diff --git a/bootc/Containerfile b/bootc/Containerfile index 5368683..1e0f9d1 100644 --- a/bootc/Containerfile +++ b/bootc/Containerfile @@ -10,7 +10,7 @@ RUN <&2 +} + +_log "✅ Update script started." + +# --- Function to run mosquitto ---- +function get_mqtt_message () { + _log "ℹ️ Mosquitto command: mosquitto_sub $mosquitto_opts $MOSQUITTO_OPTS -L "$MQTT_URL" -C 1" + local return_code=0 + mosquitto_sub $mosquitto_opts $MOSQUITTO_OPTS -L "$MQTT_URL" -C 1 || return_code=$? + _log "ℹ️ Mosquitto command returned with code: $return_code" + if [[ $? -ne 27 ]] && [[ $? -ne 0 ]]; then # 27 is the exit code for a timeout, which we can ignore + _log "❗️ Error: Mosquitto connection failed. Please check the MQTT URL and network connectivity." + return $? + fi +} + +# 1. Get the current image and digest +_log "🔍 Checking the current image..." +CURRENT_IMAGE_REF=$(bootc status --format json | jq -r '.spec.image.image') + +# Extracts the digest and the base image (e.g., registry/path/image) +# Handles the case where the image is tagged by digest (with '@') +if [[ "$CURRENT_IMAGE_REF" == *"@sha256:"* ]]; then + CURRENT_IMAGE_BASE=$(echo "$CURRENT_IMAGE_REF" | cut -d'@' -f1) + CURRENT_DIGEST=$(echo "$CURRENT_IMAGE_REF" | cut -d'@' -f2) + _log "ℹ️ Current image: $CURRENT_IMAGE_BASE" + _log "ℹ️ Current digest : $CURRENT_DIGEST" +elif [[ "$CURRENT_IMAGE_REF" == *":"* ]]; then + # If the image is tagged by a tag (e.g., :latest), we cannot compare the digest. + # The script will continue but will trigger an update on the first digest received. + CURRENT_IMAGE_BASE=$(echo "$CURRENT_IMAGE_REF" | cut -d':' -f1) + CURRENT_DIGEST="" + _log "⚠️ The current image ($CURRENT_IMAGE_REF) is using a tag. Any new digest notification will trigger an update." +else + CURRENT_IMAGE_BASE="$CURRENT_IMAGE_REF" + CURRENT_DIGEST="" + _log "⚠️ The current image ($CURRENT_IMAGE_REF) has neither digest nor tag. Any new digest notification will trigger an update." +fi + +# --- Main Loop --- +mosquitto_opts="-W 10 --retained-only" +stale="1" +_log "♻️ Processing stale update triggers..." +while true; do + # 2. Wait for an MQTT message containing the new digest + _log "📡 Waiting for a message..." + # The `-C 1` flag makes mosquitto_sub exit after receiving one message. + NEW_DIGEST=$(get_mqtt_message) + + if [[ -z "$NEW_DIGEST" ]]; then + _log "⚠️ No message received from the MQTT broker. Delaying for 10 seconds before retrying..." + sleep 10 # Short pause before retrying + else + _log "📩 New digest received: $NEW_DIGEST" + + # 3. Compare the digests and act accordingly + if [[ "$NEW_DIGEST" != "$CURRENT_DIGEST" ]]; then + _log "✨ New digest detected! Starting the update process." + + # Build the new full image reference + NEW_IMAGE_REF="${CURRENT_IMAGE_BASE}@${NEW_DIGEST}" + _log "ℹ️ New target image: $NEW_IMAGE_REF" + + # Running update commands + _log "🚀 Executing 'bootc switch'..." + bootc switch "$NEW_IMAGE_REF" + + _log "🔄 Rebooting the system to apply the update..." + reboot + + # The script stops here due to the reboot + exit 0 + else + _log "👍 The received digest is identical to the current one. No action required." + _log "😴 Returning to listening mode..." + fi + fi + + # Up frow now, process only fresh messages + if [[ "$stale" -eq "1" ]]; then + _log "✨ Processing fresh update triggers only from now on." + mosquitto_opts="-R" + stale="0" + fi +done diff --git a/tekton/README.md b/tekton/README.md index d6b9897..729dfee 100644 --- a/tekton/README.md +++ b/tekton/README.md @@ -3,7 +3,7 @@ ## Tekton configuration ```sh -oc patch configmap/feature-flags -n openshift-pipelines --type=merge -p '{"data":{"disable-affinity-assistant":"true"}}' +oc patch tektonconfig/config -n openshift-pipelines --type=merge -p '{"spec":{"pipeline":{"coschedule":"disabled","disable-affinity-assistant":true}}}' ``` ## Pipeline manifests @@ -57,7 +57,7 @@ oc create secret generic github-authentication --from-literal=.git-credentials=h Set the tekton password in the mosquitto passwd file (**common/mosquitto.conf**) and then: ```sh -oc create secret generic mqtt-config --from-literal=OTA_MQTT_URL=mqtts://tekton:secret@mosquitto-build-multiarch.apps.nmasse-q2-2025.sandbox1038.opentlc.com:443/bootc/updates +oc create secret generic mqtt-config --from-literal=OTA_MQTT_URL=mqtt://tekton:secret@mosquitto/bootc/updates ``` ## Rclone config for AWS S3 diff --git a/tekton/common/kustomization.yaml b/tekton/common/kustomization.yaml index 92a08e2..7157e5a 100644 --- a/tekton/common/kustomization.yaml +++ b/tekton/common/kustomization.yaml @@ -3,7 +3,7 @@ resources: - mosquitto.yaml - task-ota-update.yaml - task-buildah.yaml -- task-git-clone.yaml +- task-git.yaml - task-rclone.yaml - daemonset-qemu.yaml - storage.yaml diff --git a/tekton/common/task-buildah.yaml b/tekton/common/task-buildah.yaml index 1475902..68f33a5 100644 --- a/tekton/common/task-buildah.yaml +++ b/tekton/common/task-buildah.yaml @@ -33,6 +33,10 @@ spec: description: RW storage to cache build artefacts mountPath: /caches optional: true + - name: rpms + description: Local RPM Repository + mountPath: /rpms + optional: true - name: entitlements description: RW storage for RHEL entitlements mountPath: /entitlements diff --git a/tekton/common/task-git-clone.yaml b/tekton/common/task-git-clone.yaml deleted file mode 100644 index 8b81e2d..0000000 --- a/tekton/common/task-git-clone.yaml +++ /dev/null @@ -1,242 +0,0 @@ -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: git-clone - labels: - app.kubernetes.io/version: "0.9" - annotations: - tekton.dev/pipelines.minVersion: "0.38.0" - tekton.dev/categories: Git - tekton.dev/tags: git - tekton.dev/displayName: "git clone" - tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" -spec: - description: >- - These Tasks are Git tasks to work with repositories used by other tasks - in your Pipeline. - - The git-clone Task will clone a repo from the provided url into the - output Workspace. By default the repo will be cloned into the root of - your Workspace. You can clone into a subdirectory by setting this Task's - subdirectory param. This Task also supports sparse checkouts. To perform - a sparse checkout, pass a list of comma separated directory patterns to - this Task's sparseCheckoutDirectories param. - workspaces: - - name: output - description: The git repo will be cloned onto the volume backing this Workspace. - - name: ssh-directory - optional: true - description: | - A .ssh directory with private key, known_hosts, config, etc. Copied to - the user's home before git commands are executed. Used to authenticate - with the git remote when performing the clone. Binding a Secret to this - Workspace is strongly recommended over other volume types. - - name: basic-auth - optional: true - description: | - A Workspace containing a .gitconfig and .git-credentials file. These - will be copied to the user's home before any git commands are run. Any - other files in this Workspace are ignored. It is strongly recommended - to use ssh-directory over basic-auth whenever possible and to bind a - Secret to this Workspace over other volume types. - - name: ssl-ca-directory - optional: true - description: | - A workspace containing CA certificates, this will be used by Git to - verify the peer with when fetching or pushing over HTTPS. - params: - - name: url - description: Repository URL to clone from. - type: string - - name: revision - description: Revision to checkout. (branch, tag, sha, ref, etc...) - type: string - default: "" - - name: refspec - description: Refspec to fetch before checking out revision. - default: "" - - name: submodules - description: Initialize and fetch git submodules. - type: string - default: "true" - - name: depth - description: Perform a shallow clone, fetching only the most recent N commits. - type: string - default: "1" - - name: sslVerify - description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. - type: string - default: "true" - - name: crtFileName - description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt. - type: string - default: "ca-bundle.crt" - - name: subdirectory - description: Subdirectory inside the `output` Workspace to clone the repo into. - type: string - default: "" - - name: sparseCheckoutDirectories - description: Define the directory patterns to match or exclude when performing a sparse checkout. - type: string - default: "" - - name: deleteExisting - description: Clean out the contents of the destination directory if it already exists before cloning. - type: string - default: "true" - - name: httpProxy - description: HTTP proxy server for non-SSL requests. - type: string - default: "" - - name: httpsProxy - description: HTTPS proxy server for SSL requests. - type: string - default: "" - - name: noProxy - description: Opt out of proxying HTTP/HTTPS requests. - type: string - default: "" - - name: verbose - description: Log the commands that are executed during `git-clone`'s operation. - type: string - default: "true" - - name: gitInitImage - description: The image providing the git-init binary that this Task runs. - type: string - default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2" - - name: userHome - description: | - Absolute path to the user's home directory. - type: string - default: "/home/git" - results: - - name: commit - description: The precise commit SHA that was fetched by this Task. - - name: url - description: The precise URL that was fetched by this Task. - - name: committer-date - description: The epoch timestamp of the commit that was fetched by this Task. - steps: - - name: clone - image: "$(params.gitInitImage)" - env: - - name: HOME - value: "$(params.userHome)" - - name: PARAM_URL - value: $(params.url) - - name: PARAM_REVISION - value: $(params.revision) - - name: PARAM_REFSPEC - value: $(params.refspec) - - name: PARAM_SUBMODULES - value: $(params.submodules) - - name: PARAM_DEPTH - value: $(params.depth) - - name: PARAM_SSL_VERIFY - value: $(params.sslVerify) - - name: PARAM_CRT_FILENAME - value: $(params.crtFileName) - - name: PARAM_SUBDIRECTORY - value: $(params.subdirectory) - - name: PARAM_DELETE_EXISTING - value: $(params.deleteExisting) - - name: PARAM_HTTP_PROXY - value: $(params.httpProxy) - - name: PARAM_HTTPS_PROXY - value: $(params.httpsProxy) - - name: PARAM_NO_PROXY - value: $(params.noProxy) - - name: PARAM_VERBOSE - value: $(params.verbose) - - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES - value: $(params.sparseCheckoutDirectories) - - name: PARAM_USER_HOME - value: $(params.userHome) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) - - name: WORKSPACE_SSH_DIRECTORY_BOUND - value: $(workspaces.ssh-directory.bound) - - name: WORKSPACE_SSH_DIRECTORY_PATH - value: $(workspaces.ssh-directory.path) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND - value: $(workspaces.basic-auth.bound) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH - value: $(workspaces.basic-auth.path) - - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND - value: $(workspaces.ssl-ca-directory.bound) - - name: WORKSPACE_SSL_CA_DIRECTORY_PATH - value: $(workspaces.ssl-ca-directory.path) - securityContext: - runAsNonRoot: false - runAsUser: 0 - script: | - #!/usr/bin/env sh - set -eu - - if [ "${PARAM_VERBOSE}" = "true" ] ; then - set -x - fi - - if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then - cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" - cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" - chmod 400 "${PARAM_USER_HOME}/.git-credentials" - chmod 400 "${PARAM_USER_HOME}/.gitconfig" - fi - - if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then - cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh - chmod 700 "${PARAM_USER_HOME}"/.ssh - chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* - fi - - if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then - export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" - if [ "${PARAM_CRT_FILENAME}" != "" ] ; then - export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" - fi - fi - CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" - # or the root of a mounted volume. - if [ -d "${CHECKOUT_DIR}" ] ; then - # Delete non-hidden files and directories - rm -rf "${CHECKOUT_DIR:?}"/* - # Delete files and directories starting with . but excluding .. - rm -rf "${CHECKOUT_DIR}"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "${CHECKOUT_DIR}"/..?* - fi - } - - if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then - cleandir || true - fi - - test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" - test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" - test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" - - git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" - /ko-app/git-init \ - -url="${PARAM_URL}" \ - -revision="${PARAM_REVISION}" \ - -refspec="${PARAM_REFSPEC}" \ - -path="${CHECKOUT_DIR}" \ - -sslVerify="${PARAM_SSL_VERIFY}" \ - -submodules="${PARAM_SUBMODULES}" \ - -depth="${PARAM_DEPTH}" \ - -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" - cd "${CHECKOUT_DIR}" - RESULT_SHA="$(git rev-parse HEAD)" - EXIT_CODE="$?" - if [ "${EXIT_CODE}" != 0 ] ; then - exit "${EXIT_CODE}" - fi - RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" - printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" - printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" - printf "%s" "${PARAM_URL}" > "$(results.url.path)" diff --git a/tekton/common/task-git.yaml b/tekton/common/task-git.yaml new file mode 100644 index 0000000..ca440e6 --- /dev/null +++ b/tekton/common/task-git.yaml @@ -0,0 +1,251 @@ +--- +# Source: task-git/templates/task.yaml +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git + labels: + app.kubernetes.io/version: 0.2.0 + annotations: + tekton.dev/source: "https://github.com/openshift-pipelines/task-git" + tekton.dev/categories: Git + tekton.dev/displayName: git + tekton.dev/pipelines.minVersion: 0.41.0 + tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 + tekton.dev/tags: git +spec: + description: | + This Task represents Git and is able to initialize and clone a remote repository on the informed Workspace. It's likely to become the first `step` on a Pipeline. + + workspaces: + - name: output + description: | + The Git repository directory, data will be placed on the root of the + Workspace, or on the relative path defined by the SUBDIRECTORY + parameter. + - name: ssh-directory + optional: true + description: | + A `.ssh` directory with private key, `known_hosts`, `config`, etc. + Copied to the Git user's home before cloning the repository, in order to + server as authentication mechanismBinding a Secret to this Workspace is + strongly recommended over other volume types. + - name: basic-auth + optional: true + description: | + A Workspace containing a `.gitconfig` and `.git-credentials` files. + These will be copied to the user's home before Git commands run. All + other files in this Workspace are ignored. It is strongly recommended to + use `ssh-directory` over `basic-auth` whenever possible, and to bind a + Secret to this Workspace over other volume types. + - name: ssl-ca-directory + optional: true + description: | + A Workspace containing CA certificates, this will be used by Git to + verify the peer with when interacting with remote repositories using + HTTPS. + + params: + - name: URL + type: string + description: | + Git repository URL. + - name: REVISION + type: string + default: main + description: | + Revision to checkout, an branch, tag, sha, ref, etc... + - name: REFSPEC + default: "" + description: | + Repository `refspec` to fetch before checking out the revision. + - name: SUBMODULES + type: string + default: "true" + description: | + Initialize and fetch Git submodules. + - name: DEPTH + type: string + default: "1" + description: | + Number of commits to fetch, a "shallow clone" is a single commit. + - name: SSL_VERIFY + type: string + default: "true" + description: | + Sets the global `http.sslVerify` value, `false` is not advised unless + you trust the remote repository. + - name: CRT_FILENAME + type: string + default: ca-bundle.crt + description: | + Certificate Authority (CA) bundle filename on the `ssl-ca-directory` + Workspace. + - name: SUBDIRECTORY + type: string + default: "" + description: | + Relative path to the `output` Workspace where the repository will be + cloned. + - name: SPARSE_CHECKOUT_DIRECTORIES + type: string + default: "" + description: | + List of directory patterns split by comma to perform "sparse checkout". + - name: DELETE_EXISTING + type: string + default: "true" + description: | + Clean out the contents of the `output` Workspace before cloning the + repository, if data exists. + - name: HTTP_PROXY + type: string + default: "" + description: | + HTTP proxy server (non-TLS requests). + - name: HTTPS_PROXY + type: string + default: "" + description: | + HTTPS proxy server (TLS requests). + - name: NO_PROXY + type: string + default: "" + description: | + Opt out of proxying HTTP/HTTPS requests. + - name: VERBOSE + type: string + default: "false" + description: | + Log the commands executed. + - name: USER_HOME + type: string + default: "/home/git" + description: | + Absolute path to the Git user home directory. + + results: + - name: COMMIT + description: | + The precise commit SHA digest cloned. + - name: URL + description: | + The precise repository URL. + - name: COMMITTER_DATE + description: | + The epoch timestamp of the commit cloned. + + volumes: + - name: user-home + emptyDir: {} + - name: scripts-dir + emptyDir: {} + + stepTemplate: + env: + + - name: PARAMS_URL + value: "$(params.URL)" + - name: PARAMS_REVISION + value: "$(params.REVISION)" + - name: PARAMS_REFSPEC + value: "$(params.REFSPEC)" + - name: PARAMS_SUBMODULES + value: "$(params.SUBMODULES)" + - name: PARAMS_DEPTH + value: "$(params.DEPTH)" + - name: PARAMS_SSL_VERIFY + value: "$(params.SSL_VERIFY)" + - name: PARAMS_CRT_FILENAME + value: "$(params.CRT_FILENAME)" + - name: PARAMS_SUBDIRECTORY + value: "$(params.SUBDIRECTORY)" + - name: PARAMS_SPARSE_CHECKOUT_DIRECTORIES + value: "$(params.SPARSE_CHECKOUT_DIRECTORIES)" + - name: PARAMS_DELETE_EXISTING + value: "$(params.DELETE_EXISTING)" + - name: PARAMS_HTTP_PROXY + value: "$(params.HTTP_PROXY)" + - name: PARAMS_HTTPS_PROXY + value: "$(params.HTTPS_PROXY)" + - name: PARAMS_NO_PROXY + value: "$(params.NO_PROXY)" + - name: PARAMS_VERBOSE + value: "$(params.VERBOSE)" + - name: PARAMS_USER_HOME + value: "$(params.USER_HOME)" + - name: WORKSPACES_OUTPUT_PATH + value: "$(workspaces.output.path)" + - name: WORKSPACES_SSH_DIRECTORY_BOUND + value: "$(workspaces.ssh-directory.bound)" + - name: WORKSPACES_SSH_DIRECTORY_PATH + value: "$(workspaces.ssh-directory.path)" + - name: WORKSPACES_BASIC_AUTH_BOUND + value: "$(workspaces.basic-auth.bound)" + - name: WORKSPACES_BASIC_AUTH_PATH + value: "$(workspaces.basic-auth.path)" + - name: WORKSPACES_SSL_CA_DIRECTORY_BOUND + value: "$(workspaces.ssl-ca-directory.bound)" + - name: WORKSPACES_SSL_CA_DIRECTORY_PATH + value: "$(workspaces.ssl-ca-directory.path)" + - name: RESULTS_COMMITTER_DATE_PATH + value: "$(results.COMMITTER_DATE.path)" + - name: RESULTS_COMMIT_PATH + value: "$(results.COMMIT.path)" + - name: RESULTS_URL_PATH + value: "$(results.URL.path)" + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + runAsNonRoot: true + runAsUser: 65532 + + steps: + - name: load-scripts + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + workingDir: /scripts + script: | + printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKCmV4cG9ydCBQQVJBTVNfVVJMPSIke1BBUkFNU19VUkw6LX0iCmV4cG9ydCBQQVJBTVNfUkVWSVNJT049IiR7UEFSQU1TX1JFVklTSU9OOi19IgpleHBvcnQgUEFSQU1TX1JFRlNQRUM9IiR7UEFSQU1TX1JFRlNQRUM6LX0iCmV4cG9ydCBQQVJBTVNfU1VCTU9EVUxFUz0iJHtQQVJBTVNfU1VCTU9EVUxFUzotfSIKZXhwb3J0IFBBUkFNU19ERVBUSD0iJHtQQVJBTVNfREVQVEg6LX0iCmV4cG9ydCBQQVJBTVNfU1NMX1ZFUklGWT0iJHtQQVJBTVNfU1NMX1ZFUklGWTotfSIKZXhwb3J0IFBBUkFNU19DUlRfRklMRU5BTUU9IiR7UEFSQU1TX0NSVF9GSUxFTkFNRTotfSIKZXhwb3J0IFBBUkFNU19TVUJESVJFQ1RPUlk9IiR7UEFSQU1TX1NVQkRJUkVDVE9SWTotfSIKZXhwb3J0IFBBUkFNU19TUEFSU0VfQ0hFQ0tPVVRfRElSRUNUT1JJRVM9IiR7UEFSQU1TX1NQQVJTRV9DSEVDS09VVF9ESVJFQ1RPUklFUzotfSIKZXhwb3J0IFBBUkFNU19ERUxFVEVfRVhJU1RJTkc9IiR7UEFSQU1TX0RFTEVURV9FWElTVElORzotfSIKZXhwb3J0IFBBUkFNU19IVFRQX1BST1hZPSIke1BBUkFNU19IVFRQX1BST1hZOi19IgpleHBvcnQgUEFSQU1TX0hUVFBTX1BST1hZPSIke1BBUkFNU19IVFRQU19QUk9YWTotfSIKZXhwb3J0IFBBUkFNU19OT19QUk9YWT0iJHtQQVJBTVNfTk9fUFJPWFk6LX0iCmV4cG9ydCBQQVJBTVNfVkVSQk9TRT0iJHtQQVJBTVNfVkVSQk9TRTotfSIKZXhwb3J0IFBBUkFNU19VU0VSX0hPTUU9IiR7UEFSQU1TX1VTRVJfSE9NRTotfSIKCmV4cG9ydCBXT1JLU1BBQ0VTX09VVFBVVF9QQVRIPSIke1dPUktTUEFDRVNfT1VUUFVUX1BBVEg6LX0iCmV4cG9ydCBXT1JLU1BBQ0VTX1NTSF9ESVJFQ1RPUllfQk9VTkQ9IiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX0JPVU5EOi19IgpleHBvcnQgV09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEg9IiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEg6LX0iCmV4cG9ydCBXT1JLU1BBQ0VTX0JBU0lDX0FVVEhfQk9VTkQ9IiR7V09SS1NQQUNFU19CQVNJQ19BVVRIX0JPVU5EOi19IgpleHBvcnQgV09SS1NQQUNFU19CQVNJQ19BVVRIX1BBVEg9IiR7V09SS1NQQUNFU19CQVNJQ19BVVRIX1BBVEg6LX0iCmV4cG9ydCBXT1JLU1BBQ0VTX1NTTF9DQV9ESVJFQ1RPUllfQk9VTkQ9IiR7V09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX0JPVU5EOi19IgpleHBvcnQgV09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX1BBVEg9IiR7V09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX1BBVEg6LX0iCgpleHBvcnQgUkVTVUxUU19DT01NSVRURVJfREFURV9QQVRIPSIke1JFU1VMVFNfQ09NTUlUVEVSX0RBVEVfUEFUSDotfSIKZXhwb3J0IFJFU1VMVFNfQ09NTUlUX1BBVEg9IiR7UkVTVUxUU19DT01NSVRfUEFUSDotfSIKZXhwb3J0IFJFU1VMVFNfVVJMX1BBVEg9IiR7UkVTVUxUU19VUkxfUEFUSDotfSIKCiMgZnVsbCBwYXRoIHRvIHRoZSBjaGVja291dCBkaXJlY3RvcnksIHVzaW5nIHRoZSBvdXRwdXQgd29ya3NwYWNlIGFuZCBzdWJkaXJlY3RvciBwYXJhbWV0ZXIKZXhwb3J0IGNoZWNrb3V0X2Rpcj0iJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfS8ke1BBUkFNU19TVUJESVJFQ1RPUll9IgoKIwojIEZ1bmN0aW9ucwojCgpmYWlsKCkgewogICAgZWNobyAiRVJST1I6ICR7QH0iIDE+JjIKICAgIGV4aXQgMQp9CgpwaGFzZSgpIHsKICAgIGVjaG8gIi0tLT4gUGhhc2U6ICR7QH0uLi4iCn0KCiMgSW5zcGVjdCB0aGUgZW52aXJvbm1lbnQgdmFyaWFibGVzIHRvIGFzc2VydCB0aGUgbWluaW11bSBjb25maWd1cmF0aW9uIGlzIGluZm9ybWVkLgphc3NlcnRfcmVxdWlyZWRfY29uZmlndXJhdGlvbl9vcl9mYWlsKCkgewogICAgW1sgLXogIiR7UEFSQU1TX1VSTH0iIF1dICYmCiAgICAgICAgZmFpbCAiUGFyYW1ldGVyIFVSTCBpcyBub3Qgc2V0ISIKCiAgICBbWyAteiAiJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfSIgXV0gJiYKICAgICAgICBmYWlsICJPdXRwdXQgV29ya3NwYWNlIGlzIG5vdCBzZXQhIgoKICAgIFtbICEgLWQgIiR7V09SS1NQQUNFU19PVVRQVVRfUEFUSH0iIF1dICYmCiAgICAgICAgZmFpbCAiT3V0cHV0IFdvcmtzcGFjZSBkaXJlY3RvcnkgJyR7V09SS1NQQUNFU19PVVRQVVRfUEFUSH0nIG5vdCBmb3VuZCEiCgogICAgcmV0dXJuIDAKfQoKIyBDb3B5IHRoZSBmaWxlIGludG8gdGhlIGRlc3RpbmF0aW9uLCBjaGVja2luZyBpZiB0aGUgc291cmNlIGV4aXN0cy4KY29weV9vcl9mYWlsKCkgewogICAgbG9jYWwgX21vZGU9IiR7MX0iCiAgICBsb2NhbCBfc3JjPSIkezJ9IgogICAgbG9jYWwgX2RzdD0iJHszfSIKCiAgICBpZiBbWyAhIC1mICIke19zcmN9IiAmJiAhIC1kICIke19zcmN9IiBdXTsgdGhlbgogICAgICAgIGZhaWwgIlNvdXJjZSBmaWxlL2RpcmVjdG9yeSBpcyBub3QgZm91bmQgYXQgJyR7X3NyY30nIgogICAgZmkKCiAgICBpZiBbWyAtZCAiJHtfc3JjfSIgXV07IHRoZW4KICAgICAgICBjcCAtUnYgJHtfc3JjfSAke19kc3R9CiAgICAgICAgY2htb2QgLXYgJHtfbW9kZX0gJHtfZHN0fQogICAgZWxzZQogICAgICAgIGluc3RhbGwgLS12ZXJib3NlIC0tbW9kZT0ke19tb2RlfSAke19zcmN9ICR7X2RzdH0KICAgIGZpCn0KCiMgRGVsZXRlIGFueSBleGlzdGluZyBjb250ZW50cyBvZiB0aGUgcmVwbyBkaXJlY3RvcnkgaWYgaXQgZXhpc3RzLiBXZSBkb24ndCBqdXN0ICJybSAtcmYgPGRpcj4iCiMgYmVjYXVzZSBtaWdodCBiZSAiLyIgb3IgdGhlIHJvb3Qgb2YgYSBtb3VudGVkIHZvbHVtZS4KY2xlYW5fZGlyKCkgewogICAgbG9jYWwgX2Rpcj0iJHsxfSIKCiAgICBbWyAhIC1kICIke19kaXJ9IiBdXSAmJgogICAgICAgIHJldHVybiAwCgogICAgIyBEZWxldGUgbm9uLWhpZGRlbiBmaWxlcyBhbmQgZGlyZWN0b3JpZXMKICAgIHJtIC1yZnYgJHtfZGlyOj99LyoKICAgICMgRGVsZXRlIGZpbGVzIGFuZCBkaXJlY3RvcmllcyBzdGFydGluZyB3aXRoIC4gYnV0IGV4Y2x1ZGluZyAuLgogICAgcm0gLXJmdiAke19kaXJ9Ly5bIS5dKgogICAgIyBEZWxldGUgZmlsZXMgYW5kIGRpcmVjdG9yaWVzIHN0YXJ0aW5nIHdpdGggLi4gcGx1cyBhbnkgb3RoZXIgY2hhcmFjdGVyCiAgICBybSAtcmZ2ICR7X2Rpcn0vLi4/Kgp9CgojCiMgU2V0dGluZ3MKIwoKIyB3aGVuIHRoZSBrby1hcHAgZGlyZWN0b3J5IGlzIHByZXNlbnQsIG1ha2luZyBzdXJlIGl0J3MgcGFydCBvZiB0aGUgUEFUSApbWyAtZCAiL2tvLWFwcCIgXV0gJiYgZXhwb3J0IFBBVEg9IiR7UEFUSH06L2tvLWFwcCIKCiMgbWFraW5nIHRoZSBzaGVsbCB2ZXJib3NlIHdoZW4gdGhlIHBhcmFtdGVyIGlzIHNldApbWyAiJHtQQVJBTVNfVkVSQk9TRX0iID09ICJ0cnVlIiBdXSAmJiBzZXQgLXgKCnJldHVybiAw" |base64 -d >common.sh + chmod +x "common.sh" + printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIEV4cG9ydHMgcHJveHkgYW5kIGN1c3RvbSBTU0wgQ0EgY2VydGlmaWNhdHMgaW4gdGhlIGVudmlyb21lbnQgYW5kIHJ1bnMgdGhlIGdpdC1pbml0IHdpdGggZmxhZ3MKIyBiYXNlZCBvbiB0aGUgdGFzayBwYXJhbWV0ZXJzLgojCgpzZXQgLWV1Cgpzb3VyY2UgJChDRFBBVEg9IGNkIC0tICIkKGRpcm5hbWUgLS0gJHswfSkiICYmIHB3ZCkvY29tbW9uLnNoCgphc3NlcnRfcmVxdWlyZWRfY29uZmlndXJhdGlvbl9vcl9mYWlsCgojCiMgQ0EgKGBzc2wtY2EtZGlyZWN0b3J5YCBXb3Jrc3BhY2UpCiMKCmlmIFtbICIke1dPUktTUEFDRVNfU1NMX0NBX0RJUkVDVE9SWV9CT1VORH0iID09ICJ0cnVlIiAmJiAtbiAiJHtQQVJBTVNfQ1JUX0ZJTEVOQU1FfSIgXV07IHRoZW4KCXBoYXNlICJJbnNwZWN0aW5nICdzc2wtY2EtZGlyZWN0b3J5JyB3b3Jrc3BhY2UgbG9va2luZyBmb3IgJyR7UEFSQU1TX0NSVF9GSUxFTkFNRX0nIGZpbGUiCgljcnQ9IiR7V09SS1NQQUNFU19TU0xfQ0FfRElSRUNUT1JZX1BBVEh9LyR7UEFSQU1TX0NSVF9GSUxFTkFNRX0iCglbWyAhIC1mICIke2NydH0iIF1dICYmCgkJZmFpbCAiQ1JUIGZpbGUgKFBBUkFNU19DUlRfRklMRU5BTUUpIG5vdCBmb3VuZCBhdCAnJHtjcnR9JyIKCglwaGFzZSAiRXhwb3J0aW5nIGN1c3RvbSBDQSBjZXJ0aWZpY2F0ZSAnR0lUX1NTTF9DQUlORk89JHtjcnR9JyIKCWV4cG9ydCBHSVRfU1NMX0NBSU5GTz0ke2NydH0KZmkKCiMKIyBQcm94eSBTZXR0aW5ncwojCgpwaGFzZSAiU2V0dGluZyB1cCBIVFRQX1BST1hZPScke1BBUkFNU19IVFRQX1BST1hZfSciCltbIC1uICIke1BBUkFNU19IVFRQX1BST1hZfSIgXV0gJiYgZXhwb3J0IEhUVFBfUFJPWFk9IiR7UEFSQU1TX0hUVFBfUFJPWFl9IgoKcGhhc2UgIlNldHR0aW5nIHVwIEhUVFBTX1BST1hZPScke1BBUkFNU19IVFRQU19QUk9YWX0nIgpbWyAtbiAiJHtQQVJBTVNfSFRUUFNfUFJPWFl9IiBdXSAmJiBleHBvcnQgSFRUUFNfUFJPWFk9IiR7UEFSQU1TX0hUVFBTX1BST1hZfSIKCnBoYXNlICJTZXR0aW5nIHVwIE5PX1BST1hZPScke1BBUkFNU19OT19QUk9YWX0nIgpbWyAtbiAiJHtQQVJBTVNfTk9fUFJPWFl9IiBdXSAmJiBleHBvcnQgTk9fUFJPWFk9IiR7UEFSQU1TX05PX1BST1hZfSIKCiMKIyBHaXQgQ2xvbmUKIwoKcGhhc2UgIlNldHRpbmcgb3V0cHV0IHdvcmtzcGFjZSBhcyBzYWZlIGRpcmVjdG9yeSAoJyR7V09SS1NQQUNFU19PVVRQVVRfUEFUSH0nKSIKZ2l0IGNvbmZpZyAtLWdsb2JhbCAtLWFkZCBzYWZlLmRpcmVjdG9yeSAiJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfSIKCnBoYXNlICJDbG9uaW5nICcke1BBUkFNU19VUkx9JyBpbnRvICcke2NoZWNrb3V0X2Rpcn0nIgpzZXQgLXgKZXhlYyBnaXQtaW5pdCBcCgktdXJsPSIke1BBUkFNU19VUkx9IiBcCgktcmV2aXNpb249IiR7UEFSQU1TX1JFVklTSU9OfSIgXAoJLXJlZnNwZWM9IiR7UEFSQU1TX1JFRlNQRUN9IiBcCgktcGF0aD0iJHtjaGVja291dF9kaXJ9IiBcCgktc3NsVmVyaWZ5PSIke1BBUkFNU19TU0xfVkVSSUZZfSIgXAoJLXN1Ym1vZHVsZXM9IiR7UEFSQU1TX1NVQk1PRFVMRVN9IiBcCgktZGVwdGg9IiR7UEFSQU1TX0RFUFRIfSIgXAoJLXNwYXJzZUNoZWNrb3V0RGlyZWN0b3JpZXM9IiR7UEFSQU1TX1NQQVJTRV9DSEVDS09VVF9ESVJFQ1RPUklFU30iCg==" |base64 -d >git-clone.sh + chmod +x "git-clone.sh" + printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIFNldHMgdXAgdGhlIGJhc2ljIGFuZCBTU0ggYXV0aGVudGljYXRpb24gYmFzZWQgb24gaW5mb3JtZWQgd29ya3NwYWNlcywgYXMgd2VsbCBhcyBjbGVhbmluZyB1cCB0aGUKIyBwcmV2aW91cyBnaXQtY2xvbmUgc3RhbGUgZGF0YS4KIwoKc2V0IC1ldQoKc291cmNlICQoQ0RQQVRIPSBjZCAtLSAiJChkaXJuYW1lIC0tICR7MH0pIiAmJiBwd2QpL2NvbW1vbi5zaAoKYXNzZXJ0X3JlcXVpcmVkX2NvbmZpZ3VyYXRpb25fb3JfZmFpbAoKcGhhc2UgIlByZXBhcmluZyB0aGUgZmlsZXN5c3RlbSBiZWZvcmUgY2xvbmluZyB0aGUgcmVwb3NpdG9yeSIKCmlmIFtbICIke1dPUktTUEFDRVNfQkFTSUNfQVVUSF9CT1VORH0iID09ICJ0cnVlIiBdXTsgdGhlbgoJcGhhc2UgIkNvbmZpZ3VyaW5nIEdpdCBhdXRoZW50aWNhdGlvbiB3aXRoICdiYXNpYy1hdXRoJyBXb3Jrc3BhY2UgZmlsZXMiCgoJZm9yIGYgaW4gLmdpdC1jcmVkZW50aWFscyAuZ2l0Y29uZmlnOyBkbwoJCXNyYz0iJHtXT1JLU1BBQ0VTX0JBU0lDX0FVVEhfUEFUSH0vJHtmfSIKCQlwaGFzZSAiQ29weWluZyAnJHtzcmN9JyB0byAnJHtQQVJBTVNfVVNFUl9IT01FfSciCgkJY29weV9vcl9mYWlsIDQwMCAke3NyY30gIiR7UEFSQU1TX1VTRVJfSE9NRX0vIgoJZG9uZQpmaQoKaWYgW1sgIiR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX0JPVU5EfSIgPT0gInRydWUiIF1dOyB0aGVuCglwaGFzZSAiQ29weWluZyAnLnNzaCcgZnJvbSBzc2gtZGlyZWN0b3J5IHdvcmtzcGFjZSAoJyR7V09SS1NQQUNFU19TU0hfRElSRUNUT1JZX1BBVEh9JykiCgoJZG90X3NzaD0iJHtQQVJBTVNfVVNFUl9IT01FfS8uc3NoIgoJY29weV9vcl9mYWlsIDcwMCAke1dPUktTUEFDRVNfU1NIX0RJUkVDVE9SWV9QQVRIfSAke2RvdF9zc2h9CgljaG1vZCAtUnYgNDAwICR7ZG90X3NzaH0vKgpmaQoKaWYgW1sgIiR7UEFSQU1TX0RFTEVURV9FWElTVElOR30iID09ICJ0cnVlIiBdXTsgdGhlbgoJcGhhc2UgIkRlbGV0aW5nIGFsbCBjb250ZW50cyBvZiBjaGVja291dC1kaXIgJyR7Y2hlY2tvdXRfZGlyfSciCgljbGVhbl9kaXIgJHtjaGVja291dF9kaXJ9IHx8IHRydWUKZmkKCmV4aXQgMA==" |base64 -d >prepare.sh + chmod +x "prepare.sh" + printf '%s' "IyEvdXNyL2Jpbi9lbnYgc2gKIwojIFNjYW4gdGhlIGNsb25lZCByZXBvc2l0b3J5IGluIG9yZGVyIHRvIHJlcG9ydCBkZXRhaWxzIHdyaXR0aW5nIHRoZSByZXN1bHQgZmlsZXMuCiMKCnNldCAtZXUKCnNvdXJjZSAkKENEUEFUSD0gY2QgLS0gIiQoZGlybmFtZSAtLSAkezB9KSIgJiYgcHdkKS9jb21tb24uc2gKCmFzc2VydF9yZXF1aXJlZF9jb25maWd1cmF0aW9uX29yX2ZhaWwKCnBoYXNlICJDb2xsZWN0aW5nIGNsb25lZCByZXBvc2l0b3J5IGluZm9ybWF0aW9uICgnJHtjaGVja291dF9kaXJ9JykiCgpjZCAiJHtjaGVja291dF9kaXJ9IiB8fCBmYWlsICJOb3QgYWJsZSB0byBlbnRlciBjaGVja291dC1kaXIgJyR7Y2hlY2tvdXRfZGlyfSciCgpwaGFzZSAiU2V0dGluZyBvdXRwdXQgd29ya3NwYWNlIGFzIHNhZmUgZGlyZWN0b3J5ICgnJHtXT1JLU1BBQ0VTX09VVFBVVF9QQVRIfScpIgpnaXQgY29uZmlnIC0tZ2xvYmFsIC0tYWRkIHNhZmUuZGlyZWN0b3J5ICIke1dPUktTUEFDRVNfT1VUUFVUX1BBVEh9IgoKcmVzdWx0X3NoYT0iJChnaXQgcmV2LXBhcnNlIEhFQUQpIgpyZXN1bHRfY29tbWl0dGVyX2RhdGU9IiQoZ2l0IGxvZyAtMSAtLXByZXR0eT0lY3QpIgoKcGhhc2UgIlJlcG9ydGluZyBsYXN0IGNvbW1pdCBkYXRlICcke3Jlc3VsdF9jb21taXR0ZXJfZGF0ZX0nIgpwcmludGYgIiVzIiAiJHtyZXN1bHRfY29tbWl0dGVyX2RhdGV9IiA+JHtSRVNVTFRTX0NPTU1JVFRFUl9EQVRFX1BBVEh9CgpwaGFzZSAiUmVwb3J0aW5nIHBhcnNlZCByZXZpc2lvbiBTSEEgJyR7cmVzdWx0X3NoYX0nIgpwcmludGYgIiVzIiAiJHtyZXN1bHRfc2hhfSIgPiR7UkVTVUxUU19DT01NSVRfUEFUSH0KCnBoYXNlICJSZXBvcnRpbmcgcmVwb3NpdG9yeSBVUkwgJyR7UEFSQU1TX1VSTH0nIgpwcmludGYgIiVzIiAiJHtQQVJBTVNfVVJMfSIgPiR7UkVTVUxUU19VUkxfUEFUSH0KCmV4aXQgMA==" |base64 -d >report.sh + chmod +x "report.sh" + volumeMounts: + - name: scripts-dir + mountPath: /scripts + + - name: prepare + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + command: + - /scripts/prepare.sh + volumeMounts: + - name: scripts-dir + mountPath: /scripts + - name: user-home + mountPath: $(params.USER_HOME) + + - name: git-clone + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + command: + - /scripts/git-clone.sh + volumeMounts: + - name: scripts-dir + mountPath: /scripts + - name: user-home + mountPath: $(params.USER_HOME) + + - name: report + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:c4b2183f7c7997bd401d86b33eefb637b3ef2fa90618e875106292cd69a15c14 + command: + - /scripts/report.sh + volumeMounts: + - name: scripts-dir + mountPath: /scripts diff --git a/tekton/common/task-ota-update.yaml b/tekton/common/task-ota-update.yaml index 2d8c7a5..9be4017 100644 --- a/tekton/common/task-ota-update.yaml +++ b/tekton/common/task-ota-update.yaml @@ -18,7 +18,7 @@ spec: - name: OTA_VERSION value: "$(params.otaVersion)" script: | - #!/bin/bash - set -Eeuo pipefail - echo "Sending the OTA firmware udate notification for version $OTA_VERSION on $OTA_MQTT_TOPIC..." - mosquitto_pub -L "$OTA_MQTT_URL" -m "$OTA_VERSION" -d + #!/bin/sh + set -eu + echo "Sending the OTA firmware udate notification for version $OTA_VERSION..." + mosquitto_pub --retain -L "$OTA_MQTT_URL" -m "$OTA_VERSION" -d diff --git a/tekton/pipeline.yaml b/tekton/pipeline.yaml index 7c2ec3a..0bddab4 100644 --- a/tekton/pipeline.yaml +++ b/tekton/pipeline.yaml @@ -12,6 +12,8 @@ spec: optional: true - name: entitlements optional: true + - name: rpms + optional: true - name: git-auth optional: true - name: registries-conf @@ -44,11 +46,11 @@ spec: - name: clone-repo taskRef: kind: Task - name: git-clone + name: git params: - - name: url + - name: URL value: $(params.git-url) - - name: revision + - name: REVISION value: $(params.git-revision) workspaces: - name: output @@ -118,6 +120,8 @@ spec: workspace: caches - name: entitlements workspace: entitlements + - name: rpms + workspace: rpms - name: ota-update runAfter: ["buildah-bootc"] diff --git a/tekton/pipelinerun.yaml b/tekton/pipelinerun.yaml index 3af1cf6..ad45aaf 100644 --- a/tekton/pipelinerun.yaml +++ b/tekton/pipelinerun.yaml @@ -20,19 +20,19 @@ spec: value: app/model-s3.onnx - name: build-architectures value: - - aarch64 + - x86_64 # - name: pypi-mirror-url # value: http://... workspaces: - # - name: caches - # persistentVolumeClaim: - # claimName: bootc-caches - # - name: entitlements - # persistentVolumeClaim: - # claimName: bootc-entitlements - - name: rpms + - name: caches persistentVolumeClaim: - claimName: bootc-rpms + claimName: bootc-caches + - name: entitlements + persistentVolumeClaim: + claimName: bootc-entitlements + # - name: rpms + # persistentVolumeClaim: + # claimName: bootc-rpms - name: source-workspace volumeClaimTemplate: spec: @@ -56,3 +56,5 @@ spec: # name: registries-conf taskRunTemplate: serviceAccountName: buildbot + timeouts: + pipeline: 2h diff --git a/tekton/service-ca.crt b/tekton/service-ca.crt new file mode 100644 index 0000000..7ffee40 --- /dev/null +++ b/tekton/service-ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUTCCAjmgAwIBAgIIE+EuJO9o6cowDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE +Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc0OTY0OTE1NTAe +Fw0yNTA2MTExMzM5MTVaFw0yNzA4MTAxMzM5MTZaMDYxNDAyBgNVBAMMK29wZW5z +aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NDk2NDkxNTUwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN+0NjKb71dma5axn4Ziu7SiJ9OSioXNFb +dCmsxSgoqOKyNaYf/qyBXOAuERnmGGL9Bvtr3nleP26JYYdyY9R+X6wWfiQSmUQW +tu3CfOqY5tQTFWz9qTUCS58XXTlAXJydooVx0PxxK560jq69d8pVzU74wr2Wxw2Y +WKYoS7En5akpjLMRLxPobiV1IMZniICeBvDKjZ0iOPaInwYFno/jZRW87AY7MkKl +BfAIAz+aefuXyKBqvKQs7yntCck+IzkXSsH5eM4raqeuT7mF+RbIS90ks0t94nj3 +AzPZ822PUwYCiQYZ+mvFEVGF51YF0xkFjcHfK+9OqOT7M6nhV6KLAgMBAAGjYzBh +MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSLZRD2 +v1UJRCpj5ICYBf+70HEoQDAfBgNVHSMEGDAWgBSLZRD2v1UJRCpj5ICYBf+70HEo +QDANBgkqhkiG9w0BAQsFAAOCAQEAV9y3RpVRvWz0sLfpEGdKHAntUvpW6CTLmv47 +3tu2ah5Tn8udGncIpegm8l2suyOeOEv+wZyOXZRUJtZja2zRLlAIyxJYheaa3kgD +WspQvDN9iApeS6Q6ZEqEy3p8Zh4XA+rT3PRrg1ej5Kk3ofjNIA0mUBt4uuy77ovM +vmqaRSLBLGx1ShBea6Pu3sTBV5RHUgQmZHzhyANq7tHgZbxATXM60/92rwzKpfGB ++/Blfvc2ssb+YwAeDw/SYdtkOp6HVoLF1UF4Cm49MyeW0QWFbdpxV5d0WSkCM1Fm +Gsar1igyfdtXC1WYEULR79JtGUVcXehorcH/Oe1y71zmGzz3Cg== +-----END CERTIFICATE-----