initial commit

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "kubespray"]
+	path = kubespray
+	url = https://github.com/kubernetes-sigs/kubespray.git

ansible/group_vars/all/versions.yaml

@@ -0,0 +1 @@
+argocd_cli_version: "2.3.3"

ansible/requirements.yaml

@@ -0,0 +1,11 @@
+collections:
+- name: containers.podman
+  version: '>=1.4.1' # 1.4.1 is the minimum when working with podman 2.2
+- name: ansible.posix
+- name: community.general
+  version: '>=2.2.0' # fix a bug with nmcli and bridge interfaces
+- name: community.libvirt
+- name: ansible.netcommon
+- name: community.kubernetes
+- name: openvswitch.openvswitch
+

ansible/roles/argocd/tasks/main.yaml

@@ -0,0 +1,27 @@
+- name: Create the argocd namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: argocd
+      spec: {}
+
+- name: Add the ArgoCD Helm repository
+  kubernetes.core.helm_repository:
+    name: argo
+    repo_url: "https://argoproj.github.io/argo-helm"
+
+- name: Deploy ArgoCD
+  kubernetes.core.helm:
+    name: argocd
+    chart_ref: argo/argo-cd
+    update_repo_cache: yes
+    release_namespace: argocd
+    release_values:
+      configs:
+        secret:
+          argocdServerAdminPassword: '{{ "secret" | password_hash("bcrypt") }}'
+    release_state: present
+    chart_version: '4.5.7'

ansible/roles/helm/defaults/main.yaml

@@ -0,0 +1,2 @@
+helm_version: "3.8.2"
+tkn_version: "0.23.1"

ansible/roles/helm/tasks/main.yaml

@@ -0,0 +1,34 @@
+- name: Download Helm
+  get_url:
+    url: '{{ helm_download_url }}'
+    dest: /usr/local/src/{{ helm_download_url | basename }}
+
+- name: Install Helm
+  unarchive:
+    src: /usr/local/src/{{ helm_download_url | basename }}
+    dest: /usr/local/sbin
+    remote_src: yes
+    # In Ansible 2.11, it will be possible to use "include" instead...
+    exclude:
+    - linux-amd64/README.md
+    - linux-amd64/LICENSE
+    extra_opts:
+    - --strip-components=1
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Download the Tekton CLI
+  get_url:
+    url: '{{ tkn_download_url }}'
+    dest: /usr/local/src/{{ tkn_download_url | basename }}
+
+- name: Install the Tekton CLI
+  unarchive:
+    src: /usr/local/src/{{ tkn_download_url | basename }}
+    dest: /usr/local/sbin
+    remote_src: yes
+    # In Ansible 2.11, it will be possible to use "include" instead...
+    owner: root
+    group: root
+    mode: 0755

ansible/roles/helm/vars/main.yaml

@@ -0,0 +1,2 @@
+helm_download_url: "https://get.helm.sh/helm-v{{ helm_version }}-linux-amd64.tar.gz"
+tkn_download_url: "https://github.com/tektoncd/cli/releases/download/v{{ tkn_version }}/tkn_{{ tkn_version }}_Linux_x86_64.tar.gz"

ansible/roles/vm/defaults/main.yaml

@@ -0,0 +1 @@
+centos_version: "20221005"

ansible/roles/vm/tasks/main.yaml

@@ -0,0 +1,9 @@
+- name: Fetch the CentOS Stream 8 ISO image
+  get_url:
+    url: '{{ centos_download_url }}'
+    dest: /var/lib/libvirt/images/{{ centos_download_url | basename }}
+
+- name: Start the installation
+  command:
+    cmd: virt-install --name foo --autostart --noautoconsole --cpu host-passthrough --vcpus 2 --ram 2048 --os-variant centos-stream8 --disk path=/var/lib/libvirt/images/foo.qcow2,size=50 --console pty,target.type=virtio --serial pty --location "/var/lib/libvirt/images/{{ centos_download_url | basename }}"
+    creates: /var/lib/libvirt/images/foo.qcow2

ansible/roles/vm/vars/main.yaml

@@ -0,0 +1 @@
+centos_download_url: http://ftp.pasteur.fr/mirrors/CentOS/8-stream/isos/x86_64/CentOS-Stream-8-x86_64-{{ centos_version }}-boot.iso

charts/itix-gitea/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: gitea
+  repository: https://dl.gitea.io/charts/
+  version: 5.0.0
+digest: sha256:fb8e51d5b3ebac99aab6e5190e3a3b46dfbd5f014d5b3019feb825af995bae53
+generated: "2022-10-08T06:22:43.958560969Z"

charts/itix-gitea/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: itix-gitea
+version: 0.0.1
+description: ITIX Customizations for Gitea
+dependencies:
+- name: gitea
+  version: 5.0.0
+  repository: https://dl.gitea.io/charts/

charts/itix-gitea/values.yaml

@@ -0,0 +1,11 @@
+gitea:
+  postgresql:
+    enabled: false
+  memcached:
+    enabled: false
+  service:
+    ssh:
+      type: NodePort
+      nodePort: 32022
+  ingress:
+    enabled: false

docker/git/Containerfile

@@ -0,0 +1,12 @@
+FROM quay.io/centos/centos:stream8
+
+ARG GH_VERSION=2.3.0
+
+RUN dnf install -y git curl tar gzip shadow-utils \
+ && curl -sLo /tmp/gh.tgz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz \
+ && tar -xf /tmp/gh.tgz -C /tmp \
+ && mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin \
+ && rm -rf /tmp/gh_${GH_VERSION}_linux_amd64 /tmp/gh.tgz \
+ && dnf clean all
+
+RUN git config --global advice.detachedHead false

docker/mosquitto/Containerfile

@@ -0,0 +1,4 @@
+FROM quay.io/fedora/fedora:35
+
+RUN dnf install -y mqttcli \
+ && dnf clean all

docker/nextcloud/Containerfile

@@ -0,0 +1,6 @@
+# The following line will be rewritten by the custom builder
+FROM docker.io/library/nextcloud
+RUN set -ex \
+ && apk add --no-cache ffmpeg samba-client \
+ && touch /usr/local/etc/php/conf.d/redis-session.ini \
+ && chmod 666 /usr/local/etc/php/conf.d/redis-session.ini # Overwritten by entrypoint.sh on startup

docker/nginx/Containerfile

@@ -0,0 +1,15 @@
+FROM docker.io/nginxinc/nginx-unprivileged:1.20-alpine
+
+ARG SOURCE_TAG
+
+USER root
+
+RUN curl -Lo /tmp/aeneria-app.tgz https://statics.aeneria.com/aeneria-app-${SOURCE_TAG}.tar.gz \
+ && mkdir -p /var/www/html \
+ && tar -C /var/www/html --strip-components=1 -zxf /tmp/aeneria-app.tgz \
+ && chown -R root:root /var/www/html \
+ && chmod -R go+rX-w /var/www/html
+
+ADD nginx.conf /etc/nginx/nginx.conf
+
+USER nginx

docker/php/Containerfile

@@ -0,0 +1,38 @@
+FROM docker.io/library/php:7.3-fpm-alpine
+
+ARG SOURCE_TAG
+
+RUN apk add libpq libpq-dev \
+ && docker-php-ext-configure pgsql \
+ && docker-php-ext-install pdo pdo_pgsql
+
+RUN curl -Lo /tmp/aeneria-app.tgz https://statics.aeneria.com/aeneria-app-${SOURCE_TAG}.tar.gz \
+ && mkdir -p /var/www/html \
+ && tar -C /var/www/html --strip-components=1 -zxf /tmp/aeneria-app.tgz \
+ && chown -R root:root /var/www/html \
+ && chmod -R go+rX-w /var/www/html \
+ && mkdir -p /var/www/html/private /var/www/html/var \
+ && chmod 777 /var/www/html/private /var/www/html/var
+
+ADD entrypoint.sh /entrypoint.sh
+
+ENV APP_ENV=prod \
+    AENERIA_USER_MAX_PLACES=-1  \
+    AENERIA_USER_CAN_SHARE_PLACE=1  \
+    AENERIA_USER_CAN_FETCH=1 \
+    AENERIA_USER_CAN_EXPORT=1 \
+    AENERIA_USER_CAN_IMPORT=1 \
+    AENERIA_PLACE_CAN_BE_PUBLIC=1 \
+    AENERIA_DEMO_MODE=0 \
+    ENEDIS_CLIENT_ID= \
+    ENEDIS_CLIENT_SECRET= \
+    ENEDIS_REDIRECT_URI= \
+    ENEDIS_ENDPOINT_AUTH=https://proxy.aeneria.com/enedis-data-connect \
+    ENEDIS_ENDPOINT_TOKEN=https://proxy.aeneria.com/enedis-data-connect \
+    ENEDIS_ENDPOINT_DATA=https://gw.prd.api.enedis.fr \
+    AENERIA_WELCOME_MESSAGE="Bienvenue !"
+
+VOLUME [ "/var/www/html/private", "/var/www/html/var" ]
+
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ ]

kubespray

@@ -0,0 +1 @@
+Subproject commit eeeca4a1d0334efebcf732d08bffc7e10240fc9c

kustomize/minio/daemonset.yaml

@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: minio
+  namespace: minio
+spec:
+  selector:
+    matchLabels:
+      name: minio
+  template:
+    metadata:
+      labels:
+        name: minio
+    spec:
+      containers:
+      - name: minio
+        image: quay.io/minio/minio:latest
+        args:
+        - server
+        - --console-address
+        - :8080
+        - --address
+        - :8090
+        - /data
+        env:
+        - name: MINIO_ROOT_USER
+          value: admin
+        - name: MINIO_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: minio-admin
+              key: password
+        ports:
+          - containerPort: 8080
+        readinessProbe:
+          failureThreshold: 1
+          httpGet:
+            path: /minio/health/live
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 20
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        - name: config
+          mountPath: /.minio
+        securityContext:
+          runAsGroup: 10000
+          runAsUser: 10002
+          capabilities:
+            drop: [ALL]
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: minio-data
+      - name: config
+        emptyDir: {}

kustomize/minio/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - daemonset.yaml
+images:
+  - name: quay.io/minio/minio
+    newTag: RELEASE.2022-04-29T01-27-09Z

kustomize/nextcloud/kustomize.yaml

@@ -0,0 +1,7 @@
+namespace: nextcloud
+
+helmCharts:
+- releaseName: nextcloud
+  repo: https://nextcloud.github.io/helm/
+  name: nextcloud
+  version: 3.0.0

kustomize/tekton/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.29.0/release.yaml
+- https://storage.googleapis.com/tekton-releases/triggers/previous/v0.17.1/release.yaml
+- https://storage.googleapis.com/tekton-releases/triggers/previous/v0.17.1/interceptors.yaml
+- https://storage.googleapis.com/tekton-releases/dashboard/previous/v0.21.0/tekton-dashboard-release.yaml
+
+patchesStrategicMerge:
+- |
+  $patch: delete
+  apiVersion: autoscaling/v2beta1
+  kind: HorizontalPodAutoscaler
+  metadata:
+    name: tekton-pipelines-webhook
+    namespace: tekton-pipelines
+- |
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: config-artifact-pvc
+    namespace: tekton-pipelines
+  data:
+    size: 1Gi
+    storageClassName: tekton

rpms/SPECS/gitea.spec

@@ -0,0 +1,60 @@
+Name:       gitea
+Version:    1.13.1
+Release:    itix1
+Summary:    Git with a cup of tea, painless self-hosted git service
+License:    MIT
+Source0:    https://github.com/go-gitea/%{name}/releases/download/v%{version}/%{name}-%{version}-linux-amd64.xz
+ExclusiveArch: x86_64
+Source1:    gitea.service
+Requires(pre): shadow-utils
+Requires: postgresql-server
+BuildRequires: systemd
+
+%description
+
+The goal of this project is to make the easiest, fastest, and most painless
+way of setting up a self-hosted Git service. Using Go, this can be done with
+an independent binary distribution across all platforms which Go supports,
+including Linux, macOS, and Windows on x86, amd64, ARM and PowerPC
+architectures.
+
+# Since we don't recompile from source, disable the build_id checking
+%global _missing_build_ids_terminate_build 0
+%global _build_id_links none
+%global debug_package %{nil}
+
+%prep
+%setup -q -c -T
+xz -dc %{S:0} > gitea
+cp %{S:1} %{name}.service
+
+%build
+
+%install
+install -d %{buildroot}/opt/%{name}/etc/
+install -d %{buildroot}/srv/%{name}/custom
+install -d %{buildroot}/srv/%{name}/git
+install -D gitea %{buildroot}/opt/%{name}/bin/gitea
+install -D -m 0644 %{name}.service %{buildroot}/%{_unitdir}/%{name}.service
+
+%files
+%defattr(0644, root, root, 0755)
+%dir /opt/%{name}/bin
+%dir /opt/%{name}/etc
+%dir /srv/%{name}
+%dir /srv/%{name}/custom
+%dir /srv/%{name}/git
+%attr(0755, root, root) /opt/%{name}/bin/gitea
+%{_unitdir}/%{name}.service
+
+%pre
+getent group itix-svc >/dev/null || groupadd -r itix-svc
+getent passwd git >/dev/null || useradd -r -g itix-svc \
+  -d /srv/%{name} -s /sbin/nologin -c "Git with a cup of tea" \
+  git
+
+exit 0
+
+%changelog
+* Mon Feb 22 2021 Nicolas MASSE <nicolas.masse@itix.fr> - 1.13.1-itix1
+- First release

tekton/charts/hugo/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: hugo
+type: application
+version: 0.0.1
+appVersion: "0.0.1"

tekton/charts/hugo/templates/_helpers.tpl

@@ -0,0 +1,3 @@
+{{- define "release.name" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}

tekton/charts/hugo/templates/pipeline.yaml

@@ -0,0 +1,131 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: {{ include "release.name" . }}
+spec:
+  workspaces:
+  - name: scratch
+  params:
+  - name: hugoVersion
+    type: string
+    default: {{ .Values.hugo.version | quote }}
+  - name: gitRepositoryURL
+    type: string
+  - name: gitBranch
+    type: string
+    default: ""
+  - name: gitRevision
+    type: string
+  tasks:
+  # Clone the git repository
+  - name: git-clone
+    params:
+    - name: gitRepositoryURL
+      value: "$(params.gitRepositoryURL)"
+    - name: gitBranch
+      value: "$(params.gitBranch)"
+    - name: gitRevision
+      value: "$(params.gitRevision)"
+    - name: ciVersion
+      value: {{ .Values.itixCi.version | quote }}
+    workspaces:
+    - name: src
+      workspace: scratch
+      subPath: src
+    taskRef:
+      name: git-clone
+
+  # Build the Hugo site
+  - name: hugo
+    runAfter:
+    - git-clone
+    params:
+    - name: hugoVersion
+      value: "$(params.hugoVersion)"
+    workspaces:
+    - name: src
+      workspace: scratch
+      subPath: src
+    taskRef:
+      name: hugo
+
+  # Build and push the container images
+  - name: buildah
+    runAfter:
+    - hugo
+    params:
+    - name: buildahVersion
+      value: {{ .Values.buildah.version | quote }}
+    - name: containerfilePath
+      value: {{ .Values.buildah.containerfilePath | quote }}
+    - name: outputContainerImage
+      value: {{ .Values.buildah.outputContainerImage | quote }}
+    - name: gitRevision
+      value: "$(tasks.git-clone.results.gitRevision)"
+    - name: gitCurrentTag
+      value: "$(tasks.git-clone.results.gitCurrentTag)"
+    workspaces:
+    - name: src
+      workspace: scratch
+      subPath: src
+    - name: containers
+      workspace: scratch
+      subPath: containers
+    taskRef:
+      name: buildah
+
+{{ if gt (len (keys .Values.deployment.environments)) 0 }}
+  - name: git-clone-cd
+    runAfter:
+    - buildah
+    params:
+    - name: gitRepositoryURL
+      value: {{ .Values.deployment.git.url | quote }}
+    - name: gitBranch
+      value: {{ .Values.deployment.git.branch | quote }}
+    - name: gitRevision
+      value: ""
+    - name: ciVersion
+      value: {{ .Values.itixCi.version | quote }}
+    workspaces:
+    - name: src
+      workspace: scratch
+      subPath: k8s
+    taskRef:
+      name: git-clone
+
+  - name: kustomize-set-image
+    runAfter:
+    - git-clone-cd
+    params:
+    - name: gitBranch
+      value: {{ .Values.deployment.git.branch | quote }}
+    - name: gitCurrentTag
+      value: "$(tasks.git-clone.results.gitCurrentTag)"
+    - name: kustomizeVersion
+      value: {{ .Values.deployment.kustomizeVersion | quote }}
+    - name: gitVersion
+      value: {{ .Values.git.version | quote }}
+    - name: imageDigest
+      value: "$(tasks.buildah.results.imageDigest)"
+    - name: imageName
+      value: {{ .Values.buildah.outputContainerImage | quote }}
+    - name: testManifestsDir
+{{- if hasKey .Values.deployment.environments "test" }}
+      value: {{ .Values.deployment.environments.test.path | quote }}
+{{- else }}
+      value: ""
+{{- end }}
+    - name: prodManifestsDir
+{{- if hasKey .Values.deployment.environments "prod" }}
+      value: {{ .Values.deployment.environments.prod.path | quote }}
+{{- else }}
+      value: ""
+{{- end }}
+    workspaces:
+    - name: src
+      workspace: scratch
+      subPath: k8s
+    taskRef:
+      name: kustomize-set-image
+{{ end }}

tekton/charts/hugo/templates/trigger.yaml

@@ -0,0 +1,69 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: Trigger
+metadata:
+  name: {{ include "release.name" . }}
+spec:
+  interceptors:
+  - name: {{ .Values.tekton.interceptor }} interceptor
+    ref:
+      name: {{ .Values.tekton.interceptor | quote }}
+      kind: ClusterInterceptor
+      apiVersion: triggers.tekton.dev
+    params:
+    - name: secretRef
+      value:
+        secretName: {{ .Values.tekton.interceptor }}-webhook
+        secretKey: sharedSecret
+    - name: eventTypes
+      value: ["push"]
+  - name: Filter on repository name
+    ref:
+      name: "cel"
+      kind: ClusterInterceptor
+      apiVersion: triggers.tekton.dev
+    params:
+    - name: filter
+      value: body.repository.full_name == '{{ .Values.tekton.repositoryName }}'
+  bindings:
+{{ if eq .Values.tekton.interceptor "github" }}
+  - name: gitRevision
+    value: $(body.head_commit.id)
+{{ else if eq .Values.tekton.interceptor "gitea" }}
+  - name: gitRevision
+    value: $(body.after)
+{{ end }}
+  - name: gitRepositoryUrl
+    value: "$(body.repository.clone_url)"
+  template:
+    spec:
+      params:
+      - name: gitRevision
+        description: The git revision
+      - name: gitRepositoryUrl
+        description: The git repository url
+      resourcetemplates:
+      - apiVersion: tekton.dev/v1beta1
+        kind: PipelineRun
+        metadata:
+          annotations:
+            argocd.argoproj.io/sync-options: Prune=false
+          generateName: {{ include "release.name" . }}-
+        spec:
+          pipelineRef:
+            name: {{ include "release.name" . }}
+          params:
+          - name: gitRepositoryURL
+            value: $(tt.params.gitRepositoryUrl)
+          - name: gitRevision
+            value: $(tt.params.gitRevision)
+          serviceAccountName: itix-push-robot
+          workspaces:
+          - name: scratch
+            volumeClaimTemplate:
+              spec:
+                storageClassName: tekton
+                accessModes:
+                - ReadWriteMany
+                resources:
+                  requests:
+                    storage: 1Gi

tekton/charts/hugo/values.yaml

@@ -0,0 +1,13 @@
+tekton:
+  interceptor: gitea # gitea or github
+  repositoryName: user/repo # github or gitea repo's full_name
+hugo:
+  version: "v0.104.3"
+buildah:
+  containerfilePath: "Containerfile"
+  outputContainerImage: ""
+deployment:
+  git:
+    url: ""
+    branch: "main"
+  environments: {}

tekton/kustomize-set-image.yaml

@@ -0,0 +1,109 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: kustomize-set-image
+spec:
+  params:
+  - name: imageDigest
+    type: string
+  - name: gitCurrentTag
+    type: string
+  - name: gitBranch
+    type: string
+  - name: imageName
+    type: string
+  - name: testManifestsDir
+    type: string
+  - name: prodManifestsDir
+    type: string
+  workspaces:
+  - name: src
+    mountPath: /src
+  steps:
+  - name: kustomize
+    image: k8s.gcr.io/kustomize/kustomize:v4.5.5
+    workingDir: /src
+    env:
+    - name: HOME
+      value: /home/tekton
+    - name: GIT_CURRENT_TAG
+      value: "$(params.gitCurrentTag)"
+    - name: GIT_BRANCH
+      value: "$(params.gitBranch)"
+    - name: IMAGE_NAME
+      value: "$(params.imageName)"
+    - name: IMAGE_DIGEST
+      value: "$(params.imageDigest)"
+    - name: TEST_MANIFESTS_DIR
+      value: "$(params.testManifestsDir)"
+    - name: PROD_MANIFESTS_DIR
+      value: "$(params.prodManifestsDir)"
+    volumeMounts:
+    - name: home
+      mountPath: /home/tekton
+    script: |
+      #!/bin/sh
+      set -euo pipefail
+      echo "========================================================="
+      echo " kustomize edit set image $IMAGE_NAME"
+      echo "========================================================="
+      echo
+      if [ -n "$TEST_MANIFESTS_DIR" ]; then
+        echo "Setting image tag to digest $IMAGE_DIGEST for environment test..."
+        cd "$TEST_MANIFESTS_DIR"
+        kustomize edit set image "$IMAGE_NAME@$IMAGE_DIGEST"
+        cd -
+        echo
+      fi
+      if [[ -n "$PROD_MANIFESTS_DIR" && -n "$GIT_CURRENT_TAG" ]]; then
+        echo "Setting image tag to digest $IMAGE_DIGEST for environment prod..."
+        cd "$PROD_MANIFESTS_DIR"
+        kustomize edit set image "$IMAGE_NAME@$IMAGE_DIGEST"
+        cd -
+        echo
+      fi
+      echo
+      exit 0
+  - name: git-push
+    image: docker.io/alpine/git:v2.26.2
+    workingDir: /src
+    env:
+    - name: HOME
+      value: /home/tekton
+    - name: GIT_CURRENT_TAG
+      value: "$(params.gitCurrentTag)"
+    - name: GIT_BRANCH
+      value: "$(params.gitBranch)"
+    - name: IMAGE_NAME
+      value: "$(params.imageName)"
+    - name: IMAGE_DIGEST
+      value: "$(params.imageDigest)"
+    - name: TEST_MANIFESTS_DIR
+      value: "$(params.testManifestsDir)"
+    - name: PROD_MANIFESTS_DIR
+      value: "$(params.prodManifestsDir)"
+    volumeMounts:
+    - name: home
+      mountPath: /home/tekton
+    script: |
+      #!/bin/sh
+      set -euo pipefail
+      git config --global user.email "nicolas.masse@itix.fr"
+      git config --global user.name "GitOps Tekton Bot"
+      echo "========================================================="
+      echo " git add, commit & push"
+      echo "========================================================="
+      echo
+      if [ -n "$TEST_MANIFESTS_DIR" ]; then
+        git add "$TEST_MANIFESTS_DIR"
+        git commit -m "deploy image $IMAGE_NAME@$IMAGE_DIGEST in test"
+      fi
+      if [[ -n "$PROD_MANIFESTS_DIR" && -n "$GIT_CURRENT_TAG" ]]; then
+        git add "$PROD_MANIFESTS_DIR"
+        git commit -m "deploy image $IMAGE_NAME@$IMAGE_DIGEST in prod"
+      fi
+      git push origin "HEAD:$GIT_BRANCH"
+      exit 0
+  volumes:
+  - name: home
+    emptyDir: {}