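---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: push-artifacts-to-cdn-task
  annotations:
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/tags: release
spec:
  description: |-
    Tekton task to push artifacts to the Customer Portal using Pulp and optionally to
    the Developer Portal using exodus-rsync with optional signing. It uses logic based
    on the snapshot data to determine which targets to publish to: if components contain
    both `staged` and `contentGateway` data, artifacts are pushed to the Customer Portal
    (Pulp) and to CGW; if components contain `staged` data only, artifacts are
    pushed to the Customer Portal (Pulp); if components contain `contentGateway`
    data only, artifacts are pushed to the Developer Portal (exodus-rsync) and CGW.
  params:
    - name: snapshot_json
      type: string
      description: String containing a JSON representation of the snapshot spec
    - name: concurrentLimit
      type: string
      description: The maximum number of images to be pulled at once
      # Quoted so the default is a string like the declared type (and like
      # certExpirationWarnDays below) rather than a YAML integer.
      default: "3"
    # signing params start here
    - name: author
      type: string
      description: Author taken from Release to be used for checksum signing
    - name: signingKeyName
      type: string
      description: Signing key name to be used for checksum signing
    - name: quayURL
      type: string
      description: Quay URL of the repo where content will be shared between tasks
      default: quay.io/konflux-artifacts
    - name: quaySecret
      type: string
      description: Secret to interact with Quay
      default: quay-credentials
    - name: windowsCredentials
      type: string
      description: Secret to interact with the Windows signing host
      default: windows-credentials
    - name: windowsSSHKey
      type: string
      description: Secret containing SSH private key for the Windows signing host
      default: windows-ssh-key
    - name: macHostCredentials
      type: string
      description: Secret to interact with the Mac signing host
      default: mac-host-credentials
    - name: macSigningCredentials
      type: string
      description: Secret to interact with the Mac signing utils
      default: mac-signing-credentials
    - name: macSSHKey
      type: string
      description: Secret containing SSH private key for the Mac signing host
      default: mac-ssh-key
    - name: checksumCredentials
      type: string
      description: Secret containing the keytab, user, host, and fingerprint for the checksum host
      default: checksum-credentials
    - name: kerberosRealm
      type: string
      description: Kerberos realm for the checksum host
      default: IPA.REDHAT.COM
    # cdn params start here
    - name: exodusGwSecret
      type: string
      description: Env specific secret containing the Exodus Gateway configs
    - name: exodusGwEnv
      type: string
      # Not validated here; an unexpected value is only caught by the script at runtime.
      description: Environment to use in the Exodus Gateway. Options are [live, pre]
    - name: pulpSecret
      type: string
      description: Env specific secret containing the rhsm-pulp credentials
    - name: udcacheSecret
      type: string
      description: Env specific secret containing the udcache credentials
    - name: cgwHostname
      type: string
      description: Env specific hostname for content gateway
    - name: cgwSecret
      type: string
      description: Env specific secret containing the content gateway credentials
    - name: caTrustConfigMapName
      type: string
      description: The name of the ConfigMap to read CA bundle data from
      default: trusted-ca
    - name: caTrustConfigMapKey
      type: string
      description: The name of the key in the ConfigMap that contains the CA bundle data
      default: ca-bundle.crt
    - name: certExpirationWarnDays
      type: string
      description: Number of days before expiration to warn about certificate expiration
      default: "7"
    - name: trustedArtifactsDockerConfigSecret
      type: string
      description: The name of the secret that contains dockerconfig json for trusted artifact operations
      default: quay-token-konflux-release-trusted-artifacts-secret
  results:
    - name: result
      description: Success if the task succeeds, the error otherwise
    - name: checksum_map
      description: OCI artifact reference containing checksum map JSON for advisory PURL updates
    - name: publishedFiles
      description: List of published files
  volumes:
    - name: shared-dir
      emptyDir: {}
    # All secret volumes use defaultMode 0444 so the non-root step user (runAsUser 1001,
    # no fsGroup set on this Task) can read root-owned secret files. The value is a
    # YAML 1.1 octal literal (292 decimal); a YAML 1.2 parser would read it as decimal
    # 444, so do not reformat it without switching to an unambiguous form.
    # NOTE(review): OpenSSH refuses a private key readable by group/other, so the SSH
    # keys below are presumably copied to a private file by the script — confirm.
    - name: mac-ssh-key-vol
      secret:
        # Previously hard-coded to mac-ssh-key, which silently ignored the macSSHKey
        # param; the param default is the same name, so existing callers are unaffected.
        secretName: $(params.macSSHKey)
        defaultMode: 0444
    - name: windows-ssh-key-vol
      secret:
        # Same fix as above for the windowsSSHKey param.
        secretName: $(params.windowsSSHKey)
        defaultMode: 0444
    - name: checksum-credentials-vol
      secret:
        secretName: $(params.checksumCredentials)
        defaultMode: 0444
    - name: redhat-workloads-token
      # Not parameterised: the secret name is fixed by the task.
      secret:
        secretName: redhat-workloads-token
        defaultMode: 0444
    - name: quay-secret
      secret:
        secretName: $(params.quaySecret)
        defaultMode: 0444
    - name: mac-host-credentials
      secret:
        secretName: $(params.macHostCredentials)
        defaultMode: 0444
    - name: mac-signing-credentials
      secret:
        secretName: $(params.macSigningCredentials)
        defaultMode: 0444
    - name: windows-credentials
      secret:
        secretName: $(params.windowsCredentials)
        defaultMode: 0444
    - name: exodus-gw-secret
      secret:
        secretName: $(params.exodusGwSecret)
        defaultMode: 0444
    - name: pulp-secret
      secret:
        secretName: $(params.pulpSecret)
        defaultMode: 0444
    - name: udcache-secret
      secret:
        secretName: $(params.udcacheSecret)
        defaultMode: 0444
    - name: cgw-secret
      secret:
        secretName: $(params.cgwSecret)
        defaultMode: 0444
    - name: trusted-artifacts-dockerconfig-secret
      secret:
        # optional: the step must tolerate an empty mount when the secret is absent.
        optional: true
        secretName: $(params.trustedArtifactsDockerConfigSecret)
        defaultMode: 0444
    - name: trusted-ca
      configMap:
        name: $(params.caTrustConfigMapName)
        items:
          - key: $(params.caTrustConfigMapKey)
            path: ca-bundle.crt
        optional: true
  stepTemplate:
    volumeMounts:
      - name: trusted-ca
        mountPath: /mnt/trusted-ca
        readOnly: true
  steps:
    - name: push-artifacts-to-cdn
      # TODO(RELEASE-2460): temporary image from PR #833 branch; replace with the released
      # quay.io/konflux-ci/release-service-utils digest once PR #833 is merged and published.
      image: quay.io/redhat-user-workloads/rhtap-release-2-tenant/release-service-utils-standalone@sha256:2958c29f7ebd57fe7ca54724bbc5f883946c7b4f92ed1fca810d57072fde87f0
      securityContext:
        runAsUser: 1001
      computeResources:
        limits:
          memory: 512Mi
        requests:
          memory: 512Mi
          cpu: 500m
      volumeMounts:
        - name: shared-dir
          mountPath: /shared
        - name: redhat-workloads-token
          mountPath: /mnt/redhat-workloads-token
        - name: quay-secret
          mountPath: /mnt/quaySecret
        - name: mac-ssh-key-vol
          mountPath: /mnt/secrets/mac
        - name: mac-host-credentials
          mountPath: /mnt/macHostCredentials
        - name: mac-signing-credentials
          mountPath: /mnt/macSigningCredentials
        - name: windows-ssh-key-vol
          mountPath: /mnt/secrets/windows
        - name: windows-credentials
          mountPath: /mnt/windowsCredentials
        - name: checksum-credentials-vol
          mountPath: /mnt/checksum_credentials
        - name: exodus-gw-secret
          mountPath: /mnt/exodusGwSecret
        - name: pulp-secret
          mountPath: /mnt/pulpSecret
        - name: udcache-secret
          mountPath: /mnt/udcacheSecret
        - name: cgw-secret
          mountPath: /mnt/cgwSecret
        - name: trusted-artifacts-dockerconfig-secret
          mountPath: /mnt/trusted_artifacts_dockerconfig
      env:
        - name: SNAPSHOT_JSON
          value: "$(params.snapshot_json)"
        - name: AUTHOR
          value: $(params.author)
        - name: SIGNING_KEY_NAME
          value: $(params.signingKeyName)
        # Must match the mountPaths of mac-ssh-key-vol / windows-ssh-key-vol above.
        - name: MAC_SSH_KEY_MOUNT
          value: /mnt/secrets/mac
        - name: WINDOWS_SSH_KEY_MOUNT
          value: /mnt/secrets/windows
        # NOTE(review): this points at the system bundle, while the custom CA from the
        # trusted-ca ConfigMap is mounted at /mnt/trusted-ca/ca-bundle.crt; presumably the
        # script merges it into the system bundle before making TLS requests — confirm.
        - name: REQUESTS_CA_BUNDLE
          value: /etc/pki/tls/certs/ca-bundle.crt
        - name: HOME
          value: /tekton/home
        - name: RESULT_RESULT
          value: $(results.result.path)
        - name: RESULT_CHECKSUM_MAP
          value: $(results.checksum_map.path)
        - name: RESULT_PUBLISHED_FILES
          value: $(results.publishedFiles.path)
      command:
        - python3
      args:
        - -u
        - /home/scripts/python/tasks/internal/push_artifacts_to_cdn.py
        - --concurrent-limit
        - $(params.concurrentLimit)
        - --quay-url
        - $(params.quayURL)
        # The flag is named pipeline-run-uid but receives the TaskRun uid; presumably
        # used only as a unique suffix for shared Quay content — confirm against the script.
        - --pipeline-run-uid
        - $(context.taskRun.uid)
        - --kerberos-realm
        - $(params.kerberosRealm)
        - --exodus-gw-env
        - $(params.exodusGwEnv)
        - --cgw-hostname
        - $(params.cgwHostname)
        - --cert-expiration-warn-days
        - $(params.certExpirationWarnDays)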