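# Helm template rendered by ArgoCD: everything the fruits-dev namespace needs
# (Project, RBAC, the cosign bootstrap Job and the Tekton build/sign/promote
# pipeline). Sync waves: the Project lands first (wave 0), the rest in wave 20.
# Review the RENDERED output as well: two values below come from .Values and
# one from .Files.Glob, and the template engine knows nothing about YAML.
---
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "0"
    openshift.io/description: ""
    openshift.io/display-name: ""
  labels:
    kubernetes.io/metadata.name: fruits-dev
  name: fruits-dev
spec:
  finalizers:
    - kubernetes
---
# Identity the cosign bootstrap Job (below) runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
---
# NOTE(review): `edit` is a broad aggregated ClusterRole (create/update/delete
# on most namespaced resources, Secrets included). The hook script that needs
# it (files/cosign-hook/cosign.sh) is not visible from this file; once its
# actual API calls are known, replace this with a namespaced Role limited to
# exactly those resources and verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: ServiceAccount
    name: cosign-hook
    namespace: fruits-dev
---
# Read access to the cosign key-pair Secret only. The pipeline below signs with
# k8s://fruits-dev/code-signature, so that Secret is where the public key the
# StackRox hook needs is expected to live. Unscoped `get/list/watch` on all
# secrets also exposed `tekton-tokens` (Slack credentials) to the stackrox
# namespace; resourceNames closes that. If the hook turns out to `list`/`watch`
# secrets, change it to `get` the named Secret rather than widening this rule.
# NOTE(review): a cosign k8s key-pair Secret normally carries cosign.key,
# cosign.pub and cosign.password together, so even this scoped grant hands the
# private key to the stackrox SA. Publishing cosign.pub into a ConfigMap and
# pointing the hook at that would remove the need for any Secret access.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: secret-reader
  namespace: fruits-dev
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["code-signature"]
    verbs: ["get"]
---
# The StackRox hook (running in the stackrox namespace) reads the cosign public
# key from fruits-dev in order to create the sigstore verification policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: stackrox-hook
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
  - kind: ServiceAccount
    name: stackrox-hook
    namespace: stackrox
---
# Let workloads in fruits-test (running as its `default` SA) pull images that
# the pipeline pushes into the fruits-dev registry namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: test-can-pull
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
  - kind: ServiceAccount
    name: default
    namespace: fruits-test
---
# Same pull grant for fruits-prod. Because prod pulls straight from the dev
# registry namespace, promotion is only as strong as the tag it deploys; see
# the notes on the Pipeline below.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: prod-can-pull
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
  - kind: ServiceAccount
    name: default
    namespace: fruits-prod
---
# Script(s) for the bootstrap Job, taken verbatim from files/cosign-hook/ in
# the chart. `indent 2` places each file under `data:`; the template call must
# stay at column 0 on its own line for the indentation to come out right.
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
data:
{{ (.Files.Glob "files/cosign-hook/*").AsConfig | indent 2 }}
---
# One-shot bootstrap Job: runs /entrypoint/cosign.sh from the ConfigMap above
# with the `oc` CLI image. What the script does is not visible here.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
spec:
  # Retries are generous so the hook can wait out resources still syncing in
  # the same wave; each retry re-runs the whole script.
  backoffLimit: 30
  template:
    spec:
      serviceAccountName: cosign-hook
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      containers:
        - name: hook
          image: registry.redhat.io/openshift4/ose-cli:v4.13
          imagePullPolicy: IfNotPresent
          command:
            - /entrypoint/cosign.sh
          args: []
          env:
            # `oc` needs a writable HOME for its kubeconfig/cache.
            - name: USER
              value: openshift
            - name: HOME
              value: /tmp
          volumeMounts:
            - name: cosign-hook
              mountPath: /entrypoint
              readOnly: true
      volumes:
        - name: cosign-hook
          configMap:
            name: cosign-hook
            # Kubernetes wants an integer here; 0755 is read as octal (493) by
            # the API server's YAML decoder, so it must NOT be quoted.
            defaultMode: 0755
---
# Manual approval gate: blocks the pipeline until someone approves in Slack.
# The Slack tokens are read from the Secret named by slackSecretName.
# NOTE(review): the bot image is referenced by the mutable `:latest` tag and
# gates the promotion to prod; pin it to a digest (or an immutable tag) so the
# gate cannot be swapped out from under the pipeline.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: slack-approval
  namespace: fruits-dev
spec:
  params:
    - name: slackChannel
      type: string
    - name: slackSecretName
      type: string
    - name: pipelineId
      type: string
  steps:
    - name: slack-approval
      image: quay.io/madroadshowfrance2023/tekton-pipeline-slack-bot:latest
      env:
        - name: SLACK_CHANNEL
          value: "$(params.slackChannel)"
        - name: TEKTON_PIPELINE_ID
          value: "$(params.pipelineId)"
        - name: SLACK_BOT_TOKEN
          valueFrom:
            secretKeyRef:
              name: $(params.slackSecretName)
              key: "bot-token"
        - name: SLACK_APP_TOKEN
          valueFrom:
            secretKeyRef:
              name: $(params.slackSecretName)
              key: "app-token"
---
# Signs the built image with the cosign key held in a Kubernetes Secret
# (cosignKeyRef is a k8s://<ns>/<secret> reference).
# NOTE(review): `--upload=false` makes cosign print the signature to stdout
# and never attach it to the image in the registry, so anything verifying the
# image later (for example a StackRox sigstore policy) will find no signature.
# Confirm this is intended; otherwise drop the flag.
# NOTE(review): cosignKeyPassword arrives as a plain Tekton string param and
# therefore shows up in the PipelineRun spec/status and any export of it. For
# k8s:// key refs cosign is believed to take the password from the Secret's
# own cosign.password entry (which is presumably why the Pipeline passes
# `dummy`); if a real password ever has to be supplied, feed it through
# `valueFrom.secretKeyRef` instead of a param.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: cosign-sign
  namespace: fruits-dev
spec:
  params:
    - name: cosignKeyRef
      type: string
    - name: cosignKeyPassword
      type: string
    - name: image
      type: string
  steps:
    - name: cosign
      image: gcr.io/projectsigstore/cosign:v2.0.2
      args:
        - sign
        - -y
        - --upload=false
        - --key=$(params.cosignKeyRef)
        - $(params.image)
      env:
        - name: COSIGN_PASSWORD
          value: "$(params.cosignKeyPassword)"
---
# Slack credentials for the approval Task. The values come from the chart's
# values (slackBotToken / slackAppToken) and must be supplied from outside the
# Git repository (e.g. an ArgoCD secret plugin or a sealed values override),
# never committed. `quote` keeps the rendered base64 a YAML string.
apiVersion: v1
kind: Secret
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: tekton-tokens
  namespace: fruits-dev
type: Opaque
data:
  bot-token: {{ .Values.slackBotToken | b64enc | quote }}
  app-token: {{ .Values.slackAppToken | b64enc | quote }}
---
# Build -> sign -> deploy to test -> Slack approval -> deploy to prod.
# NOTE(review): IMAGE_NAME defaults to the mutable `:latest` tag, and both
# deploy steps only delete pods so they re-pull whatever `latest` currently
# is. If the prod Deployment also references this tag, any pod restart in
# fruits-prod picks up a new build regardless of the approval step, and the
# signing step signs whatever the tag resolves to at that moment rather than
# the digest this run built. Deploying and signing by digest (the build task's
# digest result, if the ClusterTask exposes one) would close both gaps.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  labels:
    app.kubernetes.io/instance: fruits
    app.kubernetes.io/name: fruits
    operator.tekton.dev/operand-name: openshift-pipelines-addons
    pipeline.openshift.io/runtime: java
    pipeline.openshift.io/runtime-version: openjdk-17-ubi8
    pipeline.openshift.io/type: kubernetes
  name: fruits
  namespace: fruits-dev
spec:
  params:
    - default: fruits
      name: APP_NAME
      type: string
    - default: 'https://github.com/MAD-Roadshow-France-2023/devspaces'
      name: GIT_REPO
      type: string
    - default: main
      name: GIT_REVISION
      type: string
    - default: >-
        image-registry.openshift-image-registry.svc:5000/fruits-dev/fruits:latest
      name: IMAGE_NAME
      type: string
    - default: .
      name: PATH_CONTEXT
      type: string
    - default: openjdk-17-ubi8
      name: VERSION
      type: string
  tasks:
    - name: fetch-repository
      params:
        - name: url
          value: $(params.GIT_REPO)
        - name: revision
          value: $(params.GIT_REVISION)
        - name: subdirectory
          value: ''
        - name: deleteExisting
          value: 'true'
      taskRef:
        kind: ClusterTask
        name: git-clone
      workspaces:
        - name: output
          workspace: workspace
    - name: build
      params:
        - name: IMAGE
          value: $(params.IMAGE_NAME)
        # NOTE(review): 'false' disables certificate verification for the push
        # to the internal registry, exposing the push to in-cluster MITM. The
        # registry serves a service-CA-signed certificate; if the build image
        # trusts that CA, set this back to 'true'.
        - name: TLSVERIFY
          value: 'false'
        - name: PATH_CONTEXT
          value: $(params.PATH_CONTEXT)
        - name: VERSION
          value: $(params.VERSION)
      runAfter:
        - fetch-repository
      taskRef:
        kind: ClusterTask
        name: s2i-java
      workspaces:
        - name: source
          workspace: workspace
    - name: cosign-sign
      params:
        - name: cosignKeyRef
          value: k8s://fruits-dev/code-signature
        # See the cosign-sign Task: the password is expected to come from the
        # Secret itself, so this value is a placeholder, not a real secret.
        - name: cosignKeyPassword
          value: dummy
        - name: image
          value: $(params.IMAGE_NAME)
      runAfter:
        - build
      taskRef:
        kind: Task
        name: cosign-sign
    - name: deploy-in-test
      params:
        - name: SCRIPT
          value: oc delete pods -l deployment=$(params.APP_NAME) -n fruits-test
      # Fixed: previously referenced the non-existent task `cosign-signature`,
      # which fails Pipeline validation; the signing task is named cosign-sign.
      runAfter:
        - cosign-sign
      taskRef:
        kind: ClusterTask
        name: openshift-client
    - name: slack-approval
      params:
        - name: slackChannel
          value: "#mad-roadshow-france-2023"
        - name: slackSecretName
          value: "tekton-tokens"
        - name: pipelineId
          value: "$(context.pipelineRun.name)"
      runAfter:
        - deploy-in-test
      taskRef:
        name: slack-approval
    - name: deploy-in-prod
      params:
        - name: SCRIPT
          value: oc delete pods -l deployment=$(params.APP_NAME) -n fruits-prod
      runAfter:
        - slack-approval
      taskRef:
        kind: ClusterTask
        name: openshift-client
  workspaces:
    - name: workspace
---
# Target of the build push (fruits-dev/fruits in the internal registry).
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: fruits
  namespace: fruits-dev
spec:
  lookupPolicy:
    local: false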