From 15f69b61c8fc59c9c2790315ac3e9e5c6bd6617a Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Mon, 20 May 2024 16:47:56 -0400
Subject: [PATCH] Switch Pipelines to use Trusted Artifact

This commit changes the push and pull-request Pipelines for the various components to use Trusted Artifacts stored in the OCI registry. It also modifies the go-unit-test Task so it can be used via the Pipeline as Code resolver[1] removing the need to create a Tekton bundle for it.

[1] https://docs.openshift.com/pipelines/1.11/pac/using-pac-resolver.html

Signed-off-by: Luiz Carvalho
---
 .tekton/logsigner-pull-request.yaml | 80 ++++++++++++-----------------
 .tekton/logsigner-push.yaml | 80 ++++++++++++-----------------
 .tekton/trillian-unit-test.yaml | 31 ++++++++---
 3 files changed, 90 insertions(+), 101 deletions(-)

diff --git a/.tekton/logsigner-pull-request.yaml b/.tekton/logsigner-pull-request.yaml
index c32a36e2d1..4b62abd895 100644
--- a/.tekton/logsigner-pull-request.yaml
+++ b/.tekton/logsigner-pull-request.yaml
@@ -8,6 +8,7 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "go.mod".pathChanged() || "go.sum".pathChanged() || ".tekton/logsigner-pull-request.yaml".pathChanged() || "Dockerfile.logsigner.rh".pathChanged() || "cmd/trillian_log_signer/***".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
+ pipelinesascode.tekton.dev/task: "[.tekton/trillian-unit-test.yaml]"
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: trillian
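Review bot: The `on-cel-expression` just above the added annotation still lists only go.mod, go.sum, this pipeline file, the Dockerfile, the signer sources and trigger-konflux-builds.txt, while the new `pipelinesascode.tekton.dev/task` annotation makes `.tekton/trillian-unit-test.yaml` part of what the pull-request pipeline executes. A pull request that changes only that Task, which now replaces a digest-pinned bundle and is resolved from the PR revision, will not trigger this pipeline, so its changes are first exercised by a later unrelated PR or by the push pipeline. Add `|| ".tekton/trillian-unit-test.yaml".pathChanged()` inside the parenthesised group of the expression. The corresponding hunk in .tekton/logsigner-push.yaml triggers on every push and does not need this.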
@@ -162,14 +163,18 @@ spec:
 value: $(params.git-url)
 - name: revision
 value: $(params.revision)
+ - name: ociStorage
+ value: $(params.output-image).git
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
 runAfter:
 - init
 taskRef:
 params:
 - name: name
- value: git-clone
+ value: git-clone-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba
+ value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:c18dc89b0c35f425a5dd10aa48a7e5177deb6addcc06db99646df17fcdde5a2d
 - name: kind
 value: task
 resolver: bundles
@@ -179,22 +184,26 @@ spec:
 values:
 - "true"
 workspaces:
- - name: output
- workspace: workspace
 - name: basic-auth
 workspace: git-auth
 - name: prefetch-dependencies
 params:
 - name: input
 value: $(params.prefetch-input)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: ociStorage
+ value: $(params.output-image).prefetch
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
 runAfter:
 - clone-repository
 taskRef:
 params:
 - name: name
- value: prefetch-dependencies
+ value: prefetch-dependencies-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052
+ value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:fe351ee58ed07d7455b32a01dddecf7512dc56506b6260c17fa9a1b4513d02dc
 - name: kind
 value: task
 resolver: bundles
@@ -203,9 +212,6 @@ spec:
 operator: in
 values:
 - "true"
- workspaces:
- - name: source
- workspace: workspace
 - name: build-container
 params:
 - name: IMAGE
@@ -222,14 +228,18 @@ spec:
 value: $(params.image-expires-after)
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 runAfter:
 - prefetch-dependencies
 taskRef:
 params:
 - name: name
- value: buildah
+ value: buildah-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4fe8b5f597759bce6c71979dec50e07e5831c493f10d7c9035c61a2b87cfa9eb
 - name: kind
 value: task
 resolver: bundles
@@ -238,23 +248,24 @@ spec:
 operator: in
 values:
 - "true"
- workspaces:
- - name: source
- workspace: workspace
 - name: build-source-image
 params:
 - name: BINARY_IMAGE
 value: $(params.output-image)
 - name: BASE_IMAGES
 value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 runAfter:
 - build-container
 taskRef:
 params:
 - name: name
- value: source-build
+ value: source-build-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:1f62eaf64a188fcf61f808ad78a15ebf9a8f7f51c644266ad195718b6a2dd372
+ value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:ae12b84e22d77cc1112c03b2182dcc14bb7da6a9fdbebab00be57c725d0ef4cf
 - name: kind
 value: task
 resolver: bundles
@@ -267,9 +278,6 @@ spec:
 operator: in
 values:
 - "true"
- workspaces:
- - name: workspace
- workspace: workspace
 - name: deprecated-base-image-check
 params:
 - name: BASE_IMAGES_DIGESTS
@@ -317,14 +325,17 @@ spec:
 values:
 - "false"
 - name: sast-snyk-check
+ params:
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
 runAfter:
 - clone-repository
 taskRef:
 params:
 - name: name
- value: sast-snyk-check
+ value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:9ec1e2dea3dad0af7f84858eb5b177f1a7244a2bf71e625a429d44ff5a9359ce
 - name: kind
 value: task
 resolver: bundles
@@ -333,9 +344,6 @@ spec:
 operator: in
 values:
 - "false"
- workspaces:
- - name: workspace
- workspace: workspace
 - name: clamav-scan
 params:
 - name: image-digest
@@ -384,34 +392,12 @@ spec:
 runAfter:
 - prefetch-dependencies
 taskRef:
- params:
- - name: name
- value: go-unit-test
- - name: bundle
- value: quay.io/securesign/trillian-unit-test@sha256:56557b0303473a81a9326c3f64575941879bd1dc2c15360c7a3cee9eb7ad25ad
- - name: kind
- value: task
- resolver: bundles
- workspaces:
- - name: source
- workspace: workspace
+ name: go-unit-test
 workspaces:
- - name: workspace
 - name: git-auth
 optional: true
 taskRunTemplate: {}
 workspaces:
- - name: workspace
- volumeClaimTemplate:
- metadata:
- creationTimestamp: null
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- status: {}
 - name: git-auth
 secret:
 secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/logsigner-push.yaml b/.tekton/logsigner-push.yaml
index d332f3e81b..c98c49ebe1 100644
--- a/.tekton/logsigner-push.yaml
+++ b/.tekton/logsigner-push.yaml
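Review bot: `sast-snyk-check` now takes `SOURCE_ARTIFACT` from `$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)`, but its `runAfter` (a context line in this hunk) still names `clone-repository`. Tekton also orders tasks by result references, so the run should still wait for prefetch-dependencies, but the explicit dependency no longer describes the data flow and differs from build-container, which lists `- prefetch-dependencies` for the same inputs. Change the entry to `- prefetch-dependencies` here and in the matching hunk of .tekton/logsigner-push.yaml (@@ -314,14 +322,17).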
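Review bot: The `go-unit-test` pipeline task's `taskRef` is reduced to `name: go-unit-test`, but no `params` block passing `SOURCE_ARTIFACT` appears in this hunk, while the rewritten Task in .tekton/trillian-unit-test.yaml declares `SOURCE_ARTIFACT` as a string param with no default and the `source` workspace it used before is removed together with the shared `workspace` volume. Unless such a block already sits in the unchanged lines above the hunk's `runAfter:` context (not shown here), the PipelineRun should fail validation for a missing required parameter, so the unit tests would not run at all. Add `params:` / `- name: SOURCE_ARTIFACT` / `value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)` under the pipeline task, mirroring build-container, here and in the last hunk of .tekton/logsigner-push.yaml (@@ -381,34 +389,12). Note also that the Task is no longer the digest-pinned `quay.io/securesign/trillian-unit-test` bundle but is resolved from the repository, so the pull-request pipeline runs whichever version of that file the PR revision carries.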
@@ -7,6 +7,7 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"
+ pipelinesascode.tekton.dev/task: "[.tekton/trillian-unit-test.yaml]"
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: trillian
@@ -159,14 +160,18 @@ spec:
 value: $(params.git-url)
 - name: revision
 value: $(params.revision)
+ - name: ociStorage
+ value: $(params.output-image).git
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
 runAfter:
 - init
 taskRef:
 params:
 - name: name
- value: git-clone
+ value: git-clone-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba
+ value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:c18dc89b0c35f425a5dd10aa48a7e5177deb6addcc06db99646df17fcdde5a2d
 - name: kind
 value: task
 resolver: bundles
@@ -176,22 +181,26 @@ spec:
 values:
 - "true"
 workspaces:
- - name: output
- workspace: workspace
 - name: basic-auth
 workspace: git-auth
 - name: prefetch-dependencies
 params:
 - name: input
 value: $(params.prefetch-input)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: ociStorage
+ value: $(params.output-image).prefetch
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
 runAfter:
 - clone-repository
 taskRef:
 params:
 - name: name
- value: prefetch-dependencies
+ value: prefetch-dependencies-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052
+ value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:fe351ee58ed07d7455b32a01dddecf7512dc56506b6260c17fa9a1b4513d02dc
 - name: kind
 value: task
 resolver: bundles
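Review bot: The new `ociStorage` values `$(params.output-image).git` and `$(params.output-image).prefetch` publish the cloned source and the prefetched dependencies as tags next to the built image, with their lifetime tied to `$(params.image-expires-after)` through `ociArtifactExpiresAfter`. The default of that parameter in the push pipeline is outside this hunk; if it is empty, these artifacts never expire and remain in the registry for as long as the tags do, which is a retention decision rather than a defect, but one worth confirming. Record the intent with a comment such as `# .git/.prefetch trusted artifacts share the image's expiry` above the `ociStorage` entries in both the clone-repository and prefetch-dependencies tasks.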
@@ -200,9 +209,6 @@ spec:
 operator: in
 values:
 - "true"
- workspaces:
- - name: source
- workspace: workspace
 - name: build-container
 params:
 - name: IMAGE
@@ -219,14 +225,18 @@ spec:
 value: $(params.image-expires-after)
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 runAfter:
 - prefetch-dependencies
 taskRef:
 params:
 - name: name
- value: buildah
+ value: buildah-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4fe8b5f597759bce6c71979dec50e07e5831c493f10d7c9035c61a2b87cfa9eb
 - name: kind
 value: task
 resolver: bundles
@@ -235,23 +245,24 @@ spec:
 operator: in
 values:
 - "true"
- workspaces:
- - name: source
- workspace: workspace
 - name: build-source-image
 params:
 - name: BINARY_IMAGE
 value: $(params.output-image)
 - name: BASE_IMAGES
 value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 runAfter:
 - build-container
 taskRef:
 params:
 - name: name
- value: source-build
+ value: source-build-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:1f62eaf64a188fcf61f808ad78a15ebf9a8f7f51c644266ad195718b6a2dd372
+ value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:ae12b84e22d77cc1112c03b2182dcc14bb7da6a9fdbebab00be57c725d0ef4cf
 - name: kind
 value: task
 resolver: bundles
@@ -264,9 +275,6 @@ spec:
 operator: in
 values:
 - "true"
- workspaces:
- - name: workspace
- workspace: workspace
 - name: deprecated-base-image-check
 params:
 - name: BASE_IMAGES_DIGESTS
@@ -314,14 +322,17 @@ spec:
 values:
 - "false"
 - name: sast-snyk-check
+ params:
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
 runAfter:
 - clone-repository
 taskRef:
 params:
 - name: name
- value: sast-snyk-check
+ value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:9ec1e2dea3dad0af7f84858eb5b177f1a7244a2bf71e625a429d44ff5a9359ce
 - name: kind
 value: task
 resolver: bundles
@@ -330,9 +341,6 @@ spec:
 operator: in
 values:
 - "false"
- workspaces:
- - name: workspace
- workspace: workspace
 - name: clamav-scan
 params:
 - name: image-digest
@@ -381,34 +389,12 @@ spec:
 runAfter:
 - prefetch-dependencies
 taskRef:
- params:
- - name: name
- value: go-unit-test
- - name: bundle
- value: quay.io/securesign/trillian-unit-test@sha256:56557b0303473a81a9326c3f64575941879bd1dc2c15360c7a3cee9eb7ad25ad
- - name: kind
- value: task
- resolver: bundles
- workspaces:
- - name: source
- workspace: workspace
+ name: go-unit-test
 workspaces:
- - name: workspace
 - name: git-auth
 optional: true
 taskRunTemplate: {}
 workspaces:
- - name: workspace
- volumeClaimTemplate:
- metadata:
- creationTimestamp: null
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- status: {}
 - name: git-auth
 secret:
 secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/trillian-unit-test.yaml b/.tekton/trillian-unit-test.yaml
index 54e35d8ecf..55d6c2b84a 100644
--- a/.tekton/trillian-unit-test.yaml
+++ b/.tekton/trillian-unit-test.yaml
@@ -5,17 +5,34 @@ metadata:
 annotations:
 tekton.dev/title: "Go Unit Test Task"
 spec:
- workspaces:
- - name: source
+ params:
+ - description: The trusted artifact URI containing the application source code.
+ name: SOURCE_ARTIFACT
+ type: string
+ # TODO: Probably want to pass in the cachi2 artifact to speed up the testing a bit?
+ # - description: The trusted artifact URI containing the prefetched dependencies.
+ # name: CACHI2_ARTIFACT
+ # type: string
+ # default: ""
+ stepTemplate:
+ volumeMounts:
+ - mountPath: /var/workdir
+ name: workdir
 steps:
+ - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
+ name: use-trusted-artifact
+ args:
+ - use
+ - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+ # - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
 - name: run-tests
 image: registry.access.redhat.com/ubi9/go-toolset@sha256:15e7344d24e3d191c6595fe043323bde27c25e1220f8cc77cd6c5cd5d1ff10c2
- workingDir: $(workspaces.source.path)/source
+ workingDir: /var/workdir/source
 script: |
 #!/usr/bin/env sh
+ # TODO: May need to set env vars to point to the cachi2 directory?
 go mod vendor
 go test $(go list ./... | grep -v /storage/ | grep -v /client/ )
-
-# This file bundles the unit tests for trillian.
-# If any changes are made to this file, it must be pushed to Quay using the following command:
-# 'tkn bundle push quay.io/securesign/trillian-unit-test:latest -f .tekton/trillian-unit-test.yaml'.
\ No newline at end of file
+ volumes:
+ - name: workdir
+ emptyDir: {}
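Review bot: The `run-tests` script still has no `set -e` after `#!/usr/bin/env sh`, so a failing `go mod vendor` does not stop the step; `go test` then runs against whatever is in the tree and the step's outcome is only the exit status of that last command. Because the Cachi2 artifact is deliberately left unused (the commented-out param and the two `# TODO` lines), `go mod vendor` presumably resolves modules over the network inside the test step, so a vendoring failure is a realistic case and hermeticity is lost there, as the TODOs already hint. Add `set -eu` on the line after the shebang so that failure fails the step. On the positive side, both the `build-trusted-artifacts` and `go-toolset` images are pinned by digest, which keeps the Task reproducible now that it is resolved from the repository by the PaC resolver instead of the `tkn bundle` flow the removed trailing comment described.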