apiVersion: v1 kind: Namespace metadata: annotations: argocd.argoproj.io/sync-wave: "0" openshift.io/description: "" openshift.io/display-name: "" labels: kubernetes.io/metadata.name: eshop-dev # Enable HTTPS on Tekton EventListeners operator.tekton.dev/enable-annotation: disabled name: eshop-dev spec: finalizers: - kubernetes --- apiVersion: image.openshift.io/v1 kind: ImageStream metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: eshop-web namespace: eshop-dev spec: lookupPolicy: local: false --- apiVersion: image.openshift.io/v1 kind: ImageStream metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: eshop-api namespace: eshop-dev spec: lookupPolicy: local: false --- apiVersion: tekton.dev/v1beta1 kind: Task metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: cosign-sign namespace: eshop-dev spec: params: - name: cosignKeyRef type: string - name: cosignKeyPassword type: string - name: image type: string steps: - name: cosign image: gcr.io/projectsigstore/cosign:v2.0.2 args: - sign - -y - --tlog-upload=false - --key=$(params.cosignKeyRef) - $(params.image) env: - name: COSIGN_PASSWORD value: "$(params.cosignKeyPassword)" --- apiVersion: tekton.dev/v1beta1 kind: Task metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: roxctl-image-check namespace: eshop-dev spec: params: - description: >- Secret containing the StackRox API token with CI permissions and the address:port tuple for StackRox Central (example: rox.stackrox.io:443) name: roxctlSecret type: string - description: Bypass Central's cache for the image and force a new pull from the Scanner name: forcePull type: string default: "false" - description: Image name (registry hostname + port + path) name: imageName type: string - description: Image digest name: imageDigest type: string results: - description: Output of `roxctl image check` name: check_output steps: - env: - name: FORCE_PULL value: $(params.forcePull) - name: DIGEST value: $(params.imageDigest) - name: NAME value: $(params.imageName) - name: FORCE_PULL value: $(params.forcePull) - name: ROX_API_TOKEN valueFrom: secretKeyRef: key: token name: $(params.roxctlSecret) - name: ROX_CENTRAL_ENDPOINT valueFrom: secretKeyRef: key: endpoint name: $(params.roxctlSecret) image: quay.io/skopeo/stable:v1.5.2 name: roxctl-image-check resources: {} script: | #!/bin/bash set -Eeuo pipefail curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" --output /tmp/roxctl > /dev/null chmod +x /tmp/roxctl extra_args="" if [ "${FORCE_PULL:-}" == "true" ]; then extra_args="$extra_args --force" fi /tmp/roxctl image check --insecure-skip-tls-verify -e "$ROX_CENTRAL_ENDPOINT" --image "$NAME@$DIGEST" --send-notifications $extra_args --- apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: eshop-ci namespace: eshop-dev spec: params: - default: 'https://github.com/eShopOnWeb-OpenShift/eShopOnWeb.git' name: GIT_REPO type: string - default: main name: GIT_REVISION type: string - name: IMAGE_NAME type: string - name: DOTNET_STARTUP_PROJECT type: string tasks: - name: git-clone params: - name: url value: $(params.GIT_REPO) - name: revision value: $(params.GIT_REVISION) - name: subdirectory value: '' - name: deleteExisting value: 'true' taskRef: kind: ClusterTask name: git-clone workspaces: - name: output workspace: workspace - name: build params: - name: IMAGE value: $(params.IMAGE_NAME) - name: TLSVERIFY value: 'false' - name: PATH_CONTEXT value: . - name: VERSION value: 7.0-ubi8 - name: ENV_VARS value: - DOTNET_STARTUP_PROJECT=$(params.DOTNET_STARTUP_PROJECT) runAfter: - git-clone taskRef: kind: ClusterTask name: s2i-dotnet workspaces: - name: source workspace: workspace - name: roxctl-image-check taskRef: name: roxctl-image-check runAfter: - build params: - name: roxctlSecret value: stackrox-cicd-token - name: imageName value: $(params.IMAGE_NAME) - name: imageDigest value: $(tasks.build.results.IMAGE_DIGEST) - name: cosign-sign params: - name: cosignKeyRef value: k8s://eshop-dev/code-signature - name: cosignKeyPassword value: dummy - name: image value: $(params.IMAGE_NAME)@$(tasks.build.results.IMAGE_DIGEST) runAfter: - roxctl-image-check taskRef: kind: Task name: cosign-sign workspaces: - name: workspace --- apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: eshop-cd namespace: eshop-dev spec: params: - name: IMAGESTREAM_NAME type: string - name: DEV_NAMESPACE type: string default: eshop-dev - name: TEST_NAMESPACE type: string default: eshop-test - name: PROD_NAMESPACE type: string default: eshop-prod - name: APPLICATION_NAME type: string - name: IMAGE_DIGEST type: string tasks: - name: roxctl-image-check taskRef: name: roxctl-image-check params: - name: roxctlSecret value: stackrox-cicd-token - name: imageName value: image-registry.openshift-image-registry.svc:5000/$(params.DEV_NAMESPACE)/$(params.IMAGESTREAM_NAME) - name: imageDigest value: $(params.IMAGE_DIGEST) - name: forcePull value: "true" - name: deploy-in-test params: - name: SCRIPT value: | oc tag $(params.DEV_NAMESPACE)/$(params.IMAGESTREAM_NAME)@$(params.IMAGE_DIGEST) $(params.TEST_NAMESPACE)/$(params.IMAGESTREAM_NAME):latest oc set image deploy/$(params.APPLICATION_NAME) -n $(params.TEST_NAMESPACE) $(params.APPLICATION_NAME)=image-registry.openshift-image-registry.svc:5000/$(params.TEST_NAMESPACE)/$(params.IMAGESTREAM_NAME)@$(params.IMAGE_DIGEST) runAfter: - roxctl-image-check taskRef: kind: ClusterTask name: openshift-client - name: deploy-in-prod params: - name: SCRIPT value: | oc tag $(params.DEV_NAMESPACE)/$(params.IMAGESTREAM_NAME)@$(params.IMAGE_DIGEST) $(params.PROD_NAMESPACE)/$(params.IMAGESTREAM_NAME):latest oc set image deploy/$(params.APPLICATION_NAME) -n $(params.PROD_NAMESPACE) $(params.APPLICATION_NAME)=image-registry.openshift-image-registry.svc:5000/$(params.PROD_NAMESPACE)/$(params.IMAGESTREAM_NAME)@$(params.IMAGE_DIGEST) runAfter: - deploy-in-test taskRef: kind: ClusterTask name: openshift-client --- apiVersion: triggers.tekton.dev/v1beta1 kind: EventListener metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: eshoponweb namespace: eshop-dev spec: serviceAccountName: pipeline triggers: - triggerRef: eshop-web - triggerRef: eshop-api --- apiVersion: triggers.tekton.dev/v1beta1 kind: Trigger metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: eshop-web namespace: eshop-dev spec: serviceAccountName: pipeline interceptors: - name: GitHub push events ref: name: "github" params: - name: "secretRef" value: secretName: github-webbook-secret secretKey: secretToken - name: "eventTypes" value: ["push"] - name: Filter on repository name ref: name: "cel" kind: ClusterInterceptor apiVersion: triggers.tekton.dev params: - name: filter value: body.repository.full_name == 'eShopOnWeb-OpenShift/eShopOnWeb' bindings: - name: NAME value: web - name: GIT_REPO value: $(body.repository.clone_url) - name: GIT_REVISION value: $(body.head_commit.id) - name: IMAGE_NAME value: image-registry.openshift-image-registry.svc:5000/eshop-dev/eshop-web - name: DOTNET_STARTUP_PROJECT value: src/Web/Web.csproj template: ref: eshoponweb --- apiVersion: triggers.tekton.dev/v1beta1 kind: Trigger metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: eshop-api namespace: eshop-dev spec: serviceAccountName: pipeline interceptors: - name: GitHub push events ref: name: "github" params: - name: "secretRef" value: secretName: github-webbook-secret secretKey: secretToken - name: "eventTypes" value: ["push"] - name: Filter on repository name ref: name: "cel" kind: ClusterInterceptor apiVersion: triggers.tekton.dev params: - name: filter value: body.repository.full_name == 'eShopOnWeb-OpenShift/eShopOnWeb' bindings: - name: NAME value: api - name: GIT_REPO value: $(body.repository.clone_url) - name: GIT_REVISION value: $(body.head_commit.id) - name: IMAGE_NAME value: image-registry.openshift-image-registry.svc:5000/eshop-dev/eshop-api - name: DOTNET_STARTUP_PROJECT value: src/PublicApi/PublicApi.csproj template: ref: eshoponweb --- apiVersion: v1 kind: Secret metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: github-webbook-secret namespace: eshop-dev type: Opaque data: secretToken: {{ include "github-tekton-webhook-secret" . | b64enc | quote }} --- apiVersion: triggers.tekton.dev/v1beta1 kind: TriggerTemplate metadata: annotations: argocd.argoproj.io/sync-wave: "20" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true name: eshoponweb namespace: eshop-dev spec: params: - name: NAME - name: GIT_REPO - name: GIT_REVISION - name: IMAGE_NAME - name: DOTNET_STARTUP_PROJECT resourcetemplates: - apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: annotations: argocd.argoproj.io/sync-options: Prune=false generateName: eshop-ci-$(tt.params.NAME)- spec: serviceAccountName: pipeline pipelineRef: name: eshop-ci params: - name: GIT_REPO value: $(tt.params.GIT_REPO) - name: GIT_REVISION value: $(tt.params.GIT_REVISION) - name: IMAGE_NAME value: $(tt.params.IMAGE_NAME) - name: DOTNET_STARTUP_PROJECT value: $(tt.params.DOTNET_STARTUP_PROJECT) workspaces: - name: workspace volumeClaimTemplate: spec: accessModes: - ReadWriteOnce resources: requests: storage: 5Gi --- kind: Route apiVersion: route.openshift.io/v1 metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: el-eshoponweb namespace: eshop-dev labels: app.kubernetes.io/managed-by: EventListener app.kubernetes.io/part-of: Triggers eventlistener: eshoponweb spec: to: kind: Service name: el-eshoponweb tls: termination: edge insecureEdgeTerminationPolicy: Redirect port: targetPort: http-listener