
Commit 2d28200

arewm authored and JAVGan committed
slan-cuan-release: Derive all runtime params from snapshot and RPA data
Remove pnc-image, signing-key, trustify-api-url, and sso-token-url as required pipeline params. pnc-image is now extracted from the snapshot component image via a second collect-task-params step (collect-snapshot-params). signing-key and Trustify URLs are extracted from RPA data alongside the existing Pulp config. Assisted-by: Claude Code (Sonnet 4.6)
1 parent 25af5b4 commit 2d28200

2 files changed

Lines changed: 89 additions & 67 deletions


pipelines/managed/slan-cuan-release/README.md

Lines changed: 34 additions & 36 deletions
@@ -3,42 +3,40 @@
33
Release pipeline for Lightwell Java artifacts (slan-cuan).
44

55
This pipeline orchestrates the complete release workflow for Java artifacts built by
6-
PNC (Project Newcastle).
6+
PNC (Project Newcastle). All per-release configuration (image reference, signing key,
7+
Trustify URLs, Pulp target) is derived from the Snapshot and ReleasePlanAdmission data
8+
via collect-data, so no pipeline parameters need to be supplied at invocation time.
79

810
## Parameters
911

10-
| Name | Description | Optional | Default value |
11-
|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------|
12-
| release | The namespaced name (namespace/name) of the Release | No | - |
13-
| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - |
14-
| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - |
15-
| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - |
16-
| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - |
17-
| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty |
18-
| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d |
19-
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" |
20-
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
21-
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
22-
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
23-
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
24-
| catalogGitUrl | The url to the git repo where release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git |
25-
| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline |
26-
| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git |
27-
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
28-
| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - |
29-
| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth |
30-
| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false |
31-
| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - |
32-
| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config |
33-
| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com |
34-
| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout> | Yes | repository |
35-
| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan |
36-
| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" |
37-
| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - |
38-
| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/token | No | - |
39-
| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso |
40-
| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
41-
| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 |
42-
| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
43-
| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
44-
| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
12+
| Name | Description | Optional | Default value |
13+
|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------|
14+
| release | The namespaced name (namespace/name) of the Release | No | - |
15+
| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - |
16+
| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - |
17+
| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - |
18+
| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - |
19+
| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty |
20+
| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d |
21+
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" |
22+
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
23+
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
24+
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
25+
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
26+
| catalogGitUrl | The url to the git repo where release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git |
27+
| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline |
28+
| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git |
29+
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
30+
| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth |
31+
| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false |
32+
| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config |
33+
| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com |
34+
| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout> | Yes | repository |
35+
| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan |
36+
| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" |
37+
| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso |
38+
| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
39+
| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 |
40+
| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
41+
| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
42+
| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
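Review bot: the added intro paragraph says "no pipeline parameters need to be supplied at invocation time", but the table that follows it still marks release, releasePlan, releasePlanAdmission, releaseServiceConfig, snapshot and taskGitRevision as Optional = No, so the sentence contradicts the table; narrow it to something like "no per-release parameters beyond the standard release-service ones need to be supplied". The same paragraph replaces four documented inputs (pnc-image, signing-key, trustify-api-url, sso-token-url) with "derived from the Snapshot and ReleasePlanAdmission data via collect-data" without saying which Snapshot component the image is read from or which RPA data keys carry the signing key, the Trustify API URL and the token endpoint; without that, a reader of this README can no longer tell where to configure them, so a short "ReleasePlanAdmission data" section listing those fields (next to the existing Pulp config the commit message mentions) would close the gap. Worth stating explicitly in that section: the OIDC token endpoint is the URL the client-id/client-secret from sso-secret-name are sent to, and it now comes from RPA data rather than from a pipeline parameter, so the RPA is the trust anchor for where those credentials go and should be treated as security-sensitive configuration.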
