From 87e526306fc7abda9c93afed4ecb7e3421f0df7d Mon Sep 17 00:00:00 2001
From: Brad Beck
Date: Wed, 3 Jan 2024 15:11:50 -0600
Subject: [PATCH] Run all the example pipelines

Signed-off-by: Brad Beck
---
 .github/workflows/install-frsca.yaml | 87 ++++++++++++++++++++++++----
 1 file changed, 77 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/install-frsca.yaml b/.github/workflows/install-frsca.yaml
index 184ef538..0330acd8 100644
--- a/.github/workflows/install-frsca.yaml
+++ b/.github/workflows/install-frsca.yaml
@@ -46,15 +46,10 @@ jobs:
 - name: Try the cluster !
 run: kubectl get pods -A
 - name: Initialize FRSCA
- env:
- REGISTRY: "registry.registry"
 run: |
 make setup-frsca
 - name: Run buildpacks pipeline
- env:
- REGISTRY: "registry.registry"
 run: |
- make registry-proxy >/dev/null &
 ./platform/wait-for-pipelinerun.sh -m example-buildpacks -n example-buildpacks-
 # tail PipelineRun logs
 tkn pr logs --last -f
@@ -83,12 +78,8 @@ jobs:
 tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]'
 cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
 cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
- kill %?registry-proxy
 - name: Run sample pipeline to test kyverno
- env:
- REGISTRY: "registry.registry"
 run: |
- make registry-proxy >/dev/null &
 ./platform/wait-for-pipelinerun.sh -m example-sample-pipeline -n example-sample-pipeline-
 # tail PipelineRun logs
 tkn pr logs --last -f
@@ -119,4 +110,80 @@ jobs:
 cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
 kubectl wait --timeout=5m --for=condition=ready pods -l app=picalc -n prod
- kill %?registry-proxy
+ - name: Run go pipeline
+ run: |
+ ./platform/wait-for-pipelinerun.sh -m example-golang-pipeline -n example-golang-
+ tkn pr logs --last -f
+ if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
+ tkn pr describe --last
+ exit 1
+ fi
+ sleep 60
+ export IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+ if [ "${REGISTRY}" = "registry.registry" ]; then
+ IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
+ fi
+ crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
+ cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ - name: Run IBM tutorial pipeline
+ run: |
+ ./platform/wait-for-pipelinerun.sh -m example-ibm-tutorial -n example-ibm-tutorial-
+ tkn pr logs --last -f
+ if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
+ tkn pr describe --last
+ exit 1
+ fi
+ sleep 60
+ export IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+ if [ "${REGISTRY}" = "registry.registry" ]; then
+ IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
+ fi
+ crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
+ cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ - name: Run gradle pipeline
+ run: |
+ ./platform/wait-for-pipelinerun.sh -m example-gradle-pipeline -n example-gradle-
+ tkn pr logs --last -f
+ if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
+ tkn pr describe --last
+ exit 1
+ fi
+ sleep 60
+ export IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+ if [ "${REGISTRY}" = "registry.registry" ]; then
+ IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
+ fi
+ crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
+ cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ - name: Run maven pipeline
+ run: |
+ ./platform/wait-for-pipelinerun.sh -m example-maven -n example-maven-
+ tkn pr logs --last -f
+ if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
+ tkn pr describe --last
+ exit 1
+ fi
+ - name: Run cosign pipeline
+ run: |
+ ./platform/wait-for-pipelinerun.sh -m example-cosign -n ko-pipelinerun-
+ tkn pr logs --last -f
+ if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then
+ tkn pr describe --last
+ exit 1
+ fi
+ sleep 60
+ export IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+ if [ "${REGISTRY}" = "registry.registry" ]; then
+ IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
+ fi
+ export TASK_RUN=$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name | match("IMAGE_URL$")) | .k')
+
+ tkn tr describe "${TASK_RUN}" -o jsonpath='{.metadata.annotations.chains\.tekton\.dev/signed}'
+
+ crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
+
+ cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
+ cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
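Review bot: The go, IBM tutorial, gradle and cosign steps added in this hunk give Tekton Chains a fixed `sleep 60` before `cosign verify`, and the cosign step prints the `chains.tekton.dev/signed` annotation without testing its value, so a slow or failed signing run surfaces only as an unexplained verification error. Polling the TaskRun annotation until it reads `true`, with a bounded number of attempts and an explicit failure message, makes the signing gate deterministic; the sketch below shows it for the cosign step, and the same loop fits the other three once they resolve `TASK_RUN`. These steps also still test `"${REGISTRY}"` although the commit deletes every step-level `env: REGISTRY`, so unless the variable is defined at job or workflow level outside the hunks, the `127.0.0.1:5000` rewrite is dead code. The maven step checks only the `Succeeded` condition, so a comment saying why no signature or attestation is verified there would help, as would one explaining why `--insecure-ignore-tlog` (no transparency-log check) is acceptable in this workflow.

```yaml
      - name: Run cosign pipeline
        run: |
          # … unchanged: wait-for-pipelinerun, log tail, Succeeded check,
          #   IMAGE_URL and TASK_RUN lookup (the fixed `sleep 60` is dropped) …
          # Wait for Tekton Chains to mark the TaskRun as signed, up to ~150s.
          signed=""
          tries=0
          while [ "${signed}" != "true" ] && [ "${tries}" -lt 30 ]; do
            signed="$(tkn tr describe "${TASK_RUN}" -o jsonpath='{.metadata.annotations.chains\.tekton\.dev/signed}' || true)"
            [ "${signed}" = "true" ] || sleep 5
            tries=$((tries + 1))
          done
          if [ "${signed}" != "true" ]; then
            echo "TaskRun ${TASK_RUN} not signed by Tekton Chains (annotation: '${signed}')" >&2
            exit 1
          fi
          # … unchanged: crane ls, cosign verify, cosign verify-attestation …
```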