From 100284f39ec0a302cf9d672738d35aa0ee25ec2f Mon Sep 17 00:00:00 2001 From: Brad Beck Date: Wed, 3 Jan 2024 15:11:50 -0600 Subject: [PATCH] Run all the example pipelines Signed-off-by: Brad Beck --- .github/workflows/install-frsca.yaml | 131 ++++++++++++++++++++++++--- examples/cosign/task-ko.yaml | 3 +- examples/examples.cue | 4 +- 3 files changed, 123 insertions(+), 15 deletions(-) diff --git a/.github/workflows/install-frsca.yaml b/.github/workflows/install-frsca.yaml index 184ef538..917c61b8 100644 --- a/.github/workflows/install-frsca.yaml +++ b/.github/workflows/install-frsca.yaml @@ -46,15 +46,10 @@ jobs: - name: Try the cluster ! run: kubectl get pods -A - name: Initialize FRSCA - env: - REGISTRY: "registry.registry" run: | make setup-frsca - name: Run buildpacks pipeline - env: - REGISTRY: "registry.registry" run: | - make registry-proxy >/dev/null & ./platform/wait-for-pipelinerun.sh -m example-buildpacks -n example-buildpacks- # tail PipelineRun logs tkn pr logs --last -f @@ -83,12 +78,9 @@ jobs: tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]' cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" - kill %?registry-proxy + kubectl delete pr --all -A - name: Run sample pipeline to test kyverno - env: - REGISTRY: "registry.registry" run: | - make registry-proxy >/dev/null & ./platform/wait-for-pipelinerun.sh -m example-sample-pipeline -n example-sample-pipeline- # tail PipelineRun logs tkn pr logs --last -f @@ -114,9 +106,124 @@ jobs: echo "TASK_RUN=${TASK_RUN}" echo "IMAGE_URL=${IMAGE_URL}" crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" - cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" - kubectl wait --timeout=5m --for=condition=ready pods -l app=picalc -n prod - kill %?registry-proxy + kubectl delete pr --all -A + - name: Run go pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-golang-pipeline -n example-golang- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A + - name: Run IBM tutorial pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-ibm-tutorial -n example-ibm-tutorial- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A + - name: Run gradle pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-gradle-pipeline -n example-gradle- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A + - name: Run maven pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-maven -n example-maven- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + kubectl delete pr --all -A + - name: Run cosign pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-cosign -n ko-pipelinerun- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A diff --git a/examples/cosign/task-ko.yaml b/examples/cosign/task-ko.yaml index f478327c..67bcad5f 100644 --- a/examples/cosign/task-ko.yaml +++ b/examples/cosign/task-ko.yaml @@ -20,7 +20,7 @@ spec: default: "" - name: KO_IMAGE description: The name of the Ko image - default: "ghcr.io/google/ko:14b4fe1c7c6c3246120f271e163ca00367108c04" + default: "ghcr.io/ko-build/ko:5a95f8abc540475366126d6c34baf7014794315c" - name: SOURCE_SUBPATH description: >- A subpath within checked out source where the source to build is @@ -49,6 +49,7 @@ spec: export LDFLAGS="" export GIT_HASH="test" export GIT_VERSION="test" + export GOFLAGS="-buildvcs=false" KO_IMAGE=$(ko build \ --base-import-paths \ "$(params.SOURCE_SUBPATH)") diff --git a/examples/examples.cue b/examples/examples.cue index 14169b30..08a61c8a 100644 --- a/examples/examples.cue +++ b/examples/examples.cue @@ -43,7 +43,7 @@ for pr in frsca.pipelineRun { frsca: persistentVolumeClaim: "\(pr.metadata.generateName)source-ws-pvc": { spec: { accessModes: ["ReadWriteOnce"] - resources: requests: storage: "500Mi" + resources: requests: storage: "750Mi" } } } @@ -62,7 +62,7 @@ for name, tt in frsca.triggerTemplate { frsca: persistentVolumeClaim: "\(name)-source-ws-pvc": { spec: { accessModes: ["ReadWriteOnce"] - resources: requests: storage: "500Mi" + resources: requests: storage: "750Mi" } } }