3 | 3 | Release pipeline for Lightwell Java artifacts (slan-cuan). |
4 | 4 |
5 | 5 | This pipeline orchestrates the complete release workflow for Java artifacts built by |
6 | | -PNC (Project Newcastle). |
| 6 | +PNC (Project Newcastle). All per-release configuration (image reference, signing key, |
| 7 | +Trustify URLs, Pulp target) is derived from the Snapshot and ReleasePlanAdmission data |
| 8 | +via collect-data, so no pipeline parameters need to be supplied at invocation time. |
7 | 9 |
8 | 10 | ## Parameters |
9 | 11 |
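Review bot: the added sentence on new line 9 ("no pipeline parameters need to be supplied at invocation time") contradicts the Parameters table that follows, which still marks release, releasePlan, releasePlanAdmission, releaseServiceConfig, snapshot and taskGitRevision as required (Optional = No); say "no per-release parameters" or "none beyond the standard release-service parameters" instead. Because the signing key, the Trustify URLs and the Pulp target are now taken from "the Snapshot and ReleasePlanAdmission data via collect-data" rather than from explicit inputs, this paragraph should also state which of those values are read from the ReleasePlanAdmission and which, if any, from the Snapshot: the Snapshot originates from the tenant's build, and a reader reviewing this pipeline needs to see from the README that a Snapshot cannot select the RADAS signing key or redirect SBOM registration to a different Trustify instance.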
10 | | -| Name | Description | Optional | Default value | |
11 | | -|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| |
12 | | -| release | The namespaced name (namespace/name) of the Release | No | - | |
13 | | -| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - | |
14 | | -| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - | |
15 | | -| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - | |
16 | | -| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - | |
17 | | -| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty | |
18 | | -| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d | |
19 | | -| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" | |
20 | | -| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" | |
21 | | -| dataDir | The location where data will be stored | Yes | /var/workdir/release | |
22 | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca | |
23 | | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt | |
24 | | -| catalogGitUrl | The url to the git repo where release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git | |
25 | | -| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline | |
26 | | -| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git | |
27 | | -| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | |
28 | | -| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - | |
29 | | -| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | |
30 | | -| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | |
31 | | -| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - | |
32 | | -| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | |
33 | | -| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com | |
34 | | -| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout> | Yes | repository | |
35 | | -| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | |
36 | | -| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | |
37 | | -| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - | |
38 | | -| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/token | No | - | |
39 | | -| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | |
40 | | -| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | |
41 | | -| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | |
42 | | -| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | |
43 | | -| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | |
44 | | -| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | |
| 12 | +| Name | Description | Optional | Default value | |
| 13 | +|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| |
| 14 | +| release | The namespaced name (namespace/name) of the Release | No | - | |
| 15 | +| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - | |
| 16 | +| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - | |
| 17 | +| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - | |
| 18 | +| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - | |
| 19 | +| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty | |
| 20 | +| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d | |
| 21 | +| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" | |
| 22 | +| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" | |
| 23 | +| dataDir | The location where data will be stored | Yes | /var/workdir/release | |
| 24 | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca | |
| 25 | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt | |
| 26 | +| catalogGitUrl | The url to the git repo where release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git | |
| 27 | +| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline | |
| 28 | +| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git | |
| 29 | +| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | |
| 30 | +| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | |
| 31 | +| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | |
| 32 | +| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | |
| 33 | +| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com | |
| 34 | +| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/<maven-layout> | Yes | repository | |
| 35 | +| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | |
| 36 | +| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | |
| 37 | +| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | |
| 38 | +| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | |
| 39 | +| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | |
| 40 | +| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | |
| 41 | +| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | |
| 42 | +| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | |
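Review bot: deleting the pnc-image, signing-key, trustify-api-url and sso-token-url rows removes the only documentation of the expected form of those values, in particular that the PNC image reference is digest-pinned (`quay.io/pnc-builds/foo@sha256:xyz`) and that sso-token-url is the OIDC token endpoint used for the client-credentials flow that `sso-secret-name` still refers to; add a short list after the table of the values collect-data derives from the Snapshot and ReleasePlanAdmission, with the expected form of each, so that the digest-rather-than-tag expectation does not silently disappear from the docs. Separately, the retained defaults `catalogGitUrl = https://github.com/arewm/release-service-catalog.git` and `catalogGitRevision = lightwell-pipeline` fetch the catalog tasks from a personal fork at a mutable branch name, and those tasks run with the credentials referenced by `registry-auth-secret` and `radas-config-secret`; pin catalogGitRevision (and taskGitRevision, which has no default) to a commit SHA or tag in any example invocation, or state that these defaults are for development only.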