apiVersion: project.openshift.io/v1 kind: Project metadata: annotations: argocd.argoproj.io/sync-wave: "0" openshift.io/description: "" openshift.io/display-name: "" labels: kubernetes.io/metadata.name: fruits-dev name: fruits-dev spec: finalizers: - kubernetes --- apiVersion: v1 kind: ServiceAccount metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: cosign-hook namespace: fruits-dev --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: cosign-hook namespace: fruits-dev roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: edit subjects: - kind: ServiceAccount name: cosign-hook namespace: fruits-dev --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: secret-reader namespace: fruits-dev rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] --- # The stackrox hook needs to be able to read the cosign public key in order to create the sigstore policy apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: stackrox-hook namespace: fruits-dev roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: secret-reader subjects: - kind: ServiceAccount name: stackrox-hook namespace: stackrox --- apiVersion: v1 kind: ConfigMap metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: cosign-hook namespace: fruits-dev data: {{ (.Files.Glob "files/cosign-hook/*").AsConfig | indent 2 }} --- apiVersion: batch/v1 kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: "20" name: cosign-hook namespace: fruits-dev spec: backoffLimit: 30 template: spec: containers: - name: hook command: - /entrypoint/cosign.sh args: [] image: registry.redhat.io/openshift4/ose-cli:v4.13 imagePullPolicy: IfNotPresent env: - name: USER value: openshift - name: HOME value: /tmp volumeMounts: - mountPath: /entrypoint name: cosign-hook readOnly: true serviceAccountName: cosign-hook serviceAccount: cosign-hook restartPolicy: OnFailure terminationGracePeriodSeconds: 30 volumes: - name: cosign-hook configMap: name: cosign-hook defaultMode: 0755 --- apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: annotations: argocd.argoproj.io/sync-wave: "20" labels: app.kubernetes.io/instance: fruits app.kubernetes.io/name: fruits operator.tekton.dev/operand-name: openshift-pipelines-addons pipeline.openshift.io/runtime: java pipeline.openshift.io/runtime-version: openjdk-17-ubi8 pipeline.openshift.io/type: kubernetes name: fruits namespace: fruits-dev spec: params: - default: fruits name: APP_NAME type: string - default: 'https://github.com/MAD-Roadshow-France-2023/devspaces' name: GIT_REPO type: string - default: main name: GIT_REVISION type: string - default: >- image-registry.openshift-image-registry.svc:5000/fruits-dev/fruits name: IMAGE_NAME type: string - default: . name: PATH_CONTEXT type: string - default: openjdk-17-ubi8 name: VERSION type: string tasks: - name: fetch-repository params: - name: url value: $(params.GIT_REPO) - name: revision value: $(params.GIT_REVISION) - name: subdirectory value: '' - name: deleteExisting value: 'true' taskRef: kind: ClusterTask name: git-clone workspaces: - name: output workspace: workspace - name: build params: - name: IMAGE value: $(params.IMAGE_NAME) - name: TLSVERIFY value: 'false' - name: PATH_CONTEXT value: $(params.PATH_CONTEXT) - name: VERSION value: $(params.VERSION) runAfter: - fetch-repository taskRef: kind: ClusterTask name: s2i-java workspaces: - name: source workspace: workspace - name: deploy params: - name: SCRIPT value: oc rollout status deploy/$(params.APP_NAME) runAfter: - build taskRef: kind: ClusterTask name: openshift-client workspaces: - name: workspace optional: false resources: [] finally: []