diff --git a/.konflux/applications/serverless-operator-135/components/imagerepositories/net-istio-controller-115.yaml b/.konflux/applications/serverless-operator-135/components/imagerepositories/net-istio-controller-115.yaml
new file mode 100755
index 0000000000..0ecc5caaca
--- /dev/null
+++ b/.konflux/applications/serverless-operator-135/components/imagerepositories/net-istio-controller-115.yaml
@@ -0,0 +1,13 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: ImageRepository
+metadata:
+ annotations:
+ image-controller.appstudio.redhat.com/update-component-image: "true"
+ labels:
+ appstudio.redhat.com/application: serverless-operator-release-135
+ appstudio.redhat.com/component: net-istio-controller-115
+ name: net-istio-controller-115
+spec:
+ image:
+ name: serverless-operator-release-135/net-istio-controller
+ visibility: public
diff --git a/.konflux/applications/serverless-operator-135/components/imagerepositories/net-istio-webhook-115.yaml b/.konflux/applications/serverless-operator-135/components/imagerepositories/net-istio-webhook-115.yaml
new file mode 100755
index 0000000000..094d9c77c2
--- /dev/null
+++ b/.konflux/applications/serverless-operator-135/components/imagerepositories/net-istio-webhook-115.yaml
@@ -0,0 +1,13 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: ImageRepository
+metadata:
+ annotations:
+ image-controller.appstudio.redhat.com/update-component-image: "true"
+ labels:
+ appstudio.redhat.com/application: serverless-operator-release-135
+ appstudio.redhat.com/component: net-istio-webhook-115
+ name: net-istio-webhook-115
+spec:
+ image:
+ name: serverless-operator-release-135/net-istio-webhook
+ visibility: public
diff --git a/.konflux/applications/serverless-operator-135/components/net-istio-controller-115.yaml b/.konflux/applications/serverless-operator-135/components/net-istio-controller-115.yaml
new file mode 100755
index 0000000000..5b00106186
--- /dev/null
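Review bot: In imagerepositories/net-istio-controller-115.yaml the `appstudio.redhat.com/application` label and `spec.image.name` both use `serverless-operator-release-135`, while the Application and Components added in this commit are named `serverless-operator-135` and the PipelineRuns push to `.../ocp-serverless-tenant/serverless-operator-135/net-istio-controller`. If the image controller matches on that label or provisions the repository from `spec.image.name`, the repository it manages is not the one the builds write to; whichever name is intended, the two sides should agree, e.g. `appstudio.redhat.com/application: serverless-operator-135` and `name: serverless-operator-135/net-istio-controller`. `visibility: public` also makes every tag in the repository readable, including the `on-pr-` tags produced by pull-request builds, so it is worth confirming that is intended. imagerepositories/net-istio-webhook-115.yaml carries the same values.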
+++ b/.konflux/applications/serverless-operator-135/components/net-istio-controller-115.yaml
@@ -0,0 +1,21 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Component
+metadata:
+ annotations:
+ build.appstudio.openshift.io/pipeline: '{"name":"docker-build","bundle":"latest"}'
+ name: net-istio-controller-115
+spec:
+ componentName: net-istio-controller-115
+ application: serverless-operator-135
+
+ build-nudges-ref:
+
+ - "serverless-bundle-135"
+
+
+ source:
+ git:
+ url: https://github.com/openshift-knative/net-istio.git
+ context:
+ dockerfileUrl: openshift/ci-operator/knative-images/controller/Dockerfile
+ revision: release-v1.15
diff --git a/.konflux/applications/serverless-operator-135/components/net-istio-webhook-115.yaml b/.konflux/applications/serverless-operator-135/components/net-istio-webhook-115.yaml
new file mode 100755
index 0000000000..ba84de8271
--- /dev/null
+++ b/.konflux/applications/serverless-operator-135/components/net-istio-webhook-115.yaml
@@ -0,0 +1,21 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Component
+metadata:
+ annotations:
+ build.appstudio.openshift.io/pipeline: '{"name":"docker-build","bundle":"latest"}'
+ name: net-istio-webhook-115
+spec:
+ componentName: net-istio-webhook-115
+ application: serverless-operator-135
+
+ build-nudges-ref:
+
+ - "serverless-bundle-135"
+
+
+ source:
+ git:
+ url: https://github.com/openshift-knative/net-istio.git
+ context:
+ dockerfileUrl: openshift/ci-operator/knative-images/webhook/Dockerfile
+ revision: release-v1.15
diff --git a/.konflux/applications/serverless-operator-135/serverless-operator-135.yaml b/.konflux/applications/serverless-operator-135/serverless-operator-135.yaml
new file mode 100755
index 0000000000..a4b049641a
--- /dev/null
+++ b/.konflux/applications/serverless-operator-135/serverless-operator-135.yaml
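Review bot: The `build.appstudio.openshift.io/pipeline` annotation in components/net-istio-controller-115.yaml asks for `"bundle":"latest"`, a floating reference, whereas every task in `.tekton/docker-build.yaml` added by this commit is pinned by digest. If the build service uses this annotation to regenerate or update the pipeline definition, the result can drift from the reviewed copy, so a comment on that line would help: `# NOTE: "latest" is unpinned; the digest-pinned pipeline in .tekton/docker-build.yaml is the reviewed definition`. Separately, `context:` is left with an empty value, which YAML reads as null; write `context: ""` or drop the key if no sub-directory is meant (indentation is lost on this page, so this assumes `dockerfileUrl` is a sibling of `context` rather than its child). components/net-istio-webhook-115.yaml has the same two lines.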
@@ -0,0 +1,7 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Application
+metadata:
+ name: serverless-operator-135
+spec:
+ description: serverless-operator release-1.35
+ displayName: serverless-operator release-1.35
diff --git a/.tekton/docker-build.yaml b/.tekton/docker-build.yaml
new file mode 100755
index 0000000000..579f8fc4c3
--- /dev/null
+++ b/.tekton/docker-build.yaml
@@ -0,0 +1,451 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + creationTimestamp: null + labels: + pipelines.openshift.io/runtime: generic + pipelines.openshift.io/strategy: docker + pipelines.openshift.io/used-by: build-cloud + name: docker-build +spec: + description: | + This pipeline is ideal for building container images from a Containerfile while reducing network traffic. + + _Uses `buildah` to create a container image. It also optionally creates a source image and runs some build-time tests. EC will flag a violation for [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) if any tasks are added to the pipeline. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build?tab=tags)_ + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-image-index.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b + - name: kind + value: task + resolver: bundles + workspaces: + - name: workspace + workspace: workspace + params: + - default: [] + description: Additional image tags + name: additional-tags + type: array + - description: Source Repository URL + name: 
git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like 1h, + 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: apply-tags + params: + - name: ADDITIONAL_TAGS + value: $(params.additional-tags[*]) + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e6beb161ed59d7be26317da03e172137b31b26648d3e139558e9a457bc56caff + - name: kind + value: task + resolver: bundles + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:fd1fda0dcf53938860ae6fcba37f5572ae25ae02dba44c15754fb7ba7549fb5c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.prefetch-input) + operator: notin + values: + - "" + workspaces: + - name: source + workspace: workspace + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:a523f60203d90e149f96ec776b47ce85a7acfd6d634ddfc18f4a03f14e08ea0e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-image-index + params: + - name: 
IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:8619eabd7cf3340d1123afadac1f4296dc14472c8db0f774497748c762f46f33 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: 
image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1@sha256:baea4be429cf8d91f7c758378cea42819fe324f25a7f957bf9805409cab6d123 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.2@sha256:82c42d27c9c59db6cf6c235e89f7b37f5cdfc75d0d361ca0ee91ae703ba72301 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:0e61e7fce97b089b216eccd8390b1c2a265454c81c6630449e0f648dfcd4fcfe + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:92d63edd09636f97961ca18fac14b67935179d2c14b4a4d5f8087c614e8c2bd9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: workspace + workspace: workspace + workspaces: + - name: workspace + - name: git-auth + optional: true + - name: netrc + optional: true diff --git a/.tekton/net-istio-controller-115-pull-request.yaml b/.tekton/net-istio-controller-115-pull-request.yaml new file mode 100755 index 0000000000..2da4bd70da --- /dev/null +++ b/.tekton/net-istio-controller-115-pull-request.yaml 
@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/openshift-knative/net-istio?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+ == "release-v1.15"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: serverless-operator-135
+ appstudio.openshift.io/component: net-istio-controller-115
+ pipelines.appstudio.openshift.io/type: build
+ name: net-istio-controller-115-on-pull-request
+ namespace: ocp-serverless-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: openshift/ci-operator/knative-images/controller/Dockerfile
+ - name: build-args
+ value: [ VERSION=release-1.35, ]
+ - name: git-url
+ value: '{{source_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/redhat-user-workloads/ocp-serverless-tenant/serverless-operator-135/net-istio-controller:on-pr-{{revision}}
+ - name: revision
+ value: '{{revision}}'
+ pipelineRef:
+ name: docker-build
+ taskRunTemplate: {}
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/net-istio-controller-115-push.yaml b/.tekton/net-istio-controller-115-push.yaml
new file mode 100755
index 0000000000..c357faa5ad
--- /dev/null
+++ b/.tekton/net-istio-controller-115-push.yaml
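Review bot: The pull-request run in .tekton/net-istio-controller-115-pull-request.yaml mounts the `git-auth` secret and pushes `on-pr-{{revision}}` tags into the same `serverless-operator-135/net-istio-controller` repository that the push run uses for `release-1.35` and `latest`, so code from an unmerged PR builds with credentials that can write next to release tags. Pipelines-as-Code normally gates runs from non-collaborators behind an approval, but that setting is not visible on this page, so it should be confirmed on the Repository object and `.tekton/` treated as a protected path in review. A comment above the `git-auth` workspace would record the assumption: `# PR runs build unmerged code with this secret mounted; relies on PaC approval gating for external contributors`. The same applies to .tekton/net-istio-webhook-115-pull-request.yaml.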
@@ -0,0 +1,49 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/openshift-knative/net-istio?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+ == "release-v1.15"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: serverless-operator-135
+ appstudio.openshift.io/component: net-istio-controller-115
+ pipelines.appstudio.openshift.io/type: build
+ name: net-istio-controller-115-on-push
+ namespace: ocp-serverless-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: openshift/ci-operator/knative-images/controller/Dockerfile
+ - name: build-args
+ value: [ VERSION=release-1.35, ]
+ - name: git-url
+ value: '{{source_url}}'
+ - name: output-image
+ value: quay.io/redhat-user-workloads/ocp-serverless-tenant/serverless-operator-135/net-istio-controller:{{revision}}
+ - name: revision
+ value: '{{revision}}'
+ - name: additional-tags
+ value: [ release-1.35, latest, ]
+ pipelineRef:
+ name: docker-build
+ taskRunTemplate: {}
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/net-istio-webhook-115-pull-request.yaml b/.tekton/net-istio-webhook-115-pull-request.yaml
new file mode 100755
index 0000000000..a9d02dc464
--- /dev/null
+++ b/.tekton/net-istio-webhook-115-pull-request.yaml
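Review bot: The push run in .tekton/net-istio-controller-115-push.yaml builds the image that receives the `release-1.35` and `latest` tags without setting `hermetic`, `prefetch-input` or `build-source-image`, so it inherits the pipeline defaults (`"false"`, empty, `"false"`) and the release build runs with network access and produces no source image. If the Dockerfile builds from vendored sources, add `- name: hermetic` with `value: "true"` to `spec.params`, and `build-source-image` likewise; a release policy may require both, though none is visible on this page. `latest` in `additional-tags` is a mutable tag that moves on every push to `release-v1.15`, so consumers should resolve the `IMAGE_DIGEST` result rather than the tag. The same applies to .tekton/net-istio-webhook-115-push.yaml.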
@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/openshift-knative/net-istio?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+ == "release-v1.15"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: serverless-operator-135
+ appstudio.openshift.io/component: net-istio-webhook-115
+ pipelines.appstudio.openshift.io/type: build
+ name: net-istio-webhook-115-on-pull-request
+ namespace: ocp-serverless-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: openshift/ci-operator/knative-images/webhook/Dockerfile
+ - name: build-args
+ value: [ VERSION=release-1.35, ]
+ - name: git-url
+ value: '{{source_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/redhat-user-workloads/ocp-serverless-tenant/serverless-operator-135/net-istio-webhook:on-pr-{{revision}}
+ - name: revision
+ value: '{{revision}}'
+ pipelineRef:
+ name: docker-build
+ taskRunTemplate: {}
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/net-istio-webhook-115-push.yaml b/.tekton/net-istio-webhook-115-push.yaml
new file mode 100755
index 0000000000..5831f59adc
--- /dev/null
+++ b/.tekton/net-istio-webhook-115-push.yaml
@@ -0,0 +1,49 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/openshift-knative/net-istio?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+ == "release-v1.15"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: serverless-operator-135
+ appstudio.openshift.io/component: net-istio-webhook-115
+ pipelines.appstudio.openshift.io/type: build
+ name: net-istio-webhook-115-on-push
+ namespace: ocp-serverless-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: openshift/ci-operator/knative-images/webhook/Dockerfile
+ - name: build-args
+ value: [ VERSION=release-1.35, ]
+ - name: git-url
+ value: '{{source_url}}'
+ - name: output-image
+ value: quay.io/redhat-user-workloads/ocp-serverless-tenant/serverless-operator-135/net-istio-webhook:{{revision}}
+ - name: revision
+ value: '{{revision}}'
+ - name: additional-tags
+ value: [ release-1.35, latest, ]
+ pipelineRef:
+ name: docker-build
+ taskRunTemplate: {}
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'