-
Notifications
You must be signed in to change notification settings - Fork 133
Expand file tree
/
Copy pathpublish-pyxis-repository.yaml
More file actions
207 lines (203 loc) · 7.74 KB
/
Copy pathpublish-pyxis-repository.yaml
File metadata and controls
207 lines (203 loc) · 7.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: publish-pyxis-repository
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
spec:
description: |-
Tekton task to mark all repositories in the mapped snapshot as published in Pyxis.
This is currently only meant to be used in the rh-push-to-registry-redhat-io
and rh-advisories pipelines.
It converts repository URLs to the registry and repository values used in Pyxis:
- Standard releases: e.g. "quay.io/redhat-prod/my-product----my-image" uses registry
"registry.access.redhat.com" and repository "my-product/my-image" in Pyxis.
- Flatpak releases: images pushed to quay.io/rh-flatpaks-prod/* or quay.io/rh-flatpaks-stage/*
use registry "flatpaks.registry.redhat.io" in Pyxis (for both prod and stage).
The task also optionally marks repositories as source_container_image_enabled true if
pushSourceContainer is true in the data JSON.
Additionally, this task respects the `publish-on-push` flag. If `false`, then the task
does not publish the repository.
The task emits a result: `signRegistryAccessPath`
This contains the relative path in the workspace to a text file that contains a list of
repositories that need registry.access.redhat.com image references to be signed (i.e.
requires_terms=true), one repository string per line, e.g. "rhtas/cosign-rhel9".
Only standard (non-flatpak) repositories are included; flatpak repos are never added.
Note: This task runs quite early on in the pipeline, because we need the result it produces
for the signing tasks (and `rh-direct-sign-image` runs quite early to begin with). So this means
that if you're releasing to a repo for the first time, the repository might get published
even before the actual image is pushed and published. But we checked with RHEC team and this
shouldn't cause any problems, because RHEC will ignore repos with no published images.
params:
- name: server
type: string
description: The server type to use. Options are 'production','production-internal,'stage-internal' and 'stage'
default: production
- name: pyxisSecret
type: string
description: |
The kubernetes secret to use to authenticate to Pyxis. It needs to contain two keys: key and cert
- name: snapshotPath
description: Path to the JSON file containing the mapped Snapshot spec in the data workspace
type: string
- name: dataPath
description: Path to the JSON string of the merged data to use in the data workspace
type: string
- name: resultsDirPath
description: Path to the results directory in the data workspace
type: string
- name: ociStorage
description: The OCI repository where the Trusted Artifacts are stored
type: string
default: "empty"
- name: ociArtifactExpiresAfter
description: Expiration date for the trusted artifacts created in the
OCI repository. An empty string means the artifacts do not expire
type: string
default: "1d"
- name: trustedArtifactsDebug
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable
type: string
default: ""
- name: orasOptions
description: oras options to pass to Trusted Artifacts calls
type: string
default: ""
- name: sourceDataArtifact
type: string
description: Location of trusted artifacts to be used to populate data directory
default: ""
- name: dataDir
description: The location where data will be stored
type: string
default: /var/workdir/release
- name: taskGitUrl
type: string
description: The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored
- name: taskGitRevision
type: string
description: The revision in the taskGitUrl repo to be used
- name: caTrustConfigMapName
type: string
description: The name of the ConfigMap to read CA bundle data from
default: trusted-ca
- name: caTrustConfigMapKey
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data
default: ca-bundle.crt
results:
- name: signRegistryAccessPath
type: string
description: |
The relative path in the workspace to a text file that contains a list of repositories
that needs registry.access.redhat.com image references to be signed (i.e.
requires_terms=true), one repository string per line, e.g. "rhtas/cosign-rhel9".
- description: Produced trusted data artifact
name: sourceDataArtifact
type: string
volumes:
- name: workdir
emptyDir: {}
- name: pyxis-secret-vol
secret:
secretName: $(params.pyxisSecret)
defaultMode: 0444
- name: trusted-ca
configMap:
name: $(params.caTrustConfigMapName)
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
optional: true
stepTemplate:
volumeMounts:
- mountPath: /var/workdir
name: workdir
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
env:
- name: IMAGE_EXPIRES_AFTER
value: $(params.ociArtifactExpiresAfter)
- name: "ORAS_OPTIONS"
value: "$(params.orasOptions)"
- name: "DEBUG"
value: "$(params.trustedArtifactsDebug)"
securityContext:
runAsUser: 1001
steps:
- name: use-trusted-artifact
computeResources:
limits:
memory: 64Mi
requests:
memory: 64Mi
cpu: 30m
ref:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: stepactions/use-trusted-artifact/use-trusted-artifact.yaml
params:
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(params.sourceDataArtifact)
- name: publish-pyxis-repository
image: quay.io/konflux-ci/release-service-utils@sha256:0500c0e70b08ee3371ceac717d78436cfcb621ca1545b0f91081db19f223cd6f
computeResources:
limits:
memory: 128Mi
requests:
memory: 128Mi
cpu: 450m
volumeMounts:
- name: pyxis-secret-vol
mountPath: "/etc/secrets"
env:
- name: PYXIS_SECRET_MOUNT
value: /etc/secrets
- name: PARAM_DATA_DIR
value: $(params.dataDir)
- name: PARAM_SNAPSHOT_PATH
value: $(params.snapshotPath)
- name: PARAM_DATA_PATH
value: $(params.dataPath)
- name: PARAM_RESULTS_DIR_PATH
value: $(params.resultsDirPath)
- name: PARAM_SERVER
value: $(params.server)
- name: RESULT_SIGN_REGISTRY_ACCESS_PATH
value: $(results.signRegistryAccessPath.path)
- name: TASK_NAME
value: $(context.task.name)
command: ["/home/scripts/python/tasks/managed/publish_pyxis_repository.py"]
- name: create-trusted-artifact
computeResources:
limits:
memory: 128Mi
requests:
memory: 128Mi
cpu: 250m
ref:
resolver: "git"
params:
- name: url
value: "$(params.taskGitUrl)"
- name: revision
value: "$(params.taskGitRevision)"
- name: pathInRepo
value: stepactions/create-trusted-artifact/create-trusted-artifact.yaml
params:
- name: ociStorage
value: $(params.ociStorage)
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(results.sourceDataArtifact.path)