eShopOnWeb-gitops/infrastructure/templates/fruits-dev.yaml

apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "0"
    openshift.io/description: ""
    openshift.io/display-name: ""
  labels:
    kubernetes.io/metadata.name: fruits-dev
  name: fruits-dev
spec:
  finalizers:
  - kubernetes
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: cosign-hook
  namespace: fruits-dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: secret-reader
  namespace: fruits-dev
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
# The stackrox hook needs to be able to read the cosign public key in order to create the sigstore policy
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: stackrox-hook
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
- kind: ServiceAccount
  name: stackrox-hook
  namespace: stackrox
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: test-can-pull
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
- kind: ServiceAccount
  name: default
  namespace: fruits-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: prod-can-pull
  namespace: fruits-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
- kind: ServiceAccount
  name: default
  namespace: fruits-prod
---
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
data:
{{ (.Files.Glob "files/cosign-hook/*").AsConfig | indent 2 }}
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: cosign-hook
  namespace: fruits-dev
spec:
  backoffLimit: 30
  template:
    spec:
      containers:
      - name: hook
        command:
        - /entrypoint/cosign.sh
        args: []
        image: registry.redhat.io/openshift4/ose-cli:v4.13
        imagePullPolicy: IfNotPresent
        env:
        - name: USER
          value: openshift
        - name: HOME
          value: /tmp
        volumeMounts:
        - mountPath: /entrypoint
          name: cosign-hook
          readOnly: true
      serviceAccountName: cosign-hook
      serviceAccount: cosign-hook
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      volumes:
      - name: cosign-hook
        configMap:
          name: cosign-hook
          defaultMode: 0755
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: slack-approval
  namespace: fruits-dev
spec:
  params:
  - name: slackChannel
    type: string
  - name: slackSecretName
    type: string
  - name: pipelineId
    type: string
  steps:
  - name: slack-approval
    image: quay.io/madroadshowfrance2023/tekton-pipeline-slack-bot:latest
    env:
    - name: SLACK_CHANNEL
      value: "$(params.slackChannel)"
    - name: TEKTON_PIPELINE_ID
      value: "$(params.pipelineId)"
    - name: SLACK_BOT_TOKEN
      valueFrom:
        secretKeyRef:
          name: $(params.slackSecretName)
          key: "bot-token"
    - name: SLACK_APP_TOKEN
      valueFrom:
        secretKeyRef:
          name: $(params.slackSecretName)
          key: "app-token"
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: cosign-sign
  namespace: fruits-dev
spec:
  params:
  - name: cosignKeyRef
    type: string
  - name: cosignKeyPassword
    type: string
  - name: image
    type: string
  steps:
  - name: cosign
    image: gcr.io/projectsigstore/cosign:v2.0.2
    args:
    - sign
    - -y
    - --tlog-upload=false
    - --key=$(params.cosignKeyRef)
    - $(params.image)
    env:
    - name: COSIGN_PASSWORD
      value: "$(params.cosignKeyPassword)"
---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: tekton-tokens
  namespace: fruits-dev
type: Opaque
data:
  bot-token: {{ .Values.slackBotToken | b64enc | quote }}
  app-token: {{ .Values.slackAppToken | b64enc | quote }}
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  labels:
    app.kubernetes.io/instance: fruits
    app.kubernetes.io/name: fruits
    operator.tekton.dev/operand-name: openshift-pipelines-addons
    pipeline.openshift.io/runtime: java
    pipeline.openshift.io/runtime-version: openjdk-17-ubi8
    pipeline.openshift.io/type: kubernetes
  name: fruits
  namespace: fruits-dev
spec:
  params:
    - default: fruits
      name: APP_NAME
      type: string
    - default: 'https://github.com/MAD-Roadshow-France-2023/devspaces'
      name: GIT_REPO
      type: string
    - default: main
      name: GIT_REVISION
      type: string
    - default: >-
                image-registry.openshift-image-registry.svc:5000/fruits-dev/fruits:latest
      name: IMAGE_NAME
      type: string
    - default: .
      name: PATH_CONTEXT
      type: string
    - default: openjdk-17-ubi8
      name: VERSION
      type: string
  tasks:
    - name: fetch-repository
      params:
        - name: url
          value: $(params.GIT_REPO)
        - name: revision
          value: $(params.GIT_REVISION)
        - name: subdirectory
          value: ''
        - name: deleteExisting
          value: 'true'
      taskRef:
        kind: ClusterTask
        name: git-clone
      workspaces:
        - name: output
          workspace: workspace
    - name: build
      params:
        - name: IMAGE
          value: $(params.IMAGE_NAME)
        - name: TLSVERIFY
          value: 'false'
        - name: PATH_CONTEXT
          value: $(params.PATH_CONTEXT)
        - name: VERSION
          value: $(params.VERSION)
      runAfter:
        - fetch-repository
      taskRef:
        kind: ClusterTask
        name: s2i-java
      workspaces:
        - name: source
          workspace: workspace
    - name: cosign-sign
      params:
      - name: cosignKeyRef
        value: k8s://fruits-dev/code-signature
      - name: cosignKeyPassword
        value: dummy
      - name: image
        value: $(params.IMAGE_NAME)
      runAfter:
        - build
      taskRef:
        kind: Task
        name: cosign-sign
    - name: deploy-in-test
      params:
        - name: SCRIPT
          value: oc delete pods -l deployment=$(params.APP_NAME) -n fruits-test
      runAfter:
        - cosign-sign
      taskRef:
        kind: ClusterTask
        name: openshift-client
    - name: slack-approval
      params:
      - name: slackChannel
        value: "#mad-roadshow-france-2023"
      - name: slackSecretName
        value: "tekton-tokens"
      - name: pipelineId
        value: "$(context.pipelineRun.name)"
      runAfter:
      - deploy-in-test
      taskRef:
        name: slack-approval
    - name: deploy-in-prod
      params:
        - name: SCRIPT
          value: oc delete pods -l deployment=$(params.APP_NAME) -n fruits-prod
      runAfter:
        - slack-approval
      taskRef:
        kind: ClusterTask
        name: openshift-client

  workspaces:
    - name: workspace
---
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: fruits
  namespace: fruits-dev
spec:
  lookupPolicy:
    local: false