From 716573548cfa2f63e5ac505aaf05541bab75bf4e Mon Sep 17 00:00:00 2001
From: "Randal S. Harisch"
Date: Sun, 24 Sep 2023 17:05:37 -0600
Subject: [PATCH] Initial submission
---
.gitignore | 2 +
README.md | 1 +
.../conversionengine-webhook-listener.yaml | 34 ++
.../upload-to-nextcloud-webhook-listener.yaml | 34 ++
pipeline/conversion-engine.yaml | 326 +++++++++++++++++
pipeline/upload-to-nextcloud.yaml | 327 ++++++++++++++++++
secrets/git-secret.yaml | 116 +++++++
secrets/webhook-secret.yaml | 36 ++
tasks/generate-image-tag-task.yaml | 29 ++
tasks/git-semver.yaml | 34 ++
tasks/gitea-merge-pr.yaml | 132 +++++++
tasks/golangci-lint.yaml | 81 +++++
.../openshift-ephemeral-namespace-client.yaml | 45 +++
tasks/s2i-go-debug.yaml | 107 ++++++
triggerbinding/gitea-webhook-binding.yaml | 18 +
.../conversionengine-template.yaml | 88 +++++
triggertemplate/upload-to-nextcloud.yaml | 88 +++++
17 files changed, 1498 insertions(+)
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 eventlistener/conversionengine-webhook-listener.yaml
create mode 100644 eventlistener/upload-to-nextcloud-webhook-listener.yaml
create mode 100644 pipeline/conversion-engine.yaml
create mode 100644 pipeline/upload-to-nextcloud.yaml
create mode 100644 secrets/git-secret.yaml
create mode 100644 secrets/webhook-secret.yaml
create mode 100644 tasks/generate-image-tag-task.yaml
create mode 100644 tasks/git-semver.yaml
create mode 100644 tasks/gitea-merge-pr.yaml
create mode 100644 tasks/golangci-lint.yaml
create mode 100644 tasks/openshift-ephemeral-namespace-client.yaml
create mode 100644 tasks/s2i-go-debug.yaml
create mode 100644 triggerbinding/gitea-webhook-binding.yaml
create mode 100644 triggertemplate/conversionengine-template.yaml
create mode 100644 triggertemplate/upload-to-nextcloud.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..538006a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.ssh/
+custom-scc.yaml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0041e5b
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# CI/CD Pipeline for Goghvideo application
diff --git a/eventlistener/conversionengine-webhook-listener.yaml b/eventlistener/conversionengine-webhook-listener.yaml
new file mode 100644
index 0000000..0479b6a
--- /dev/null
+++ b/eventlistener/conversionengine-webhook-listener.yaml
@@ -0,0 +1,34 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+ name: conversionengine-webhook-listener
+ name: gighvideo-cicd-pipeline
+spec:
+ serviceAccountName: pipeline
+ triggers:
+ - name: conversionengine-greeter-webhook
+ interceptors:
+ - name: gitea
+ ref:
+ name: gitea
+ kind: ClusterInterceptor
+ apiVersion: triggers.tekton.dev
+ params:
+ - name: secretRef
+ value:
+ secretName: webhook-secret
+ secretKey: sharedSecret
+ - name: eventTypes
+ value: ["pull_request", "pull_request_sync"]
+ - name: allow-create-and-update-only
+ ref:
+ name: cel
+ kind: ClusterInterceptor
+ params:
+ - name: filter
+ value: >
+ body.action in ['opened', 'synchronized']
+ bindings:
+ - ref: gitea-binding
+ template:
+ ref: conversionengine-template
diff --git a/eventlistener/upload-to-nextcloud-webhook-listener.yaml b/eventlistener/upload-to-nextcloud-webhook-listener.yaml
new file mode 100644
index 0000000..d4af206
--- /dev/null
+++ b/eventlistener/upload-to-nextcloud-webhook-listener.yaml
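Review bot: In eventlistener/conversionengine-webhook-listener.yaml, `metadata` carries the key `name` twice (`name: conversionengine-webhook-listener`, then `name: gighvideo-cicd-pipeline`); duplicate keys are invalid YAML and most parsers silently keep the last one, so the listener would be created under the second value with no namespace set. The second line looks like it was meant to be `namespace: goghvideo-cicd-pipeline`, the spelling the tasks in this patch use. eventlistener/upload-to-nextcloud-webhook-listener.yaml repeats the same two lines, so both listeners would also resolve to the same object name.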
@@ -0,0 +1,34 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+ name: upload-to-nextcloud-webhook-listener
+ name: gighvideo-cicd-pipeline
+spec:
+ serviceAccountName: pipeline
+ triggers:
+ - name: upload2nc-greeter-webhook
+ interceptors:
+ - name: gitea
+ ref:
+ name: gitea
+ kind: ClusterInterceptor
+ apiVersion: triggers.tekton.dev
+ params:
+ - name: secretRef
+ value:
+ secretName: webhook-secret
+ secretKey: sharedSecret
+ - name: eventTypes
+ value: ["pull_request", "pull_request_sync"]
+ - name: allow-create-and-update-only
+ ref:
+ name: cel
+ kind: ClusterInterceptor
+ params:
+ - name: filter
+ value: >
+ body.action in ['opened', 'synchronized']
+ bindings:
+ - ref: gitea-binding
+ template:
+ ref: upload2nc-template
diff --git a/pipeline/conversion-engine.yaml b/pipeline/conversion-engine.yaml
new file mode 100644
index 0000000..980167e
--- /dev/null
+++ b/pipeline/conversion-engine.yaml
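Review bot: The `cel` filter in eventlistener/upload-to-nextcloud-webhook-listener.yaml admits every `pull_request` event whose action is `opened` or `synchronized`, with no condition on the repository, the target branch or the sender; conversionengine-webhook-listener.yaml has the same filter. The pipelines added in this patch build the pull request's code and end in a `perform-merge` task, so the webhook signature is the only control on what gets built and merged; the trigger templates are not in view, so the exact wiring is inferred. Consider narrowing the filter, e.g. `body.action in ['opened', 'synchronized'] && body.repository.full_name == '<owner>/<repo>'` (placeholder value), and adding a sender condition if accounts outside the team can open pull requests.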
@@ -0,0 +1,326 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: ce-buildtest + namespace: learntekton +spec: + workspaces: + - name: source + - name: gitauth + - name: dockerconfig + - name: helm + - name: gitsshauth + params: + - name: git-repo-full-name + type: string + - name: git-token-secret-name + type: string + - name: git-token-secret-key + type: string + - name: git-commit-sha + type: string + - name: git-repo-url + type: string + description: Git URL to retrieve + - name: git-branch + type: string + description: branch to checkout + - name: git-pr-index + description: PR number to merge + - name: git-merge-type + description: What type of merge to do + - name: git-merge-delete-branch + description: delete the branch after merge + - name: verbose + type: string + default: "false" + - name: lint-package + type: string + - name: lint-context + type: string + description: Path to where the modules are stored + - name: lint-version + type: string + default: latest + - name: image + type: string + - name: s2i-builder-image + type: string + - name: git-helm-url + type: string + tasks: + - name: set-check-pending + taskRef: + name: gitea-set-status + params: + - name: SHA + value: $(params.git-commit-sha) + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Build started + - name: STATE + value: pending + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines/all-namespaces + - name: git-semver + runAfter: + - set-check-pending + taskRef: + name: git-semver + params: + - name: gitrepositoryurl + value: $(params.git-repo-url) + - name: gitbranch + value: $(params.git-branch) + workspaces: + - name: repo + workspace: source + - name: gitauth + workspace: gitauth + - 
name: golangci-lint + runAfter: + - git-semver + taskRef: + name: golangci-lint + params: + - name: package + value: $(params.lint-package) + - name: context + value: $(params.lint-context) + - name: version + value: $(params.lint-version) + workspaces: + - name: source + workspace: source + - name: generate-imagetag + runAfter: + - golangci-lint + taskRef: + name: generate-image-tag + params: + - name: version + value: $(tasks.git-semver.results.version) + - name: image + value: $(params.image) + - name: s2i-build + runAfter: + - generate-imagetag + taskRef: + name: s2i-go-debug + params: + - name: TLSVERIFY + value: false + - name: BUILDER_IMAGE + value: $(params.s2i-builder-image) + - name: PATH_CONTEXT + value: $(params.lint-context) + - name: verbose + value: true + - name: IMAGE + value: $(tasks.generate-imagetag.results.imagetag) + - name: ENV_VARS + value: + - semver=$(tasks.git-semver.results.version) + workspaces: + - name: source + workspace: source + - name: dockerconfig + workspace: dockerconfig + - name: ephemeral-ns + runAfter: + - s2i-build + taskref: + name: openshift-ephemeral-namespace-client + kind: Task + params: + - name: VERSION + value: 4.11 + - name: SCRIPT + value: | + echo "${SHELL}" + RANDOMID=$(openssl rand -hex 4) + oc new-project goghvideo-test-${RANDOMID} >/dev/null + oc label namespace goghvideo-test-${RANDOMID} app=goghvideo-test + + x=0; until [[ -n $(oc -n goghvideo-test-${RANDOMID} get secret/goghvideo-openshift-builder-pull-secret 2>/dev/null) || $x -eq 10 ]]; do echo "Waiting for secret replication" && sleep 10 && ((x++)); done + if [[ "${x}" -eq 10 ]]; then exit 1; fi + + oc -n goghvideo-test-${RANDOMID} secrets link default goghvideo-openshift-builder-pull-secret --for=pull + + oc apply -f - </dev/null ) || $x -eq 10 ]]; do echo "Waiting for operator to deploy rabbit" && sleep 5 && ((x++)); done + if [[ "${x}" -eq 10 ]]; then exit 1; fi + + oc -n goghvideo-test-${RANDOMID} adm policy add-scc-to-user anyuid -z rabbitmq-server 
+ + x=0; until [[ $(oc -n goghvideo-test-${RANDOMID} get sts rabbitmq-server -o jsonpath="{.status.readyReplicas}") -gt 0 || $x -eq 20 ]]; do echo "Waiting for Rabbit MQ to startup" && sleep 15 && ((x++)); done + if [[ "${x}" -eq 20 ]]; then exit 1; fi + oc -n goghvideo-test-${RANDOMID} create route edge --service=rabbitmq --port=15672 + + oc -n goghvideo-test-${RANDOMID} get pods + + RABBITHOST=$(oc -n goghvideo-test-${RANDOMID} get secret/rabbitmq-default-user -o template='{{ .data.host | base64decode }}') + RABBITUSER=$(oc -n goghvideo-test-${RANDOMID} get secret/rabbitmq-default-user -o template='{{ .data.username | base64decode }}') + RABBITPASS=$(oc -n goghvideo-test-${RANDOMID} get secret/rabbitmq-default-user -o template='{{ .data.password | base64decode }}') + oc -n goghvideo-test-${RANDOMID} create secret generic amqp --from-literal=url=amqp://${RABBITUSER}:${RABBITPASS}@${RABBITHOST}/ + + curl -O http://${RABBITHOST}:15672/cli/rabbitmqadmin + chmod +x rabbitmqadmin + + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare exchange name=conversion type=topic + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare queue name=transcode durable=true queue_type=quorum + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare queue name=notification durable=true queue_type=quorum + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare queue name=upload-nextcloud durable=true queue_type=quorum + + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare binding source="conversion" destination_type="queue" destination="transcode" routing_key="transcode" + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare binding source="conversion" destination_type="queue" destination="notification" routing_key="notification" + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare binding source="conversion" destination_type="queue" 
destination="upload-nextcloud" routing_key="upload-nextcloud" + + echo -n "goghvideo-test-${RANDOMID}" > $(results.namespace.path) + workspaces: + - name: kubeconfig-dir + workspace: dockerconfig + - name: clone-helm-charts + runAfter: ["ephemeral-ns"] + taskRef: + name: git-clone + params: + - name: url + value: $(params.git-helm-url) + workspaces: + - name: output + workspace: helm + - name: ssh-directory + workspace: gitsshauth + - name: deploy-testver + runAfter: ["clone-helm-charts"] + taskRef: + name: helm-upgrade-from-source + params: + - name: charts_dir + value: conversion-engine + - name: release_namespace + value: $(tasks.ephemeral-ns.results.namespace) + - name: release_name + value: conversion-engine + - name: overwrite_values + value: "image.tag=$(tasks.git-semver.results.version)" + workspaces: + - name: source + workspace: helm + - name: deploy-upload-to-nextcloud + runAfter: ["clone-helm-charts"] + taskRef: + name: helm-upgrade-from-source + params: + - name: charts_dir + value: upload-to-nextcloud + - name: release_namespace + value: $(tasks.ephemeral-ns.results.namespace) + - name: release_name + value: upload-to-nextcloud + workspaces: + - name: source + workspace: helm + - name: pass-pr-check + runAfter: ["deploy-testver"] + taskRef: + name: gitea-set-status + params: + - name: SHA + value: $(params.git-commit-sha) + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Tekton CI Pipeline + - name: STATE + value: success + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines + - name: perform-merge + runAfter: ["pass-pr-check"] + taskRef: + name: gitea-merge-pr + params: + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: 
$(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Automatically merged by CI pipeline + - name: INDEX + value: $(params.git-pr-index) + - name: MERGETYPE + value: $(params.git-merge-type) + - name: DELETEBRANCH + value: $(params.git-merge-delete-branch) + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines + finally: + - name: fail-pr-check + when: + - input: $(tasks.status) + operator: in + values: + - Failed + taskRef: + name: gitea-set-status + params: + - name: SHA + value: $(params.git-commit-sha) + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Tekton CI Pipeline + - name: STATE + value: failure + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines diff --git a/pipeline/upload-to-nextcloud.yaml b/pipeline/upload-to-nextcloud.yaml new file mode 100644 index 0000000..25c7756 --- /dev/null +++ b/pipeline/upload-to-nextcloud.yaml 
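Review bot: The `s2i-build` task in pipeline/conversion-engine.yaml sets `TLSVERIFY` to `false`, so the image push appears to run without verifying the registry certificate while the `dockerconfig` workspace carries the push credentials; the s2i-go-debug task is outside this hunk, so the parameter's effect is assumed from its name. With verification off, anything able to intercept that connection can collect the credentials or substitute the pushed image. Prefer `value: "true"` and supply the registry's CA to the build step instead. The value is also an unquoted YAML boolean (as are `verbose` `true` and `VERSION` `4.11`), and Tekton string params are safer written quoted. pipeline/upload-to-nextcloud.yaml has the same `s2i-build` block.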
@@ -0,0 +1,327 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: upload-to-nextcloud + namespace: goghvideo-cicd-pipeline +spec: + workspaces: + - name: source + - name: gitauth + - name: dockerconfig + - name: helm + - name: gitsshauth + params: + - name: git-repo-full-name + type: string + - name: git-token-secret-name + type: string + - name: git-token-secret-key + type: string + - name: git-commit-sha + type: string + - name: git-repo-url + type: string + description: Git URL to retrieve + - name: git-branch + type: string + description: branch to checkout + - name: git-pr-index + description: PR number to merge + - name: git-merge-type + description: What type of merge to do + - name: git-merge-delete-branch + description: delete the branch after merge + - name: verbose + type: string + default: "false" + - name: lint-package + type: string + - name: lint-context + type: string + description: Path to where the modules are stored + - name: lint-version + type: string + default: latest + - name: image + type: string + - name: s2i-builder-image + type: string + - name: git-helm-url + type: string + tasks: + - name: set-check-pending + taskRef: + name: gitea-set-status + params: + - name: SHA + value: $(params.git-commit-sha) + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Build started + - name: STATE + value: pending + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines/all-namespaces + - name: git-semver + runAfter: + - set-check-pending + taskRef: + name: git-semver + params: + - name: gitrepositoryurl + value: $(params.git-repo-url) + - name: gitbranch + value: $(params.git-branch) + workspaces: + - name: repo + workspace: source + - name: gitauth + 
workspace: gitauth + - name: golangci-lint + runAfter: + - git-semver + taskRef: + name: golangci-lint + params: + - name: package + value: $(params.lint-package) + - name: context + value: $(params.lint-context) + - name: version + value: $(params.lint-version) + workspaces: + - name: source + workspace: source + - name: generate-imagetag + runAfter: + - golangci-lint + taskRef: + name: generate-image-tag + params: + - name: version + value: $(tasks.git-semver.results.version) + - name: image + value: $(params.image) + - name: s2i-build + runAfter: + - generate-imagetag + taskRef: + name: s2i-go-debug + kind: Task + params: + - name: TLSVERIFY + value: false + - name: BUILDER_IMAGE + value: $(params.s2i-builder-image) + - name: PATH_CONTEXT + value: $(params.lint-context) + - name: verbose + value: true + - name: IMAGE + value: $(tasks.generate-imagetag.results.imagetag) + - name: ENV_VARS + value: + - semver=$(tasks.git-semver.results.version) + workspaces: + - name: source + workspace: source + - name: dockerconfig + workspace: dockerconfig + - name: ephemeral-ns + runAfter: + - s2i-build + taskref: + name: openshift-ephemeral-namespace-client + kind: Task + params: + - name: VERSION + value: 4.11 + - name: SCRIPT + value: | + echo "${SHELL}" + RANDOMID=$(openssl rand -hex 4) + oc new-project goghvideo-test-${RANDOMID} >/dev/null + oc label namespace goghvideo-test-${RANDOMID} app=goghvideo-test + + x=0; until [[ -n $(oc -n goghvideo-test-${RANDOMID} get secret/goghvideo-openshift-builder-pull-secret 2>/dev/null) || $x -eq 10 ]]; do echo "Waiting for secret replication" && sleep 10 && ((x++)); done + if [[ "${x}" -eq 10 ]]; then exit 1; fi + + oc -n goghvideo-test-${RANDOMID} secrets link default goghvideo-openshift-builder-pull-secret --for=pull + + oc apply -f - </dev/null ) || $x -eq 10 ]]; do echo "Waiting for operator to deploy rabbit" && sleep 5 && ((x++)); done + if [[ "${x}" -eq 10 ]]; then exit 1; fi + + oc -n goghvideo-test-${RANDOMID} adm policy 
add-scc-to-user anyuid -z rabbitmq-server + + x=0; until [[ $(oc -n goghvideo-test-${RANDOMID} get sts rabbitmq-server -o jsonpath="{.status.readyReplicas}") -gt 0 || $x -eq 20 ]]; do echo "Waiting for Rabbit MQ to startup" && sleep 15 && ((x++)); done + if [[ "${x}" -eq 20 ]]; then exit 1; fi + oc -n goghvideo-test-${RANDOMID} create route edge --service=rabbitmq --port=15672 + + oc -n goghvideo-test-${RANDOMID} get pods + + RABBITHOST=$(oc -n goghvideo-test-${RANDOMID} get secret/rabbitmq-default-user -o template='{{ .data.host | base64decode }}') + RABBITUSER=$(oc -n goghvideo-test-${RANDOMID} get secret/rabbitmq-default-user -o template='{{ .data.username | base64decode }}') + RABBITPASS=$(oc -n goghvideo-test-${RANDOMID} get secret/rabbitmq-default-user -o template='{{ .data.password | base64decode }}') + oc -n goghvideo-test-${RANDOMID} create secret generic amqp --from-literal=url=amqp://${RABBITUSER}:${RABBITPASS}@${RABBITHOST}/ + + curl -O http://${RABBITHOST}:15672/cli/rabbitmqadmin + chmod +x rabbitmqadmin + + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare exchange name=conversion type=topic + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare queue name=transcode durable=true queue_type=quorum + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare queue name=notification durable=true queue_type=quorum + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare queue name=upload-nextcloud durable=true queue_type=quorum + + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare binding source="conversion" destination_type="queue" destination="transcode" routing_key="transcode" + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare binding source="conversion" destination_type="queue" destination="notification" routing_key="notification" + ./rabbitmqadmin -H ${RABBITHOST} -u ${RABBITUSER} -p ${RABBITPASS} declare binding 
source="conversion" destination_type="queue" destination="upload-nextcloud" routing_key="upload-nextcloud" + + echo -n "goghvideo-test-${RANDOMID}" > $(results.namespace.path) + workspaces: + - name: kubeconfig-dir + workspace: dockerconfig + - name: clone-helm-charts + runAfter: ["ephemeral-ns"] + taskRef: + name: git-clone + params: + - name: url + value: $(params.git-helm-url) + workspaces: + - name: output + workspace: helm + - name: ssh-directory + workspace: gitsshauth + - name: deploy-testver + runAfter: ["clone-helm-charts"] + taskRef: + name: helm-upgrade-from-source + params: + - name: charts_dir + value: conversion-engine + - name: release_namespace + value: $(tasks.ephemeral-ns.results.namespace) + - name: release_name + value: conversion-engine + - name: overwrite_values + value: "image.tag=$(tasks.git-semver.results.version)" + workspaces: + - name: source + workspace: helm + - name: deploy-upload-to-nextcloud + runAfter: ["clone-helm-charts"] + taskRef: + name: helm-upgrade-from-source + params: + - name: charts_dir + value: upload-to-nextcloud + - name: release_namespace + value: $(tasks.ephemeral-ns.results.namespace) + - name: release_name + value: upload-to-nextcloud + workspaces: + - name: source + workspace: helm + - name: pass-pr-check + runAfter: ["deploy-testver"] + taskRef: + name: gitea-set-status + params: + - name: SHA + value: $(params.git-commit-sha) + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Tekton CI Pipeline + - name: STATE + value: success + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines + - name: perform-merge + runAfter: ["pass-pr-check"] + taskRef: + name: gitea-merge-pr + params: + - name: GITEA_HOST_URL + value: git.endofday.com + - 
name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Automatically merged by CI pipeline + - name: INDEX + value: $(params.git-pr-index) + - name: MERGETYPE + value: $(params.git-merge-type) + - name: DELETEBRANCH + value: $(params.git-merge-delete-branch) + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines + finally: + - name: fail-pr-check + when: + - input: $(tasks.status) + operator: in + values: + - Failed + taskRef: + name: gitea-set-status + params: + - name: SHA + value: $(params.git-commit-sha) + - name: GITEA_HOST_URL + value: git.endofday.com + - name: REPO_FULL_NAME + value: $(params.git-repo-full-name) + - name: GITEA_TOKEN_SECRET_NAME + value: $(params.git-token-secret-name) + - name: GITEA_TOKEN_SECRET_KEY + value: $(params.git-token-secret-key) + - name: DESCRIPTION + value: Tekton CI Pipeline + - name: STATE + value: failure + - name: TARGET_URL + value: https://console-openshift-console.apps.ocp.endofday.com/pipelines diff --git a/secrets/git-secret.yaml b/secrets/git-secret.yaml new file mode 100644 index 0000000..36516fd --- /dev/null +++ b/secrets/git-secret.yaml 
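Review bot: In pipeline/upload-to-nextcloud.yaml, `pass-pr-check` runs after `deploy-testver` only and `perform-merge` follows it, so the pull request is marked successful and merged without waiting for `deploy-upload-to-nextcloud`, which runs in parallel from `clone-helm-charts`. No task between the deploy and the merge exercises the deployed release, so a successful Helm install is the only gate before the code lands on the target branch. Suggest `runAfter: ["deploy-testver", "deploy-upload-to-nextcloud"]` on `pass-pr-check` and a test task ahead of it. The `image.tag` override is also passed to the `conversion-engine` chart rather than to `upload-to-nextcloud`, which looks copied from pipeline/conversion-engine.yaml, where the same gating applies.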
@@ -0,0 +1,116 @@ +apiVersion: v1 +kind: Secret +metadata: + name: git-credentials + annotations: + tekton.dev/git-0: git-ssh.ipa.endofday.com + namespace: goghvideo-cicd-pipeline +type: kubernetes.io/ssh-auth +stringData: + known_hosts: ENC[AES256_GCM,data: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,iv:jkxx1XewwWkgMzMgaxn/LaEW/UFm8AvTw/VuRd9S5YU=,tag:ZiqGazl7Fyfb0aYOE+WcQg==,type:str] +data: + ssh-privatekey: ENC[AES256_GCM,data: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,iv:JKjKDMEYtyMZ0/H0OAob6fJfrE+v3c90nVehxV1D5vw=,tag:q30FrYBCop5tW112yNgkrA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-09-24T22:56:50Z" + mac: ENC[AES256_GCM,data:UqYcmRw0z3sMW8TkdUIdhFjHJ34B0k3XdN/LvAna6KhLvxta/BQZ9im97MJqeLgwgKHhFsG6zwYkgsjPi8B7nMb5esxc+A7R8ipzKjVLWNtjyEtJV3X+o++C4I98Jtd6QedHU4RHiQBB3PTwi70ObmqQrscvwUp6F7tsiMyxRhw=,iv:A+3heWAoGPVuMA85tFYVx32QqdZ2yKkYI1MvVXtD/jQ=,tag:HP9kPLUYjXnt5dcy77oxGQ==,type:str] + pgp: + - created_at: "2023-09-24T22:56:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcDMA0gtINCTAeZuAQwAqvrlHhNnorSO6wqiMfJMNto4VO26yIRktyA4B1S3eeGR + 5sZgX/xaVuGD2swf3FwRYLt/nUWIYKmiG7ktbFqx3+lN92xMq31gaT9JROQV1Bbi + RNe5Sbc8Dr6VeZVqnHGcsQU5T094PCbDaWEXkE4TyoRwDyJCEI2fsB374Q4pWfnq + W0rj4nUcdW86Q5XTgsrhsbNNIaQ6bcrb60LmZvFB3d834KTB7eOaBcjnm8VIvWEa + uT+AVR+mH2mBEJWiogSYFwdd/sOHJBJjZdVrH+AUamFewlG+CpU5+bPSDtxAQCDQ + talrZ2pNOU4M01xc3DrhjqFYvFTEN0n68E9WAFR6HwO6WkHNIetUT30lyV11s1w0 + jekndMYPJAJJDnFu+kMBLNyUh343HTBp3a2UhE80Sgflbc6mDnj9RQosKgOSBmyo + fJLHGb891ZVu3PaClPQEbjG6fSmjhjTUjh2PTB3+KIPKqr2r7EfRF5sH4rFafrL3 + ygAcqRzbGMUljJM+ECT00lEBBg7daWSQbf8oFTuLrblJmm55Vj/3zPLzifQLxDRe + 52LSnREJWBwDZO3Pgcdo4WCXCRSkr9h+jh4sacaYm+nDrPtAtUKlWmFwJboUhiWY + owo= + =d61F + -----END PGP MESSAGE----- + fp: 72E72623346EA4589F9348C8DD8DF053BEDF14D1 + encrypted_regex: ^(user.*|pass.*|.*[Bb]earer.*|.*[Kk]ey|.*[Kk]eys|salt|sentry.*|.*[Tt]oken|data.*|stringData.*)$ + version: 3.7.3 +--- +apiVersion: v1 +kind: 
ServiceAccount +metadata: + name: pipeline + namespace: goghvideo-cicd-pipeline +secrets: + - name: git-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-09-24T22:56:50Z" + mac: ENC[AES256_GCM,data:UqYcmRw0z3sMW8TkdUIdhFjHJ34B0k3XdN/LvAna6KhLvxta/BQZ9im97MJqeLgwgKHhFsG6zwYkgsjPi8B7nMb5esxc+A7R8ipzKjVLWNtjyEtJV3X+o++C4I98Jtd6QedHU4RHiQBB3PTwi70ObmqQrscvwUp6F7tsiMyxRhw=,iv:A+3heWAoGPVuMA85tFYVx32QqdZ2yKkYI1MvVXtD/jQ=,tag:HP9kPLUYjXnt5dcy77oxGQ==,type:str] + pgp: + - created_at: "2023-09-24T22:56:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcDMA0gtINCTAeZuAQwAqvrlHhNnorSO6wqiMfJMNto4VO26yIRktyA4B1S3eeGR + 5sZgX/xaVuGD2swf3FwRYLt/nUWIYKmiG7ktbFqx3+lN92xMq31gaT9JROQV1Bbi + RNe5Sbc8Dr6VeZVqnHGcsQU5T094PCbDaWEXkE4TyoRwDyJCEI2fsB374Q4pWfnq + W0rj4nUcdW86Q5XTgsrhsbNNIaQ6bcrb60LmZvFB3d834KTB7eOaBcjnm8VIvWEa + uT+AVR+mH2mBEJWiogSYFwdd/sOHJBJjZdVrH+AUamFewlG+CpU5+bPSDtxAQCDQ + talrZ2pNOU4M01xc3DrhjqFYvFTEN0n68E9WAFR6HwO6WkHNIetUT30lyV11s1w0 + jekndMYPJAJJDnFu+kMBLNyUh343HTBp3a2UhE80Sgflbc6mDnj9RQosKgOSBmyo + fJLHGb891ZVu3PaClPQEbjG6fSmjhjTUjh2PTB3+KIPKqr2r7EfRF5sH4rFafrL3 + ygAcqRzbGMUljJM+ECT00lEBBg7daWSQbf8oFTuLrblJmm55Vj/3zPLzifQLxDRe + 52LSnREJWBwDZO3Pgcdo4WCXCRSkr9h+jh4sacaYm+nDrPtAtUKlWmFwJboUhiWY + owo= + =d61F + -----END PGP MESSAGE----- + fp: 72E72623346EA4589F9348C8DD8DF053BEDF14D1 + encrypted_regex: ^(user.*|pass.*|.*[Bb]earer.*|.*[Kk]ey|.*[Kk]eys|salt|sentry.*|.*[Tt]oken|data.*|stringData.*)$ + version: 3.7.3 +--- +apiVersion: v1 +kind: Secret +metadata: + name: goghvideo-registry-pusher + namespace: gighvideo-cicd-pipeline +type: Opaque +data: + config.json: 
ENC[AES256_GCM,data:LlNGwsCcdlbsHz9OubLSFOgO0E3JG/6QY5gIz1STB7fbMspjs1q8DJMsSnMRz+DjyDR0Z7Q0V1tHjEjtimXDLWltAoV31xaEmcW8kun9YdegSuSylaxjZ+lpGwcMjNkQgx3um3Ao/fd3U50WJTy8LlN7C4WS+7AmjupXUVHVxGmf9cLKV9OZOMhdriAjkrk5S/hCh4UjFFW1tFVfbC/JnGme9jT5vW9JVrxiC9HW5i97DvvzPdKuvc4/d6Ai1n7CXj0lBnEesYxJ+FHyz+VJQPpFKhkM/8evUhdbXoQamgLoXkD/21wY2jJFRzcLqDcC1RnZtYic63zoRrehf80d0RVOFeG0YF4Ir1tsMLrhRB5SGGhT8RctYyrCl1dGuMmIo8IM0T49HBM=,iv:GqKqO70KwCFFq4120d7p1oPGu9NAaOwrBjrSzO2TQ9I=,tag:Z1K8kPFInWrhxCFXFiFCKA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-09-24T22:56:50Z" + mac: ENC[AES256_GCM,data:UqYcmRw0z3sMW8TkdUIdhFjHJ34B0k3XdN/LvAna6KhLvxta/BQZ9im97MJqeLgwgKHhFsG6zwYkgsjPi8B7nMb5esxc+A7R8ipzKjVLWNtjyEtJV3X+o++C4I98Jtd6QedHU4RHiQBB3PTwi70ObmqQrscvwUp6F7tsiMyxRhw=,iv:A+3heWAoGPVuMA85tFYVx32QqdZ2yKkYI1MvVXtD/jQ=,tag:HP9kPLUYjXnt5dcy77oxGQ==,type:str] + pgp: + - created_at: "2023-09-24T22:56:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcDMA0gtINCTAeZuAQwAqvrlHhNnorSO6wqiMfJMNto4VO26yIRktyA4B1S3eeGR + 5sZgX/xaVuGD2swf3FwRYLt/nUWIYKmiG7ktbFqx3+lN92xMq31gaT9JROQV1Bbi + RNe5Sbc8Dr6VeZVqnHGcsQU5T094PCbDaWEXkE4TyoRwDyJCEI2fsB374Q4pWfnq + W0rj4nUcdW86Q5XTgsrhsbNNIaQ6bcrb60LmZvFB3d834KTB7eOaBcjnm8VIvWEa + uT+AVR+mH2mBEJWiogSYFwdd/sOHJBJjZdVrH+AUamFewlG+CpU5+bPSDtxAQCDQ + talrZ2pNOU4M01xc3DrhjqFYvFTEN0n68E9WAFR6HwO6WkHNIetUT30lyV11s1w0 + jekndMYPJAJJDnFu+kMBLNyUh343HTBp3a2UhE80Sgflbc6mDnj9RQosKgOSBmyo + fJLHGb891ZVu3PaClPQEbjG6fSmjhjTUjh2PTB3+KIPKqr2r7EfRF5sH4rFafrL3 + ygAcqRzbGMUljJM+ECT00lEBBg7daWSQbf8oFTuLrblJmm55Vj/3zPLzifQLxDRe + 52LSnREJWBwDZO3Pgcdo4WCXCRSkr9h+jh4sacaYm+nDrPtAtUKlWmFwJboUhiWY + owo= + =d61F + -----END PGP MESSAGE----- + fp: 72E72623346EA4589F9348C8DD8DF053BEDF14D1 + encrypted_regex: ^(user.*|pass.*|.*[Bb]earer.*|.*[Kk]ey|.*[Kk]eys|salt|sentry.*|.*[Tt]oken|data.*|stringData.*)$ + version: 3.7.3 diff --git a/secrets/webhook-secret.yaml b/secrets/webhook-secret.yaml new file mode 100644 index 0000000..6f2d65e 
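Review bot: The `goghvideo-registry-pusher` Secret (third document of secrets/git-secret.yaml) is placed in `namespace: gighvideo-cicd-pipeline`, while the `git-credentials` Secret and the `pipeline` ServiceAccount in the same file use `goghvideo-cicd-pipeline`. If that is a typo, the registry credentials are applied to a different namespace (or the apply fails) and the pipeline cannot bind them; the line should read `namespace: goghvideo-cicd-pipeline`. The three documents share one SOPS `mac`, which by default covers unencrypted values too, so the correction should be made through `sops` rather than by editing the committed file by hand.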
--- /dev/null +++ b/secrets/webhook-secret.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Secret +metadata: + name: webhook-secret +type: Opaque +stringData: + sharedSecret: ENC[AES256_GCM,data:9gMFnwgpnT5zWzGvSDqlm5ngxzFGyEMuGnr81sV934I=,iv:0nw+g3kPA46NFOMLFjstt8lNvsIBpM5rjgjTVYJdTjo=,tag:hAu5FtiLG4JMOab2hM/9BQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-09-24T22:48:50Z" + mac: ENC[AES256_GCM,data:cRp/c6CS+oUGVDFaHR9uYHKKr3bA78zoGQmVTVTxjMNNk+Pd7M4Wj8FfrEMe0IQoQlLr9HQijL9LlANbcr4o0+drxSD9iXUN1qUcnkM9L8qaHoDtWilor7HwZf6ySl238/wkNLVoT6UKMpKZXFhI5EF7MScDR7c7SNVgoYAjaic=,iv:Palg6zpKOjqgMaCMva05FkAffTaq3VIaQVVyxPS5/YU=,tag:rZ5zk3KeNQL2H8opeH+kHA==,type:str] + pgp: + - created_at: "2023-09-24T22:48:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcDMA0gtINCTAeZuAQv/S89/a9NbXrCcw/s1Slf/jWahFi7IEcgPIA+o2axUJJJN + GiJ/fI219MHktgGmXbw8ZOUAkYA5undRh8ew5XY0JlNuu0OUHfKta+LjkeNlMByR + kFWNXTj7okObJmGieB/+awpmtQi0GNNg3K7SpMThcMBMPsvXFYR3hRMgIM08w7FL + Q4AzxbOfI5fexpWVW7CdBtKZbbfK9+SH7mKPBuDyFAOchFD+TIh1BvcZmitqVUNy + MlUE/twwxCQFGE65zgY/N568ML/cRDmmahISemVTOxkXs9Jo8xhqKh7ebFWmfLHX + dlxip+b652rvt/dIIFOyDiXka7w20zkhBSMPMDxQn7Ckc5ttstbCyhQJpdyK0YhM + d3BPqIwxtLKUTnkiKLXysMjoqxSC4kJHtpsHKQU/FNZzewEo/6LEoQ7RyBwVM71H + aymijKx9X57BHx+YX6eNLQQFSctN/+7Z3Xi05UK9VHzlBM6weDezHrDN0Ue8THRA + WykySzbolV3pBriRk5Dx0lEBS1rV4HjpNfS8fZPX05l+j8bJgjy81UZKxAo/R9QM + nmpmgJ/+Ub+RudD/d/YEkiirgG2OnsFRBU+u/u9Qi14YZilQYAB5dFTvIB4OTus1 + L8w= + =Keic + -----END PGP MESSAGE----- + fp: 72E72623346EA4589F9348C8DD8DF053BEDF14D1 + encrypted_regex: ^(user.*|pass.*|.*[Bb]earer.*|.*[Kk]ey|.*[Kk]eys|salt|sentry.*|.*[Tt]oken|data.*|stringData.*)$ + version: 3.7.3 diff --git a/tasks/generate-image-tag-task.yaml b/tasks/generate-image-tag-task.yaml new file mode 100644 index 0000000..96f83f5 --- /dev/null +++ b/tasks/generate-image-tag-task.yaml 
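Review bot: `metadata` of `webhook-secret` has no `namespace`, unlike the other resources in this patch, so the Secret lands in whatever namespace the applying context selects. The gitea interceptor's `secretRef` in the event listeners gives only `secretName` and `secretKey`, so it presumably resolves in the listener's namespace; if the two differ, signature validation would fail for every delivery. Adding `namespace: goghvideo-cicd-pipeline` (through `sops`, since the file is MAC-protected) would pin it.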
@@ -0,0 +1,29 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: generate-image-tag
+ namespace: goghvideo-cicd-pipeline
+spec:
+ params:
+ - name: image
+ type: string
+ - name: version
+ type: string
+ results:
+ - name: imagetag
+ type: string
+ steps:
+ - name: concatenate-strings
+ image: quay01.ipa.endofday.com/goghvideo/rockylinux:9-ubi
+ env:
+ - name: IMAGE
+ value: $(params.image)
+ - name: TAG
+ value: $(params.version)
+
+ script: |
+ #!/usr/bin/env bash
+ IMAGE=$(echo -n ${IMAGE})
+ TAG=$(echo -n ${TAG})
+
+ echo -n "${IMAGE}:v${TAG}" > "$(results.imagetag.path)"
diff --git a/tasks/git-semver.yaml b/tasks/git-semver.yaml
new file mode 100644
index 0000000..74668f3
--- /dev/null
+++ b/tasks/git-semver.yaml
@@ -0,0 +1,34 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: git-semver
+ namespace: goghvideo-cicd-pipeline
+spec:
+ params:
+ - name: gitrepositoryurl
+ type: string
+ - name: gitbranch
+ type: string
+ default: master
+ results:
+ - name: version
+ type: string
+ steps:
+ - name: clone-and-calculate-semver
+ image: quay01.ipa.endofday.com/goghvideo/gitversion:latest
+ env:
+ - name: PARAM_REPO
+ value: $(params.gitrepositoryurl)
+ - name: PARAM_BRANCH
+ value: $(params.gitbranch)
+ script: |
+ #!/usr/bin/env bash
+ USERNAME=$(cat /workspace/gitauth/username)
+ PASSWORD=$(cat /workspace/gitauth/password)
+ /tools/dotnet-gitversion /url ${PARAM_REPO} /b ${PARAM_BRANCH} /u ${USERNAME} /p ${PASSWORD} /dynamicRepoLocation /workspace/repo /overrideconfig mode=Mainline /showvariable MajorMinorPatch /verbosity quiet > $(results.version.path)
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ workspaces:
+ - name: repo
+ - name: gitauth
diff --git a/tasks/gitea-merge-pr.yaml b/tasks/gitea-merge-pr.yaml
new file mode 100644
index 0000000..0e72c9e
--- /dev/null
+++ b/tasks/gitea-merge-pr.yaml
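Review bot: In tasks/git-semver.yaml the script expands `${PARAM_REPO}`, `${PARAM_BRANCH}`, `${USERNAME}` and `${PASSWORD}` unquoted on the `dotnet-gitversion` command line, so a value containing whitespace is split into extra arguments; the branch name reaches this task from the pipeline's `git-branch` param, which is likely taken from the webhook payload. Quote each expansion: `/url "${PARAM_REPO}" /b "${PARAM_BRANCH}" /u "${USERNAME}" /p "${PASSWORD}"`. The password stays visible in the process arguments either way; if the GitVersion build in the image can read the remote credentials from environment variables, that is preferable. The step image is also referenced as `gitversion:latest`, whereas tasks/gitea-merge-pr.yaml pins its default image by digest.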
@@ -0,0 +1,132 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: gitea-merge-pr
+ namespace: goghvideo-cicd-pipeline
+spec:
+ description: |-
+ This task will merge a PR and delete the branch.
+ params:
+ - description: |
+ The Gitea host, e.g: git.yourcompany.com. Can include port.
+ name: GITEA_HOST_URL
+ type: string
+ - default: https
+ description: |
+ If we should connect with HTTP or HTTPS. Use "http" or "https" here.
+ name: GITEA_HTTPS_OR_HTTP
+ type: string
+ - default: /api/v1
+ description: |
+ The API path prefix of Gitea, default: /api/v1
+ name: API_PATH_PREFIX
+ type: string
+ - description: |
+ The Gitea repository full name, e.g.: tektoncd/catalog
+ name: REPO_FULL_NAME
+ type: string
+ - default: gitea
+ description: |
+ The name of the kubernetes secret that contains the Gitea token, default: gitea
+ name: GITEA_TOKEN_SECRET_NAME
+ type: string
+ - default: token
+ description: |
+ The key within the kubernetes secret that contains the Gitea token, default: token
+ name: GITEA_TOKEN_SECRET_KEY
+ type: string
+ - description: |
+ Merge Index Number
+ name: INDEX
+ type: string
+ - description: |
+ The target URL to associate with this status. This URL will be linked
+ from the Gitea UI to allow users to easily see the source of the
+ status.
+ name: TARGET_URL
+ type: string
+ - description: |
+ A short description of the status.
+ name: DESCRIPTION
+ type: string
+ - default: continuous-integration/tekton
+ description: |
+ The Gitea context, A string label to differentiate this status from
+ the status of other systems. ie: "continuous-integration/tekton"
+ name: CONTEXT
+ type: string
+ - description: |
+ The merge message field
+ name: MERGETYPE
+ type: string
+ - default: python:3.10.1-alpine3.15@sha256:affe0faa14e7553fc570beec3864e74b5e36f8c19b2bb49ae8ba79c0e9e7236e
+ description: |
+ Image providing the python binary which this task uses.
+ name: IMAGE
+ type: string
+ - default: true
+ description: |
+ Delete the branch after merge
+ name: DELETEBRANCH
+ type: string
+ - default: /usr/bin/env python
+ description: |
+ Python path. Depends on the image.
+ name: SHEBANG
+ type: string
+ steps:
+ - image: $(params.IMAGE)
+ name: merge-pull-request
+ script: |
+ #!$(params.SHEBANG)
+
+ """This script will set the CI status on a Gitea commit"""
+
+ import json
+ import sys
+ import http.client
+
+ gitea_token = open("/etc/gitea-set-status/$(params.GITEA_TOKEN_SECRET_KEY)", "r").read()
+
+ merge_url = "$(params.API_PATH_PREFIX)" + "/repos/$(params.REPO_FULL_NAME)/" + \
+ "pulls/$(params.INDEX)/merge"
+
+ data = {
+ "Do": "$(params.MERGETYPE)",
+ "MergeMessageField": "$(params.DESCRIPTION)",
+ "MergeTitleField": "$(params.CONTEXT)"
+ }
+ print("Sending this data to Gitea: ")
+ print(data)
+
+ authHeader = "token " + gitea_token
+
+ if "$(params.GITEA_HTTPS_OR_HTTP)" == "https":
+ conn = http.client.HTTPSConnection("$(params.GITEA_HOST_URL)")
+ else:
+ conn = http.client.HTTPConnection("$(params.GITEA_HOST_URL)")
+
+ conn.request(
+ "POST",
+ merge_url,
+ body=json.dumps(data),
+ headers={
+ "User-Agent": "TektonCD, the peaceful cat",
+ "Authorization": authHeader,
+ "Accept": "application/json",
+ "Content-Type": "application/json",
+ })
+ resp = conn.getresponse()
+ if not str(resp.status).startswith("2"):
+ print("Error: %d" % (resp.status))
+ print(resp.read())
+ sys.exit(1)
+ else:
+ print("Gitea merge completed on $(params.REPO_FULL_NAME)")
+ volumeMounts:
+ - mountPath: /etc/gitea-set-status
+ name: giteatoken
+ volumes:
+ - name: giteatoken
+ secret:
+ secretName: $(params.GITEA_TOKEN_SECRET_NAME)
diff --git a/tasks/golangci-lint.yaml b/tasks/golangci-lint.yaml
new file mode 100644
index 0000000..735a027
--- /dev/null
+++ b/tasks/golangci-lint.yaml
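Review bot: The merge-pull-request script has Tekton substitute `$(params.…)` directly into Python source, for example `"MergeMessageField": "$(params.DESCRIPTION)"` and the `merge_url` path built from `REPO_FULL_NAME` and `INDEX`. The substitution is textual and happens before the interpreter starts, so a value containing a double quote or a newline changes the program rather than the data; the trigger files later in this patch take repo name and PR number from the webhook body, presumably ending up in these params. Pass the values through `env` and read them with `os.environ`, the way generate-image-tag and git-semver in this commit already hand params to their shell steps. Separately, `DELETEBRANCH` and `TARGET_URL` are declared but never read by the script, and the docstring still describes setting a CI status rather than merging.

```yaml
    - image: $(params.IMAGE)
      name: merge-pull-request
      env:
        - name: API_PATH_PREFIX
          value: $(params.API_PATH_PREFIX)
        - name: REPO_FULL_NAME
          value: $(params.REPO_FULL_NAME)
        - name: PR_INDEX
          value: $(params.INDEX)
        - name: MERGE_TYPE
          value: $(params.MERGETYPE)
        - name: MERGE_MESSAGE
          value: $(params.DESCRIPTION)
        - name: MERGE_TITLE
          value: $(params.CONTEXT)
      script: |
        # … unchanged: shebang, docstring, imports (plus `import os`) …
        merge_url = "%s/repos/%s/pulls/%s/merge" % (
            os.environ["API_PATH_PREFIX"],
            os.environ["REPO_FULL_NAME"],
            os.environ["PR_INDEX"],
        )

        data = {
            "Do": os.environ["MERGE_TYPE"],
            "MergeMessageField": os.environ["MERGE_MESSAGE"],
            "MergeTitleField": os.environ["MERGE_TITLE"],
        }
        # … unchanged: token read, connection setup, request, status check;
        #   the host, scheme and token-key params can move to env the same way …
```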
@@ -0,0 +1,81 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + annotations: + tekton.dev/categories: Code Quality + tekton.dev/displayName: golangci lint + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/platforms: linux/amd64 + tekton.dev/tags: lint + labels: + app.kubernetes.io/version: "0.2" + name: golangci-lint + namespace: goghvideo-cicd-pipeline +spec: + description: This Task is Golang task to validate Go projects. + params: + - description: base package (and its children) under validation + name: package + type: string + - default: . + description: path to the directory to use as context. + name: context + type: string + - default: --verbose + description: flags to use for the test command + name: flags + type: string + - default: v1.39 + description: golangci-lint version to use + name: version + type: string + - default: linux + description: running operating system target + name: GOOS + type: string + - default: amd64 + description: running architecture target + name: GOARCH + type: string + - default: auto + description: value of module support + name: GO111MODULE + type: string + - default: "" + description: Go caching directory path + name: GOCACHE + type: string + - default: "" + description: Go mod caching directory path + name: GOMODCACHE + type: string + - default: "" + description: golangci-lint cache path + name: GOLANGCI_LINT_CACHE + type: string + steps: + - env: + - name: GOPATH + value: /workspace + - name: GOOS + value: $(params.GOOS) + - name: GOARCH + value: $(params.GOARCH) + - name: GO111MODULE + value: $(params.GO111MODULE) + - name: GOCACHE + value: $(params.GOCACHE) + - name: GOMODCACHE + value: $(params.GOMODCACHE) + - name: GOLANGCI_LINT_CACHE + value: $(params.GOLANGCI_LINT_CACHE) + image: quay01.ipa.endofday.com/goghvideo/golang-lint:$(params.version) + name: lint + script: | + golangci-lint run $(params.flags) + workingDir: $(workspaces.source.path)/$(params.context) + workspaces: +# - mountPath: 
/workspace/src/$(params.package) +# name: source + - name: source + diff --git a/tasks/openshift-ephemeral-namespace-client.yaml b/tasks/openshift-ephemeral-namespace-client.yaml new file mode 100644 index 0000000..17743d8 --- /dev/null +++ b/tasks/openshift-ephemeral-namespace-client.yaml @@ -0,0 +1,45 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: openshift-ephemeral-namespace-client + namespace: goghvideo-cicd-pipeline +spec: + description: |- + This task runs commands against the cluster provided by user and if not provided then where the Task is being executed. + OpenShift is a Kubernetes distribution from Red Hat which provides oc, the OpenShift CLI that complements kubectl for simplifying deployment and configuration applications on OpenShift. + params: + - default: oc help + description: The OpenShift CLI arguments to run + name: SCRIPT + type: string + - default: "4.7" + description: The OpenShift Version to use + name: VERSION + type: string + results: + - name: namespace + type: string + description: The namespace which was created + steps: + - image: quay.io/openshift/origin-cli:$(params.VERSION) + name: oc + script: | + #!/usr/bin/env bash + + [[ "$(workspaces.manifest-dir.bound)" == "true" ]] && \ + cd $(workspaces.manifest-dir.path) + + [[ "$(workspaces.kubeconfig-dir.bound)" == "true" ]] && \ + [[ -f $(workspaces.kubeconfig-dir.path)/kubeconfig ]] && \ + export KUBECONFIG=$(workspaces.kubeconfig-dir.path)/kubeconfig + + $(params.SCRIPT) + workspaces: + - description: The workspace which contains kubernetes manifests which we want to + apply on the cluster. + name: manifest-dir + optional: true + - description: The workspace which contains the the kubeconfig file if in case we + want to run the oc command on another cluster. + name: kubeconfig-dir + optional: true diff --git a/tasks/s2i-go-debug.yaml b/tasks/s2i-go-debug.yaml new file mode 100644 index 0000000..61ed1b8 --- /dev/null +++ b/tasks/s2i-go-debug.yaml 
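Review bot: In tasks/golangci-lint.yaml the `package` parameter has no default, so every caller must supply it, yet its only reference is the commented-out `mountPath: /workspace/src/$(params.package)` under `workspaces`. The value therefore has no effect on the lint run, which works from `workingDir: $(workspaces.source.path)/$(params.context)`. Either delete the two commented lines and give the param `default: ""` with a description saying it is unused, or remove the param together with the callers' `lint-package` value. The `lint` script also has no shebang and pastes `$(params.flags)` into the shell text, so flags should stay a pipeline-authored literal and never be wired to a trigger parameter.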
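Review bot: tasks/openshift-ephemeral-namespace-client.yaml declares a `namespace` result ("The namespace which was created"), but nothing in the `oc` step writes to that result's path. Unless every caller's SCRIPT writes the file itself, a later pipeline task that references the result gets no value. Because the step body is simply `$(params.SCRIPT)` pasted into the shell, that contract belongs in the param description, e.g. `description: oc commands to run; must write the created namespace name to the task's namespace result file`. The same pasting means whoever controls SCRIPT runs arbitrary commands with the task's cluster credentials, so it should only ever be set from pipeline-authored text, not from webhook-derived params.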
@@ -0,0 +1,107 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: s2i-go-debug
+ namespace: goghvideo-cicd-pipeline
+spec:
+ description: s2i-go task clones a Git repository and builds and pushes a container
+ image using S2I and a Go builder image.
+ params:
+ - default: latest
+ description: The tag of go imagestream for go version
+ name: VERSION
+ type: string
+ - default: .
+ description: The location of the path to run s2i from.
+ name: PATH_CONTEXT
+ type: string
+ - default: "true"
+ description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
+ registry)
+ name: TLSVERIFY
+ type: string
+ - description: Location of the repo where image has to be pushed
+ name: IMAGE
+ type: string
+ - default: registry.redhat.io/rhel8/buildah@sha256:00795fafdab9bbaa22cd29d1faa1a01e604e4884a2c935c1bf8e3d1f0ad1c084
+ description: The location of the buildah builder image.
+ name: BUILDER_IMAGE
+ type: string
+ - default: "false"
+ description: Skip pushing the built image
+ name: SKIP_PUSH
+ type: string
+ - description: Environment variables to set during _build-time_.
+ name: ENV_VARS
+ type: array
+ results:
+ - description: Digest of the image just built.
+ name: IMAGE_DIGEST
+ type: string
+ steps:
+ - args:
+ - $(params.ENV_VARS[*])
+ env:
+ - name: HOME
+ value: /tekton/home
+ image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:98d8cb3a255641ca6a1bce854e5e2460c20de9fb9b28e3cc67eb459f122873dd
+ name: generate
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Outputting Generated /env-vars/env-file"
+ cat /env-vars/env-file
+
+ s2i build $(params.PATH_CONTEXT) image-registry.openshift-image-registry.svc:5000/openshift/golang:$(params.VERSION) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
+
+ echo "Outputting Generated /gen-source/Dockerfile.gen file"
+ cat /gen-source/Dockerfile.gen
+ volumeMounts:
+ - mountPath: /gen-source
+ name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
+ workingDir: $(workspaces.source.path)
+ - image: $(params.BUILDER_IMAGE)
+ name: build-and-push
+ script: |
+ find . -type f -ls
+
+ buildah --log-level=info bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) \
+ --layers -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
+
+ [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
+ [[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
+ buildah push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) \
+ --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \
+ docker://$(params.IMAGE)
+
+ cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ - mountPath: /gen-source
+ name: gen-source
+ workingDir: /gen-source
+ volumes:
+ - name: varlibcontainers
+ - name: gen-source
+ - name: env-vars
+ workspaces:
+ - mountPath: /workspace/source
+ name: source
+ - description: An optional workspace that allows providing a .docker/config.json
+ file for Buildah to access the container registry. The file should be placed
+ at the root of the Workspace with name config.json.
+ name: dockerconfig
+ optional: true
diff --git a/triggerbinding/gitea-webhook-binding.yaml b/triggerbinding/gitea-webhook-binding.yaml
new file mode 100644
index 0000000..113fe78
--- /dev/null
+++ b/triggerbinding/gitea-webhook-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+ name: gitea-binding
+spec:
+ params:
+ - name: gitrepositoryurl
+ value: $(body.repository.clone_url)
+ - name: gitcommitsha
+ value: $(body.pull_request.head.sha)
+ - name: gitfullreponame
+ value: $(body.pull_request.base.repo.full_name)
+ - name: gitbranch
+ value: $(body.pull_request.head.ref)
+ - name: gitreponame
+ value: $(body.pull_request.base.repo.name)
+ - name: gitprindex
+ value: $(body.pull_request.number)
diff --git a/triggertemplate/conversionengine-template.yaml b/triggertemplate/conversionengine-template.yaml
new file mode 100644
index 0000000..3704980
--- /dev/null
+++ b/triggertemplate/conversionengine-template.yaml
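Review bot: The generate step of tasks/s2i-go-debug.yaml prints every ENV_VARS entry to the TaskRun log with `cat /env-vars/env-file` and then prints the generated Dockerfile, which presumably carries the same values. Build-time variables are a common place for tokens and proxy credentials, and step logs are readable by anyone with log access in the namespace and are often forwarded to central logging. If the output is a debugging aid, as the task name suggests, print only the variable names, e.g. `cut -d= -f1 /env-vars/env-file`, and drop `find . -type f -ls` from build-and-push before the task is used for regular builds. The `SETFCAP` capability added to build-and-push would also benefit from a one-line comment saying why buildah needs it here.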
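Review bot: In triggerbinding/gitea-webhook-binding.yaml `gitrepositoryurl` comes from `body.repository.clone_url` while `gitbranch` and `gitcommitsha` come from `body.pull_request.head`, so the URL and the ref can describe different repositories. For a pull request opened from a fork the head branch and SHA live in the fork, and the clone of the base repository would not find them. If only same-repo pull requests are meant to build, state that in a comment above the param and enforce it in the listener's CEL filter, for example `body.pull_request.head.repo.full_name == body.pull_request.base.repo.full_name` (field names inferred from the ones this binding already uses; confirm against a captured payload). The binding also has no `metadata.namespace`, unlike the tasks and templates in this patch.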
@@ -0,0 +1,88 @@ +apiVersion: triggers.tekton.dev/v1beta1 +kind: TriggerTemplate +metadata: + name: conversionengine-template + namespace: goghvideo-cicd-pipeline +spec: + params: + - name: gitrepositoryurl + description: The git repository url + - name: gitfullreponame + description: The org and repo name + - name: gitreponame + description: The name of the repo + - name: gitbranch + description: Branch to act on + - name: gitcommitsha + description: The SHA head + - name: gitprindex + description: The pull request reference + resourcetemplates: + - apiVersion: tekton.dev/v1beta1 + kind: PipelineRun + metadata: + generateName: goghvideo-conversionengine- + spec: + pipelineRef: + name: ce-buildtest + serviceAccountName: pipeline + params: + - name: git-repo-url + value: $(tt.params.gitrepositoryurl) + - name: git-repo-full-name + value: $(tt.params.gitfullreponame) + - name: git-branch + value: $(tt.params.gitbranch) + - name: git-commit-sha + value: $(tt.params.gitcommitsha) + - name: git-pr-index + value: $(tt.params.gitprindex) + - name: verbose + value: true + - name: lint-package + value: git.endofday.com/goghvideo/conversion-engine + - name: lint-context + value: $(tt.params.gitreponame)/src + - name: image + value: quay01.ipa.endofday.com/goghvideo/conversion-engine + - name: s2i-builder-image + value: quay01.ipa.endofday.com/goghvideo/golang-s2i-buildah:v1 + - name: git-token-secret-name + value: git-http-credentials + - name: git-token-secret-key + value: password + - name: git-merge-type + value: squash + - name: git-merge-delete-branch + value: True + - name: git-helm-url + value: git@git-ssh.ipa.endofday.com:goghvideo/helm.git + workspaces: + - name: source + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: nfs-client + - name: gitauth + secret: + secretName: git-http-credentials + - name: gitsshauth + secret: + secretName: git-credentials + - name: dockerconfig + secret: + 
secretName: goghvideo-registry-pusher + - name: helm + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: nfs-client + diff --git a/triggertemplate/upload-to-nextcloud.yaml b/triggertemplate/upload-to-nextcloud.yaml new file mode 100644 index 0000000..e8a92f8 --- /dev/null +++ b/triggertemplate/upload-to-nextcloud.yaml 
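Review bot: Every PipelineRun created by triggertemplate/conversionengine-template.yaml binds `git-http-credentials`, `git-credentials` and `goghvideo-registry-pusher` as workspaces, and the run is started by a pull-request webhook and builds that PR's head commit (`git-commit-sha`). Whether the tasks that execute repository content (lint, s2i build) can read those workspaces depends on the pipeline, which is outside this hunk, but each secret workspace should be mapped only to the task that needs it so that unmerged code does not run next to push and merge credentials. The same applies to triggertemplate/upload-to-nextcloud.yaml, which matches this file apart from names and uses `serviceAccountName: build-bot` where this one uses `pipeline`; a comment explaining that difference would help. Minor: `value: true` for `verbose` and `value: True` for `git-merge-delete-branch` are YAML booleans handed to string params; write `value: "true"` in both files so the consumer sees one spelling.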
@@ -0,0 +1,88 @@ +apiVersion: triggers.tekton.dev/v1beta1 +kind: TriggerTemplate +metadata: + name: upload2nc-template + namespace: goghvideo-cicd-pipeline +spec: + params: + - name: gitrepositoryurl + description: The git repository url + - name: gitfullreponame + description: The org and repo name + - name: gitreponame + description: The name of the repo + - name: gitbranch + description: Branch to act on + - name: gitcommitsha + description: The SHA head + - name: gitprindex + description: The pull request reference + resourcetemplates: + - apiVersion: tekton.dev/v1beta1 + kind: PipelineRun + metadata: + generateName: goghvideo-upload2nc- + spec: + pipelineRef: + name: upload-to-nextcloud + serviceAccountName: build-bot + params: + - name: git-repo-url + value: $(tt.params.gitrepositoryurl) + - name: git-repo-full-name + value: $(tt.params.gitfullreponame) + - name: git-branch + value: $(tt.params.gitbranch) + - name: git-commit-sha + value: $(tt.params.gitcommitsha) + - name: git-pr-index + value: $(tt.params.gitprindex) + - name: verbose + value: true + - name: lint-package + value: git.endofday.com/goghvideo/upload-to-nextcloud + - name: lint-context + value: $(tt.params.gitreponame)/src + - name: image + value: quay01.ipa.endofday.com/goghvideo/upload-to-nextcloud + - name: s2i-builder-image + value: quay01.ipa.endofday.com/goghvideo/golang-s2i-buildah:v1 + - name: git-token-secret-name + value: git-http-credentials + - name: git-token-secret-key + value: password + - name: git-merge-type + value: squash + - name: git-merge-delete-branch + value: True + - name: git-helm-url + value: git@git-ssh.ipa.endofday.com:goghvideo/helm.git + workspaces: + - name: source + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: nfs-client + - name: gitauth + secret: + secretName: git-http-credentials + - name: gitsshauth + secret: + secretName: git-credentials + - name: dockerconfig + secret: + 
secretName: goghvideo-registry-pusher + - name: helm + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: nfs-client +