-workspace
|
|
description: A workspace that contains the fetched git repository.
|
|
params:
|
|
- name: args
|
|
type: array
|
|
description: extra args needs to append
|
|
default:
|
|
- --help
|
|
steps:
|
|
- name: lint-makefile
|
|
image: docker.io/cytopia/checkmake:0.1.0@sha256:50957311f1ae25fd5925e1a45798d323cf00b3654cd1eede8db7814c72cec41d
|
|
workingDir: $(workspaces.shared-workspace.path)
|
|
command:
|
|
- checkmake
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_gitea-set-status" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: gitea-set-status
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Git
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/tags: gitea
|
|
tekton.dev/displayName: set gitea status
|
|
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
This task will set the status of the CI job to the specified value along with a link to the specified target URL where developers can follow the progress of the CI job.
|
|
The `gitea-set-status` task allows external services to mark Gitea commits with an `error`, `failure`, `pending`, or `success` state, which is then reflected in pull requests involving those commits. Statuses include as well a `description` and a `target_url`, to give the user informations about the CI statuses or a direct link to the full log.
|
|
params:
|
|
- name: GITEA_HOST_URL
|
|
description: |
|
|
The Gitea host, e.g: git.yourcompany.com. Can include port.
|
|
type: string
|
|
default: gitea-http.${var.domain}-ci.svc:3000
|
|
- name: GITEA_HTTPS_OR_HTTP
|
|
description: |
|
|
If we should connect with HTTP or HTTPS. Use "http" or "https" here.
|
|
type: string
|
|
default: http
|
|
- name: API_PATH_PREFIX
|
|
description: |
|
|
The API path prefix of Gitea, default: /api/v1
|
|
default: /api/v1
|
|
type: string
|
|
- name: REPO_FULL_NAME
|
|
description: |
|
|
The Gitea repository full name, e.g.: tektoncd/catalog
|
|
type: string
|
|
- name: GITEA_TOKEN_SECRET_NAME
|
|
description: |
|
|
The name of the kubernetes secret that contains the Gitea token, default: gitea
|
|
type: string
|
|
default: gitea
|
|
- name: GITEA_TOKEN_SECRET_KEY
|
|
description: |
|
|
The key within the kubernetes secret that contains the Gitea token, default: token
|
|
type: string
|
|
default: token
|
|
- name: SHA
|
|
description: |
|
|
Commit SHA to set the status for.
|
|
type: string
|
|
- name: TARGET_URL
|
|
description: |
|
|
The target URL to associate with this status. This URL will be linked
|
|
from the Gitea UI to allow users to easily see the source of the
|
|
status.
|
|
type: string
|
|
- name: DESCRIPTION
|
|
description: |
|
|
A short description of the status.
|
|
type: string
|
|
- name: CONTEXT
|
|
description: |
|
|
The Gitea context, A string label to differentiate this status from
|
|
the status of other systems. ie: "continuous-integration/tekton"
|
|
default: continuous-integration/tekton
|
|
type: string
|
|
- name: STATE
|
|
description: |
|
|
The state of the status. Can be one of the following `error`,
|
|
`failure`, `pending`, `warning` or `success`.
|
|
type: string
|
|
- name: IMAGE
|
|
description: |
|
|
Image providing the python binary which this task uses.
|
|
type: string
|
|
default: python:3.10.1-alpine3.15@sha256:affe0faa14e7553fc570beec3864e74b5e36f8c19b2bb49ae8ba79c0e9e7236e
|
|
- name: SHEBANG
|
|
description: |
|
|
Python path. Depends on the image.
|
|
type: string
|
|
default: /usr/bin/env python
|
|
volumes:
|
|
- name: giteatoken
|
|
secret:
|
|
secretName: $(params.GITEA_TOKEN_SECRET_NAME)
|
|
steps:
|
|
- name: set-status
|
|
volumeMounts:
|
|
- name: giteatoken
|
|
mountPath: /etc/gitea-set-status
|
|
image: $(params.IMAGE)
|
|
script: |-
|
|
#!$(params.SHEBANG)
|
|
|
|
"""This script will set the CI status on a Gitea commit"""
|
|
|
|
import json
|
|
import sys
|
|
import http.client
|
|
|
|
gitea_token = open("/etc/gitea-set-status/$(params.GITEA_TOKEN_SECRET_KEY)", "r").read()
|
|
|
|
status_url = "$(params.API_PATH_PREFIX)" + "/repos/$(params.REPO_FULL_NAME)/" + \
|
|
"statuses/$(params.SHA)"
|
|
|
|
data = {
|
|
"state": "$(params.STATE)",
|
|
"target_url": "$(params.TARGET_URL)",
|
|
"description": "$(params.DESCRIPTION)",
|
|
"context": "$(params.CONTEXT)"
|
|
}
|
|
print("Sending this data to Gitea: ")
|
|
print(data)
|
|
|
|
authHeader = "token " + gitea_token
|
|
|
|
if "$(params.GITEA_HTTPS_OR_HTTP)" == "https":
|
|
conn = http.client.HTTPSConnection("$(params.GITEA_HOST_URL)")
|
|
else:
|
|
conn = http.client.HTTPConnection("$(params.GITEA_HOST_URL)")
|
|
|
|
conn.request(
|
|
"POST",
|
|
status_url,
|
|
body=json.dumps(data),
|
|
headers={
|
|
"User-Agent": "TektonCD, the peaceful cat",
|
|
"Authorization": authHeader,
|
|
"Accept": "application/json",
|
|
"Content-Type": "application/json",
|
|
})
|
|
resp = conn.getresponse()
|
|
if not str(resp.status).startswith("2"):
|
|
print("Error: %d" % (resp.status))
|
|
print(resp.read())
|
|
sys.exit(1)
|
|
else:
|
|
print("Gitea status '$(params.STATE)' has been set on "
|
|
"$(params.REPO_FULL_NAME)#$(params.SHA) ")
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_hadolint" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
annotations:
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/displayName: Hadolint
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/platforms: linux/amd64
|
|
tekton.dev/tags: Kubernetes, Misconfiguration
|
|
name: hadolint
|
|
labels: ${jsonencode(local.common_labels)}
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
This task makes it possible to use Hadolint within Tekton Pipeline.
|
|
A smarter Dockerfile linter that helps you build best practice Docker images. The linter parses the Dockerfile into an AST and performs rules on top of the AST
|
|
params:
|
|
- default: ''
|
|
description: ignore rules.
|
|
name: ignore-rules
|
|
type: string
|
|
- default: ./Dockerfile
|
|
description: Dockerfile path.
|
|
name: dockerfile-path
|
|
type: string
|
|
- default: tty
|
|
description: The output format for the results [tty | json | checkstyle | codeclimate | gitlab_codeclimate | codacy] (default tty).
|
|
name: output-format
|
|
type: string
|
|
steps:
|
|
- image: ghcr.io/hadolint/hadolint:v2.8.0-debian@sha256:50b0e60aa2b4aba5a26eeb4ad08c96ed7a828fca996632e29114aabea18345f4
|
|
name: lint-dockerfile
|
|
script: |
|
|
#!/bin/bash
|
|
set -e
|
|
if [ -n "$RULES" ]
|
|
then
|
|
IFS="," read -a RULES <<< "$RULES"
|
|
for rule in $${RULES[@]}; do ignore_rules="--ignore $rule $ignore_rules"; done
|
|
command_to_run="hadolint $${ignore_rules}"
|
|
else
|
|
command_to_run="hadolint"
|
|
fi
|
|
$command_to_run "$DOCKERFILE" -f "$OFORMAT"
|
|
env:
|
|
- name: RULES
|
|
value: $(params.ignore-rules)
|
|
- name: DOCKERFILE
|
|
value: $(params.dockerfile-path)
|
|
- name: OFORMAT
|
|
value: $(params.output-format)
|
|
workingDir: $(workspaces.source.path)
|
|
workspaces:
|
|
- description: A workspace that contains fetched git repo.
|
|
name: source
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_hugo" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1
|
|
kind: Task
|
|
metadata:
|
|
name: hugo
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Build Tools, Cloud
|
|
tekton.dev/tags: buildtools, cloud
|
|
tekton.dev/displayName: Hugo
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
A Task that builds a Hugo site.
|
|
This task uses the Hugo static site generator to build a static site from the content in the specified directory.
|
|
workspaces:
|
|
- name: work-dir
|
|
params:
|
|
- name: content-dir
|
|
type: string
|
|
description: The directory where the content is located
|
|
default: ''
|
|
- name: minify
|
|
type: string
|
|
description: Minify the output e.g. HTML, CSS, JS, XML
|
|
default: 'false'
|
|
- name: base-url
|
|
type: string
|
|
description: The base URL for the Hugo site. By default reads from the hugo.toml or hugo.yaml
|
|
default: ''
|
|
- name: verbose
|
|
type: string
|
|
description: Verbose output
|
|
default: 'false'
|
|
results:
|
|
- name: output
|
|
description: generated static site
|
|
steps:
|
|
- name: build
|
|
env:
|
|
- name: HUGO_MINIFY
|
|
value: $(params.minify)
|
|
- name: HUGO_BASEURL
|
|
value: $(params.base-url)
|
|
- name: HUGO_VERBOSE
|
|
value: $(params.verbose)
|
|
- name: HUGO_CONTENT_DIR
|
|
value: $(params.content-dir)
|
|
image: docker.io/hugomods/hugo:0.122.0@sha256:e90f2e6786969463f3475c7d5e7f031cb5dbf75a8394687d52f99d6c9d0eda0d
|
|
script: |-
|
|
export HUGOCMD="hugo"
|
|
|
|
|
|
if [ "$HUGO_MINIFY" = 'true' ]; then
|
|
export HUGOCMD="$${HUGOCMD} --minify"
|
|
fi
|
|
|
|
if [ "$HUGO_BASEURL" != '' ]; then
|
|
export HUGOCMD="$${HUGOCMD} --baseURL $HUGO_BASEURL"
|
|
fi
|
|
|
|
if [ "$HUGO_VERBOSE" = 'true' ]; then
|
|
export HUGOCMD="$${HUGOCMD} --verbose"
|
|
fi
|
|
|
|
if [ "$HUGO_CONTENT_DIR" != '' ]; then
|
|
export HUGOCMD="$${HUGOCMD} --contentDir $${HUGO_CONTENT_DIR}"
|
|
fi
|
|
|
|
cd "$(workspaces.work-dir.path)" || exit
|
|
$HUGOCMD
|
|
|
|
printf "%s/public" "$(workspaces.work-dir.path)" | tee /tekton/results/output
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_buildah" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: buildah
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Image Build
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/tags: image-build
|
|
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
|
|
tekton.dev/displayName: buildah
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
Buildah task builds source into a container image and then pushes it to a container registry.
|
|
Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry.
|
|
params:
|
|
- name: IMAGE
|
|
description: Reference of the image buildah will produce.
|
|
- name: BUILDER_IMAGE
|
|
description: The location of the buildah builder image.
|
|
default: quay.io/buildah/stable:v1
|
|
- name: STORAGE_DRIVER
|
|
description: Set buildah storage driver
|
|
default: overlay
|
|
- name: DOCKERFILE
|
|
description: Path to the Dockerfile to build.
|
|
default: ./Dockerfile
|
|
- name: CONTEXT
|
|
description: Path to the directory to use as context.
|
|
default: .
|
|
- name: TLSVERIFY
|
|
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
|
|
default: 'true'
|
|
- name: FORMAT
|
|
description: The format of the built container, oci or docker
|
|
default: oci
|
|
- name: BUILD_EXTRA_ARGS
|
|
description: Extra parameters passed for the build command when building images.
|
|
default: ''
|
|
- name: PUSH_EXTRA_ARGS
|
|
description: Extra parameters passed for the push command when pushing images.
|
|
type: string
|
|
default: ''
|
|
- name: SKIP_PUSH
|
|
description: Skip pushing the built image
|
|
default: 'false'
|
|
workspaces:
|
|
- name: source
|
|
- name: sslcertdir
|
|
optional: true
|
|
- name: dockerconfig
|
|
description: An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json.
|
|
optional: true
|
|
results:
|
|
- name: IMAGE_DIGEST
|
|
description: Digest of the image just built.
|
|
- name: IMAGE_URL
|
|
description: Image repository where the built image would be pushed to
|
|
steps:
|
|
- name: build-and-push
|
|
image: $(params.BUILDER_IMAGE)
|
|
workingDir: $(workspaces.source.path)
|
|
script: |
|
|
[ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)"
|
|
[ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG
|
|
# build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args)
|
|
# shellcheck disable=SC2046,SC2086
|
|
buildah $${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" bud $(params.BUILD_EXTRA_ARGS) \
|
|
"--format=$(params.FORMAT)" "--tls-verify=$(params.TLSVERIFY)" \
|
|
-f "$(params.DOCKERFILE)" -t "$(params.IMAGE)" "$(params.CONTEXT)"
|
|
[ "$(params.SKIP_PUSH)" = "true" ] && echo "Push skipped" && exit 0
|
|
# push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args)
|
|
# shellcheck disable=SC2046,SC2086
|
|
buildah $${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" push $(params.PUSH_EXTRA_ARGS) \
|
|
"--tls-verify=$(params.TLSVERIFY)" --digestfile /tmp/image-digest "$(params.IMAGE)" \
|
|
"docker://$(params.IMAGE)"
|
|
tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest
|
|
printf '%s' "$(params.IMAGE)" | tee "$(results.IMAGE_URL.path)"
|
|
volumeMounts:
|
|
- name: varlibcontainers
|
|
mountPath: /var/lib/containers
|
|
securityContext:
|
|
privileged: true
|
|
volumes:
|
|
- name: varlibcontainers
|
|
emptyDir: {}
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_buildpacks" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: buildpacks
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Image Build
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/tags: image-build
|
|
tekton.dev/displayName: Buildpacks
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: The Buildpacks task builds source into a container image and pushes it to a registry, using Cloud Native Buildpacks.
|
|
workspaces:
|
|
- name: source
|
|
description: Directory where application source is located.
|
|
- name: cache
|
|
description: Directory where cache is stored (when no cache image is provided).
|
|
optional: true
|
|
- name: dockerconfig
|
|
description: An optional workspace that allows providing a .docker/config.json file for Buildpacks lifecycle binary to access the container registry. The file should be placed at the root of the Workspace with name config.json.
|
|
optional: true
|
|
params:
|
|
- name: APP_IMAGE
|
|
description: The name of where to store the app image.
|
|
- name: BUILDER_IMAGE
|
|
description: The image on which builds will run (must include lifecycle and compatible buildpacks).
|
|
- name: SOURCE_SUBPATH
|
|
description: A subpath within the `source` input where the source to build is located.
|
|
default: ''
|
|
- name: ENV_VARS
|
|
type: array
|
|
description: Environment variables to set during _build-time_.
|
|
default: []
|
|
- name: PROCESS_TYPE
|
|
description: The default process type to set on the image.
|
|
default: web
|
|
- name: RUN_IMAGE
|
|
description: Reference to a run image to use.
|
|
default: ''
|
|
- name: CACHE_IMAGE
|
|
description: The name of the persistent app cache image (if no cache workspace is provided).
|
|
default: ''
|
|
- name: SKIP_RESTORE
|
|
description: Do not write layer metadata or restore cached layers.
|
|
default: 'false'
|
|
- name: USER_ID
|
|
description: The user ID of the builder image user.
|
|
default: '1000'
|
|
- name: GROUP_ID
|
|
description: The group ID of the builder image user.
|
|
default: '1000'
|
|
- name: PLATFORM_DIR
|
|
description: The name of the platform directory.
|
|
default: empty-dir
|
|
results:
|
|
- name: APP_IMAGE_DIGEST
|
|
description: The digest of the built `APP_IMAGE`.
|
|
- name: APP_IMAGE_URL
|
|
description: The URL of the built `APP_IMAGE`.
|
|
stepTemplate:
|
|
env:
|
|
- name: CNB_PLATFORM_API
|
|
value: '0.9'
|
|
steps:
|
|
- name: prepare
|
|
image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6
|
|
args:
|
|
- --env-vars
|
|
- $(params.ENV_VARS[*])
|
|
script: |
|
|
#!/usr/bin/env bash
|
|
set -e
|
|
|
|
if [[ "$(workspaces.cache.bound)" == "true" ]]; then
|
|
echo "> Setting permissions on '$(workspaces.cache.path)'..."
|
|
chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$(workspaces.cache.path)"
|
|
fi
|
|
|
|
for path in "/tekton/home" "/layers" "$(workspaces.source.path)"; do
|
|
echo "> Setting permissions on '$path'..."
|
|
chown -R "$(params.USER_ID):$(params.GROUP_ID)" "$path"
|
|
|
|
if [[ "$path" == "$(workspaces.source.path)" ]]; then
|
|
chmod 775 "$(workspaces.source.path)"
|
|
fi
|
|
done
|
|
|
|
echo "> Parsing additional configuration..."
|
|
parsing_flag=""
|
|
envs=()
|
|
for arg in "$@"; do
|
|
if [[ "$arg" == "--env-vars" ]]; then
|
|
echo "-> Parsing env variables..."
|
|
parsing_flag="env-vars"
|
|
elif [[ "$parsing_flag" == "env-vars" ]]; then
|
|
envs+=("$arg")
|
|
fi
|
|
done
|
|
|
|
echo "> Processing any environment variables..."
|
|
ENV_DIR="/platform/env"
|
|
|
|
echo "--> Creating 'env' directory: $ENV_DIR"
|
|
mkdir -p "$ENV_DIR"
|
|
|
|
for env in "$${envs[@]}"; do
|
|
IFS='=' read -r key value <<< "$env"
|
|
if [[ "$key" != "" && "$value" != "" ]]; then
|
|
path="$${ENV_DIR}/$${key}"
|
|
echo "--> Writing $${path}..."
|
|
echo -n "$value" > "$path"
|
|
fi
|
|
done
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: $(params.PLATFORM_DIR)
|
|
mountPath: /platform
|
|
- name: create
|
|
image: $(params.BUILDER_IMAGE)
|
|
imagePullPolicy: Always
|
|
command:
|
|
- /cnb/lifecycle/creator
|
|
env:
|
|
- name: DOCKER_CONFIG
|
|
value: $(workspaces.dockerconfig.path)
|
|
args:
|
|
- -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)
|
|
- -cache-dir=$(workspaces.cache.path)
|
|
- -cache-image=$(params.CACHE_IMAGE)
|
|
- -uid=$(params.USER_ID)
|
|
- -gid=$(params.GROUP_ID)
|
|
- -layers=/layers
|
|
- -platform=/platform
|
|
- -report=/layers/report.toml
|
|
- -process-type=$(params.PROCESS_TYPE)
|
|
- -skip-restore=$(params.SKIP_RESTORE)
|
|
- -previous-image=$(params.APP_IMAGE)
|
|
- -run-image=$(params.RUN_IMAGE)
|
|
- $(params.APP_IMAGE)
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
- name: $(params.PLATFORM_DIR)
|
|
mountPath: /platform
|
|
securityContext:
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
- name: results
|
|
image: docker.io/library/bash:5.1.4@sha256:b208215a4655538be652b2769d82e576bc4d0a2bb132144c060efc5be8c3f5d6
|
|
script: |
|
|
#!/usr/bin/env bash
|
|
set -e
|
|
grep "digest" /layers/report.toml | cut -d'"' -f2 | cut -d'"' -f2 | tr -d '\n' | tee "$(results.APP_IMAGE_DIGEST.path)"
|
|
echo -n "$(params.APP_IMAGE)" | tee "$(results.APP_IMAGE_URL.path)"
|
|
volumeMounts:
|
|
- name: layers-dir
|
|
mountPath: /layers
|
|
volumes:
|
|
- name: empty-dir
|
|
emptyDir: {}
|
|
- name: layers-dir
|
|
emptyDir: {}
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_kubeval" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: kubeval
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/pipelines.minVersion: 0.12.1
|
|
tekton.dev/categories: Code Quality, Kubernetes
|
|
tekton.dev/tags: test
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: |-
|
|
This task makes it possible to use Kubeval within your Tekton pipelines.
|
|
Kubeval is a tool used for validating Kubernetes configuration files. By default the task will recursively scan the provided repository for YAML files and validate them against the Kubernetes schemas.
|
|
workspaces:
|
|
- name: source
|
|
params:
|
|
- name: files
|
|
default: .
|
|
- name: output
|
|
default: stdout
|
|
- name: args
|
|
type: array
|
|
default: []
|
|
steps:
|
|
- name: kubeval
|
|
workingDir: $(workspaces.source.path)
|
|
image: docker.io/garethr/kubeval:0.15.0@sha256:6962d8ecbb7839637667f66e6703e6ebaae0c29dfe93a31d9968fba4324c7b8d
|
|
command:
|
|
- kubeval
|
|
- -d
|
|
- $(params.files)
|
|
- -o
|
|
- $(params.output)
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|
|
resource "kubectl_manifest" "Task_pylint" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: pylint
|
|
labels: ${jsonencode(local.common_labels)}
|
|
annotations:
|
|
tekton.dev/categories: Code Quality
|
|
tekton.dev/pipelines.minVersion: 0.17.0
|
|
tekton.dev/tags: python, pylint
|
|
tekton.dev/displayName: pylint
|
|
tekton.dev/platforms: linux/amd64
|
|
namespace: ${var.namespace}
|
|
spec:
|
|
description: This task will run pylint on the provided input.
|
|
workspaces:
|
|
- name: source
|
|
- description: The workspace consisting of the custom pip settings.
|
|
name: pip-conf
|
|
optional: true
|
|
params:
|
|
- name: image
|
|
description: The container image with pylint
|
|
default: registry.gitlab.com/pipeline-components/pylint:0.12.0@sha256:051b701936dfab6fa27bd1ebd50ef56b19577565661bc0227e50dd1cf94a3d6e
|
|
- name: path
|
|
description: The path to the module which should be analysed by pylint
|
|
default: .
|
|
type: string
|
|
- name: requirements_file
|
|
description: The name of the requirements file inside the source location
|
|
default: requirements.txt
|
|
- name: args
|
|
description: The arguments to pass to the pylint CLI.
|
|
type: array
|
|
default: []
|
|
- name: pip_conf_file
|
|
description: The name of the custom pip config file.
|
|
default: pip.conf
|
|
steps:
|
|
- name: pylint
|
|
image: $(params.image)
|
|
workingDir: $(workspaces.source.path)
|
|
env:
|
|
- name: HOME
|
|
value: /tmp/python
|
|
- name: PARAM_PIP_CONF_FILE
|
|
value: $(params.pip_conf_file)
|
|
- name: WORKSPACE_PIP_CONF_BOUND
|
|
value: $(workspaces.pip-conf.bound)
|
|
- name: WORKSPACE_PIP_CONF_PATH
|
|
value: $(workspaces.pip-conf.path)
|
|
script: |
|
|
export PATH=$PATH:$HOME/.local/bin
|
|
|
|
if [ "$${WORKSPACE_PIP_CONF_BOUND}" = "true" ] ; then
|
|
export PIP_CONFIG_FILE="$${WORKSPACE_PIP_CONF_PATH}/$${PARAM_PIP_CONF_FILE}"
|
|
fi
|
|
|
|
if [ -n "$(params.requirements_file)" ] && [ -e "$(params.requirements_file)" ];then
|
|
python -mpip install --user -r "$(params.requirements_file)"
|
|
fi
|
|
pylint $@ "$(params.path)"
|
|
args:
|
|
- $(params.args)
|
|
EOF
|
|
}
|
|
|