You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
222 lines
5.3 KiB
222 lines
5.3 KiB
apiVersion: project.openshift.io/v1
|
|
kind: Project
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "0"
|
|
openshift.io/description: ""
|
|
openshift.io/display-name: ""
|
|
labels:
|
|
kubernetes.io/metadata.name: fruits-dev
|
|
name: fruits-dev
|
|
spec:
|
|
finalizers:
|
|
- kubernetes
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
name: cosign-hook
|
|
namespace: fruits-dev
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
name: cosign-hook
|
|
namespace: fruits-dev
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: edit
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: cosign-hook
|
|
namespace: fruits-dev
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
name: secret-reader
|
|
namespace: fruits-dev
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
# The stackrox hook needs to be able to read the cosign public key in order to create the sigstore policy
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
name: stackrox-hook
|
|
namespace: fruits-dev
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: secret-reader
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: stackrox-hook
|
|
namespace: stackrox
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
name: cosign-hook
|
|
namespace: fruits-dev
|
|
data:
|
|
cosign.sh: |
|
|
#!/bin/bash
|
|
|
|
set -Eeuo pipefail
|
|
|
|
mkdir -p /tmp/bin
|
|
curl -sfLo /tmp/bin/cosign https://github.com/sigstore/cosign/releases/download/v2.0.2/cosign-linux-amd64
|
|
chmod 755 /tmp/bin/cosign
|
|
export PATH="/tmp/bin:$PATH"
|
|
|
|
if ! oc get secret code-signature -n fruits-dev &>/dev/null; then
|
|
echo "========================================================================"
|
|
echo " Generating a keypair"
|
|
echo "========================================================================"
|
|
echo
|
|
|
|
## Move to /tmp before creating the keypair because of:
|
|
# Error: open cosign.pub: permission denied
|
|
# main.go:74: error during command execution: open cosign.pub: permission denied
|
|
cd /tmp
|
|
|
|
COSIGN_PASSWORD=dummy cosign generate-key-pair k8s://fruits-dev/code-signature
|
|
fi
|
|
|
|
exit 0
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
name: cosign-hook
|
|
namespace: fruits-dev
|
|
spec:
|
|
backoffLimit: 30
|
|
template:
|
|
spec:
|
|
containers:
|
|
- name: hook
|
|
command:
|
|
- /entrypoint/cosign.sh
|
|
args: []
|
|
image: registry.redhat.io/openshift4/ose-cli:v4.13
|
|
imagePullPolicy: IfNotPresent
|
|
env:
|
|
- name: USER
|
|
value: openshift
|
|
- name: HOME
|
|
value: /tmp
|
|
volumeMounts:
|
|
- mountPath: /entrypoint
|
|
name: cosign-hook
|
|
readOnly: true
|
|
serviceAccountName: cosign-hook
|
|
serviceAccount: cosign-hook
|
|
restartPolicy: OnFailure
|
|
terminationGracePeriodSeconds: 30
|
|
volumes:
|
|
- name: cosign-hook
|
|
configMap:
|
|
name: cosign-hook
|
|
defaultMode: 0755
|
|
---
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Pipeline
|
|
metadata:
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "20"
|
|
labels:
|
|
app.kubernetes.io/instance: fruits
|
|
app.kubernetes.io/name: fruits
|
|
operator.tekton.dev/operand-name: openshift-pipelines-addons
|
|
pipeline.openshift.io/runtime: java
|
|
pipeline.openshift.io/runtime-version: openjdk-17-ubi8
|
|
pipeline.openshift.io/type: kubernetes
|
|
name: fruits
|
|
namespace: fruits-dev
|
|
spec:
|
|
params:
|
|
- default: fruits
|
|
name: APP_NAME
|
|
type: string
|
|
- default: 'https://github.com/MAD-Roadshow-France-2023/devspaces'
|
|
name: GIT_REPO
|
|
type: string
|
|
- default: main
|
|
name: GIT_REVISION
|
|
type: string
|
|
- default: >-
|
|
image-registry.openshift-image-registry.svc:5000/fruits-dev/fruits
|
|
name: IMAGE_NAME
|
|
type: string
|
|
- default: .
|
|
name: PATH_CONTEXT
|
|
type: string
|
|
- default: openjdk-17-ubi8
|
|
name: VERSION
|
|
type: string
|
|
tasks:
|
|
- name: fetch-repository
|
|
params:
|
|
- name: url
|
|
value: $(params.GIT_REPO)
|
|
- name: revision
|
|
value: $(params.GIT_REVISION)
|
|
- name: subdirectory
|
|
value: ''
|
|
- name: deleteExisting
|
|
value: 'true'
|
|
taskRef:
|
|
kind: ClusterTask
|
|
name: git-clone
|
|
workspaces:
|
|
- name: output
|
|
workspace: workspace
|
|
- name: build
|
|
params:
|
|
- name: IMAGE
|
|
value: $(params.IMAGE_NAME)
|
|
- name: TLSVERIFY
|
|
value: 'false'
|
|
- name: PATH_CONTEXT
|
|
value: $(params.PATH_CONTEXT)
|
|
- name: VERSION
|
|
value: $(params.VERSION)
|
|
runAfter:
|
|
- fetch-repository
|
|
taskRef:
|
|
kind: ClusterTask
|
|
name: s2i-java
|
|
workspaces:
|
|
- name: source
|
|
workspace: workspace
|
|
- name: deploy
|
|
params:
|
|
- name: SCRIPT
|
|
value: oc rollout status deploy/$(params.APP_NAME)
|
|
runAfter:
|
|
- build
|
|
taskRef:
|
|
kind: ClusterTask
|
|
name: openshift-client
|
|
workspaces:
|
|
- name: workspace
|
|
optional: false
|
|
resources: []
|
|
finally: []
|