From d2db96b91bfa0432a38deac0328dd67220b52468 Mon Sep 17 00:00:00 2001 From: Bruno Pimentel Date: Wed, 24 Jun 2026 16:14:50 +0200 Subject: [PATCH 1/7] Create the release pipeline for Lightwell Java artifacts This pipeline will be used in Konflux for the releasing of the Java artifacts. The necessary tasks, however, will be hosted in the dedicated Slan-Cuan repository, since they have a tight coupling with the CLI tool that is also built from this repository. Assisted-by: Claude Sonnet 4.5 Signed-off-by: Bruno Pimentel --- pipelines/managed/slan-cuan-release/README.md | 85 ++++++ .../slan-cuan-release/slan-cuan-release.yaml | 282 ++++++++++++++++++ 2 files changed, 367 insertions(+) create mode 100644 pipelines/managed/slan-cuan-release/README.md create mode 100644 pipelines/managed/slan-cuan-release/slan-cuan-release.yaml diff --git a/pipelines/managed/slan-cuan-release/README.md b/pipelines/managed/slan-cuan-release/README.md new file mode 100644 index 0000000000..0d764c077d --- /dev/null +++ b/pipelines/managed/slan-cuan-release/README.md 
@@ -0,0 +1,85 @@ +# slan-cuan-release pipeline + +Release pipeline for Lightwell Java artifacts (slan-cuan). + +This pipeline orchestrates the complete release workflow for Java artifacts built by +PNC (Project Newcastle): + +1. **Extract** -- Pull artifacts from PNC container image +2. **Sign** -- Cryptographically sign artifacts using RADAS +3. **Register** -- Upload SBOMs to Trustify for CVE tracking +4. **Publish** -- Push signed artifacts to Pulp for distribution + +## Workflow Topology + +The pipeline executes tasks in strict sequential order: + +``` +extract → sign → register → publish +``` + +Each task waits for its predecessor via `runAfter` dependencies. Data flows through +a shared workspace that persists the artifact directory across all stages. + +## Workspaces + +The pipeline requires a single shared workspace (`shared-workspace`) for artifact passing +between tasks. All tasks mount this workspace at `/var/workdir`. + +Workspace binding options: +- **PersistentVolumeClaim** -- For traditional Konflux pipelines +- **Trusted Artifacts** -- Wrap tasks with use-trusted-artifact/create-trusted-artifact +- **emptyDir** -- For ephemeral single-node execution (testing only) + +## Results + +The pipeline propagates key results from individual tasks for downstream consumption +and Enterprise Contract policy evaluation: + +- `manifest-digest` -- OCI manifest digest of the extracted PNC image +- `deliverable-dir` -- Name of the deliverable directory +- `sbom-urn` -- URN of the SBOM registered in Trustify +- `artifacts-uploaded` -- Number of artifacts uploaded to Pulp +- `artifacts-skipped` -- Number of artifacts skipped during upload +- `published-artifact-outputs` -- JSON object for Tekton Chains SLSA provenance + +The `published-artifact-outputs` result contains `uri` and `digest` keys. The +`-ARTIFACT_OUTPUTS` suffix triggers Tekton Chains to generate SLSA provenance +attestations for the published artifacts. 
+ +## Required Kubernetes Secrets + +Create these Kubernetes Secrets before running the pipeline: + +- `registry-auth` (.dockerconfigjson) -- Docker/Podman registry authentication +- `radas-config` (Opaque) -- RADAS configuration JSON in `config.json` key +- `trustify-sso` (Opaque) -- OIDC credentials (`client-id`, `client-secret` keys) +- Custom CA certs (Opaque, optional) -- `ca.crt` key for register/publish tasks + +Secret names are configurable via pipeline parameters. + +## Parameters + +| Name | Description | Optional | Default value | +|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------| +| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git | +| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | +| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - | +| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | +| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | +| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - | +| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. 
The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | +| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@example.com | +| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is / | Yes | repository | +| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | +| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | +| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - | +| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/realms/token +| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | +| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | +| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | +| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | +| pulp-url | Pulp instance base URL. The base URL for the Pulp content management system. Example: https://pulp.example.com | No | - | +| pulp-repository | Pulp Maven distribution name. 
The name of the target Pulp repository for artifact publishing. Example: lightwell-maven | No | - | +| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | +| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | diff --git a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml new file mode 100644 index 0000000000..b70cdada3d --- /dev/null +++ b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml 
@@ -0,0 +1,282 @@ +--- +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: slan-cuan-release + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/displayName: "slan-cuan: Release Pipeline" + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/platforms: "linux/amd64" + tekton.dev/tags: "release,maven,lightwell" +spec: + description: | + Release pipeline for Lightwell Java artifacts (slan-cuan). + + This pipeline orchestrates the complete release workflow for Java artifacts built by + PNC (Project Newcastle). + params: + # Pipeline infrastructure + - name: taskGitUrl + type: string + description: The url to the git repo where the tasks to be used are stored + default: https://github.com/konflux-lightwell/slan-cuan.git + - name: taskGitRevision + type: string + description: The revision in the taskGitUrl repo to be used + + # Extract parameters + - name: pnc-image + description: | + PNC container image reference to extract artifacts from. + This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. + Example: quay.io/pnc-builds/foo@sha256:xyz + type: string + - name: registry-auth-secret + description: | + Kubernetes Secret name for registry authentication (.dockerconfigjson format). + Points to a Docker/Podman auth config for accessing private registries + type: string + default: "registry-auth" + - name: force-extract + description: | + Overwrite existing output directory if it exists. + Without this flag, the extract task refuses to overwrite existing directories + type: string + default: "false" + + # Sign parameters + - name: signing-key + description: | + Signing key name for RADAS. + Identifies which signing key to use for cryptographic signatures + type: string + - name: radas-config-secret + description: | + Kubernetes Secret name containing RADAS configuration JSON. 
+ The secret must have a `config.json` key with RADAS API URL and credentials + type: string + default: "radas-config" + - name: requester-id + description: | + Requester identity for signing operations. + Used for audit trails and RADAS access control. Typically an email address + type: string + default: "slan-cuan@org.com" + - name: zip-root-path + description: | + Root of the Maven repository tree inside the ZIP archive submitted to RADAS. + The ZIP file structure is / + type: string + default: "repository" + - name: product-key + description: | + Product key for metadata tagging. + Identifies the product in RADAS records and signing logs + type: string + default: "slan-cuan" + - name: ignore-patterns + description: | + Comma-separated regex patterns to exclude files from signing. + Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs + type: string + default: "" + + # Register parameters + - name: trustify-api-url + description: | + Trustify instance API URL. + The base URL for the Trustify (TPA) SBOM ingestion API. + Example: https://trustify.stage.example.com + type: string + - name: sso-token-url + description: | + OIDC token endpoint URL. + The OAuth2/OIDC token endpoint for Trustify authentication. + Example: https://sso.example.com/auth/token + type: string + - name: sso-secret-name + description: | + Kubernetes Secret name with OIDC credentials. + The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow + type: string + default: "trustify-sso" + - name: register-insecure + description: | + Disable TLS verification for Trustify API calls. + Set to "true" to skip certificate validation (not recommended for production) + type: string + default: "false" + - name: register-retries + description: | + Number of retry attempts for Trustify API calls. 
+ The task will retry failed API calls this many times before giving up + type: string + default: "3" + - name: register-ca-cert-secret + description: | + Kubernetes Secret name for custom CA certificate (optional). + The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. + Leave empty to use system CA bundle + type: string + default: "" + + # Publish parameters + - name: pulp-url + description: | + Pulp instance base URL. + The base URL for the Pulp content management system. + Example: https://pulp.example.com + type: string + - name: pulp-repository + description: | + Pulp Maven distribution name. + The name of the target Pulp repository for artifact publishing. + Example: lightwell-maven + type: string + - name: publish-insecure + description: | + Disable TLS verification for Pulp API calls. + Set to "true" to skip certificate validation (not recommended for production) + type: string + default: "false" + - name: publish-ca-cert-secret + description: | + Kubernetes Secret name for custom CA certificate (optional). + The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. + Leave empty to use system CA bundle + type: string + default: "" + + results: + - name: manifest-digest + description: OCI manifest digest of the extracted image. + value: $(tasks.extract.results.MANIFEST_DIGEST) + - name: deliverable-dir + description: Name of the deliverable directory inside the artifact. + value: $(tasks.extract.results.DELIVERABLE_DIR) + - name: sbom-urn + description: URN of the SBOM registered in Trustify. + value: $(tasks.register.results.SBOM_URN) + - name: artifacts-uploaded + description: Number of artifacts uploaded to Pulp. + value: $(tasks.publish.results.ARTIFACTS_UPLOADED) + - name: artifacts-skipped + description: Number of artifacts skipped during upload. + value: $(tasks.publish.results.ARTIFACTS_SKIPPED) + - name: published-artifact-outputs + description: JSON object for Tekton Chains SLSA provenance. 
+ type: object + value: $(tasks.publish.results.PUBLISHED_ARTIFACT_OUTPUTS) + + workspaces: + - name: shared-workspace + description: Shared workspace for artifact processing across tasks. + + tasks: + - name: extract + taskRef: + resolver: "git" + params: + - name: url + value: $(params.taskGitUrl) + - name: revision + value: $(params.taskGitRevision) + - name: pathInRepo + value: tasks/managed/slan-cuan-extract/slan-cuan-extract.yaml + params: + - name: IMAGE + value: $(params.pnc-image) + - name: REGISTRY_AUTH_SECRET + value: $(params.registry-auth-secret) + - name: FORCE + value: $(params.force-extract) + workspaces: + - name: workdir + workspace: shared-workspace + + - name: sign + taskRef: + resolver: "git" + params: + - name: url + value: $(params.taskGitUrl) + - name: revision + value: $(params.taskGitRevision) + - name: pathInRepo + value: tasks/managed/slan-cuan-sign/slan-cuan-sign.yaml + runAfter: + - extract + params: + - name: REPO_URL + value: $(params.pnc-image) + - name: SIGNING_KEY + value: $(params.signing-key) + - name: RADAS_CONFIG_SECRET + value: $(params.radas-config-secret) + - name: REQUESTER_ID + value: $(params.requester-id) + - name: ZIP_ROOT_PATH + value: $(params.zip-root-path) + - name: PRODUCT_KEY + value: $(params.product-key) + - name: IGNORE_PATTERNS + value: $(params.ignore-patterns) + workspaces: + - name: workdir + workspace: shared-workspace + + - name: register + taskRef: + resolver: "git" + params: + - name: url + value: $(params.taskGitUrl) + - name: revision + value: $(params.taskGitRevision) + - name: pathInRepo + value: tasks/managed/slan-cuan-register/slan-cuan-register.yaml + runAfter: + - sign + params: + - name: TRUSTIFY_API_URL + value: $(params.trustify-api-url) + - name: SSO_TOKEN_URL + value: $(params.sso-token-url) + - name: SSO_SECRET_NAME + value: $(params.sso-secret-name) + - name: INSECURE + value: $(params.register-insecure) + - name: RETRIES + value: $(params.register-retries) + - name: CA_CERT_SECRET + 
value: $(params.register-ca-cert-secret) + workspaces: + - name: workdir + workspace: shared-workspace + + - name: publish + taskRef: + resolver: "git" + params: + - name: url + value: $(params.taskGitUrl) + - name: revision + value: $(params.taskGitRevision) + - name: pathInRepo + value: tasks/managed/slan-cuan-publish/slan-cuan-publish.yaml + runAfter: + - register + params: + - name: PULP_URL + value: $(params.pulp-url) + - name: PULP_REPOSITORY + value: $(params.pulp-repository) + - name: INSECURE + value: $(params.publish-insecure) + - name: CA_CERT_SECRET + value: $(params.publish-ca-cert-secret) + workspaces: + - name: workdir + workspace: shared-workspace From 047ec228dcc39dca7be052cf03931850288b1c84 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 24 Jun 2026 14:00:12 -0400 Subject: [PATCH 2/7] slan-cuan-release: Derive pulp-url and pulp-repository from RPA data via collect-data Replace static pipeline params with dynamic extraction from RPA data blob. Uses collect-data and collect-task-params tasks resolved from catalogGitUrl to enable Trusted Artifacts handoff between pipeline stages. Assisted-by: Claude Code (Sonnet 4.6) --- .../slan-cuan-release/slan-cuan-release.yaml | 162 ++++++++++++++++-- 1 file changed, 146 insertions(+), 16 deletions(-) diff --git a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml index b70cdada3d..c256d5a12e 100644 --- a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml +++ b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml 
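Review bot: The pipeline-level result `published-artifact-outputs` at the end of `results:` does not carry the `ARTIFACT_OUTPUTS` suffix that the README says Tekton Chains keys on; only the task result `PUBLISHED_ARTIFACT_OUTPUTS` it forwards does, so if provenance is generated at the PipelineRun level rather than per TaskRun this result will, as far as I can tell, be ignored. Either rename it, e.g. `- name: PUBLISHED_ARTIFACT_OUTPUTS`, or state in its description that SLSA provenance is attached to the publish TaskRun only. In the `sign` task, `REPO_URL` is wired to `$(params.pnc-image)`, the same image reference `extract` receives as `IMAGE`; unless the sign task really expects an OCI reference under that name this looks like the wrong value, and a comment such as `# REPO_URL receives the PNC image reference, not a Maven repository URL` would at least make the intent explicit. Since `taskGitRevision` is consumed by the git resolver for every task that signs, registers and publishes the artifacts, its description should also say that a commit SHA rather than a branch name is expected, otherwise the code producing the attestations is itself fetched from a mutable ref.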
@@ -17,10 +17,65 @@ spec: This pipeline orchestrates the complete release workflow for Java artifacts built by PNC (Project Newcastle). params: - # Pipeline infrastructure + # Release service standard params (passed by release-service controller) + - name: release + type: string + description: The namespaced name (namespace/name) of the Release + - name: releasePlan + type: string + description: The namespaced name (namespace/name) of the ReleasePlan + - name: releasePlanAdmission + type: string + description: The namespaced name (namespace/name) of the ReleasePlanAdmission + - name: releaseServiceConfig + type: string + description: The namespaced name (namespace/name) of the ReleaseServiceConfig + - name: snapshot + type: string + description: The namespaced name (namespace/name) of the Snapshot + - name: ociStorage + type: string + description: The OCI repository where Trusted Artifacts are stored + default: "empty" + - name: ociArtifactExpiresAfter + type: string + description: Expiration date for trusted artifacts created in the OCI repository + default: "1d" + - name: trustedArtifactsDebug + type: string + description: Flag to enable debug logging in trusted artifacts + default: "" + - name: orasOptions + type: string + description: oras options to pass to Trusted Artifacts calls + default: "" + - name: dataDir + type: string + description: The location where data will be stored + default: "/var/workdir/release" + - name: caTrustConfigMapName + type: string + description: The name of the ConfigMap to read CA bundle data from + default: "trusted-ca" + - name: caTrustConfigMapKey + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data + default: "ca-bundle.crt" + + # Catalog git params — for release-service-catalog tasks (collect-data, collect-task-params) + - name: catalogGitUrl + type: string + description: The url to the git repo where release-service-catalog tasks are stored + default: 
https://github.com/arewm/release-service-catalog.git + - name: catalogGitRevision + type: string + description: The revision in the catalogGitUrl repo to be used + default: lightwell-pipeline + + # Pipeline infrastructure — for slan-cuan domain-specific tasks - name: taskGitUrl type: string - description: The url to the git repo where the tasks to be used are stored + description: The url to the git repo where the slan-cuan tasks are stored default: https://github.com/konflux-lightwell/slan-cuan.git - name: taskGitRevision type: string @@ -123,18 +178,6 @@ spec: default: "" # Publish parameters - - name: pulp-url - description: | - Pulp instance base URL. - The base URL for the Pulp content management system. - Example: https://pulp.example.com - type: string - - name: pulp-repository - description: | - Pulp Maven distribution name. - The name of the target Pulp repository for artifact publishing. - Example: lightwell-maven - type: string - name: publish-insecure description: | Disable TLS verification for Pulp API calls. 
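Review bot: The new `catalogGitUrl` and `catalogGitRevision` defaults point the git resolver at a personal fork (`https://github.com/arewm/release-service-catalog.git`) on a branch named `lightwell-pipeline`, so by default a release pipeline that signs and publishes artifacts pulls `collect-data` and `collect-task-params` from a mutable ref outside the project's control. If this is a temporary arrangement until that branch merges, say so on the parameter, e.g. `description: Temporary fork; switch to konflux-ci/release-service-catalog and a pinned revision once merged`; otherwise the defaults should be the canonical repository and an immutable revision. The `dataDir` default `/var/workdir/release` also assumes the collect tasks see the same `/var/workdir` that the slan-cuan tasks mount `shared-workspace` at; a one-line comment noting that coupling would help the next maintainer.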
@@ -175,6 +218,90 @@ spec: description: Shared workspace for artifact processing across tasks. tasks: + - name: collect-data + taskRef: + resolver: "git" + params: + - name: url + value: $(params.catalogGitUrl) + - name: revision + value: $(params.catalogGitRevision) + - name: pathInRepo + value: tasks/managed/collect-data/collect-data.yaml + params: + - name: release + value: $(params.release) + - name: releasePlan + value: $(params.releasePlan) + - name: releasePlanAdmission + value: $(params.releasePlanAdmission) + - name: releaseServiceConfig + value: $(params.releaseServiceConfig) + - name: snapshot + value: $(params.snapshot) + - name: subdirectory + value: $(context.pipelineRun.uid) + - name: ociStorage + value: $(params.ociStorage) + - name: ociArtifactExpiresAfter + value: $(params.ociArtifactExpiresAfter) + - name: trustedArtifactsDebug + value: $(params.trustedArtifactsDebug) + - name: orasOptions + value: $(params.orasOptions) + - name: dataDir + value: $(params.dataDir) + - name: caTrustConfigMapName + value: $(params.caTrustConfigMapName) + - name: caTrustConfigMapKey + value: $(params.caTrustConfigMapKey) + - name: taskGitUrl + value: $(params.catalogGitUrl) + - name: taskGitRevision + value: $(params.catalogGitRevision) + + - name: collect-task-params + taskRef: + resolver: "git" + params: + - name: url + value: $(params.catalogGitUrl) + - name: revision + value: $(params.catalogGitRevision) + - name: pathInRepo + value: tasks/managed/collect-task-params/collect-task-params.yaml + runAfter: + - collect-data + params: + - name: dataPath + value: $(tasks.collect-data.results.data) + - name: dataDir + value: $(params.dataDir) + - name: keysToExtract + value: | + [ + {"resultIndex": 0, "key": ".pulp.domain"}, + {"resultIndex": 1, "key": ".pulp.repository"} + ] + - name: ociStorage + value: $(params.ociStorage) + - name: ociArtifactExpiresAfter + value: $(params.ociArtifactExpiresAfter) + - name: trustedArtifactsDebug + value: 
$(params.trustedArtifactsDebug) + - name: orasOptions + value: $(params.orasOptions) + - name: sourceDataArtifact + value: $(tasks.collect-data.results.sourceDataArtifact) + - name: taskGitUrl + value: $(params.catalogGitUrl) + - name: taskGitRevision + value: $(params.catalogGitRevision) + - name: caTrustConfigMapName + value: $(params.caTrustConfigMapName) + - name: caTrustConfigMapKey + value: $(params.caTrustConfigMapKey) + - name: extract taskRef: resolver: "git" @@ -185,6 +312,8 @@ spec: value: $(params.taskGitRevision) - name: pathInRepo value: tasks/managed/slan-cuan-extract/slan-cuan-extract.yaml + runAfter: + - collect-data params: - name: IMAGE value: $(params.pnc-image) @@ -268,11 +397,12 @@ spec: value: tasks/managed/slan-cuan-publish/slan-cuan-publish.yaml runAfter: - register + - collect-task-params params: - name: PULP_URL - value: $(params.pulp-url) + value: $(tasks.collect-task-params.results.extractedValues[0]) - name: PULP_REPOSITORY - value: $(params.pulp-repository) + value: $(tasks.collect-task-params.results.extractedValues[1]) - name: INSECURE value: $(params.publish-insecure) - name: CA_CERT_SECRET From 7cacff224ed964b95e5339936fa69b11bcb86336 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 24 Jun 2026 14:28:00 -0400 Subject: [PATCH 3/7] slan-cuan-release: Add generated README Assisted-by: Claude Code (Sonnet 4.6) --- pipelines/managed/slan-cuan-release/README.md | 113 ++++++------------ 1 file changed, 36 insertions(+), 77 deletions(-) diff --git a/pipelines/managed/slan-cuan-release/README.md b/pipelines/managed/slan-cuan-release/README.md index 0d764c077d..230c5d1413 100644 --- a/pipelines/managed/slan-cuan-release/README.md +++ b/pipelines/managed/slan-cuan-release/README.md 
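Review bot: `collect-task-params` extracts `.pulp.domain` into `extractedValues[0]`, which the `@@ -268,11 +397,12 @@` hunk then passes to `publish` as `PULP_URL`, a parameter the removed `pulp-url` param described as a base URL (`https://pulp.example.com`); if the RPA field holds a bare domain rather than a URL, the publish task receives the wrong shape. Either extract a key that holds the full URL or add a YAML comment above `- name: keysToExtract` (not inside the block scalar, which is parsed as JSON), e.g. `# .pulp.domain is passed through as PULP_URL; the publish task must accept a bare host`. Separately, this change introduces a second handoff mechanism: `collect-data` and `collect-task-params` move data through Trusted Artifacts (`ociStorage`, `sourceDataArtifact`), while `extract`/`sign`/`register`/`publish` still share the `shared-workspace` PVC, so the RPA-derived values reach `publish` only via task results; that split is worth a comment at the top of `tasks:`. The `runAfter: - collect-data` added to `extract` in the `@@ -185,6 +312,8 @@` hunk carries no data between the two tasks, so a comment stating why the ordering is wanted (or dropping it) would stop readers assuming a data dependency.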
@@ -3,83 +3,42 @@ Release pipeline for Lightwell Java artifacts (slan-cuan). This pipeline orchestrates the complete release workflow for Java artifacts built by -PNC (Project Newcastle): - -1. **Extract** -- Pull artifacts from PNC container image -2. **Sign** -- Cryptographically sign artifacts using RADAS -3. **Register** -- Upload SBOMs to Trustify for CVE tracking -4. **Publish** -- Push signed artifacts to Pulp for distribution - -## Workflow Topology - -The pipeline executes tasks in strict sequential order: - -``` -extract → sign → register → publish -``` - -Each task waits for its predecessor via `runAfter` dependencies. Data flows through -a shared workspace that persists the artifact directory across all stages. - -## Workspaces - -The pipeline requires a single shared workspace (`shared-workspace`) for artifact passing -between tasks. All tasks mount this workspace at `/var/workdir`. - -Workspace binding options: -- **PersistentVolumeClaim** -- For traditional Konflux pipelines -- **Trusted Artifacts** -- Wrap tasks with use-trusted-artifact/create-trusted-artifact -- **emptyDir** -- For ephemeral single-node execution (testing only) - -## Results - -The pipeline propagates key results from individual tasks for downstream consumption -and Enterprise Contract policy evaluation: - -- `manifest-digest` -- OCI manifest digest of the extracted PNC image -- `deliverable-dir` -- Name of the deliverable directory -- `sbom-urn` -- URN of the SBOM registered in Trustify -- `artifacts-uploaded` -- Number of artifacts uploaded to Pulp -- `artifacts-skipped` -- Number of artifacts skipped during upload -- `published-artifact-outputs` -- JSON object for Tekton Chains SLSA provenance - -The `published-artifact-outputs` result contains `uri` and `digest` keys. The -`-ARTIFACT_OUTPUTS` suffix triggers Tekton Chains to generate SLSA provenance -attestations for the published artifacts. 
- -## Required Kubernetes Secrets - -Create these Kubernetes Secrets before running the pipeline: - -- `registry-auth` (.dockerconfigjson) -- Docker/Podman registry authentication -- `radas-config` (Opaque) -- RADAS configuration JSON in `config.json` key -- `trustify-sso` (Opaque) -- OIDC credentials (`client-id`, `client-secret` keys) -- Custom CA certs (Opaque, optional) -- `ca.crt` key for register/publish tasks - -Secret names are configurable via pipeline parameters. +PNC (Project Newcastle). ## Parameters -| Name | Description | Optional | Default value | -|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------| -| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git | -| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | -| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - | -| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | -| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | -| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - | -| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. 
The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | -| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@example.com | -| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is / | Yes | repository | -| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | -| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | -| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - | -| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/realms/token -| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | -| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | -| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | -| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | -| pulp-url | Pulp instance base URL. The base URL for the Pulp content management system. Example: https://pulp.example.com | No | - | -| pulp-repository | Pulp Maven distribution name. 
The name of the target Pulp repository for artifact publishing. Example: lightwell-maven | No | - | -| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | -| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | +| Name | Description | Optional | Default value | +|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| +| release | The namespaced name (namespace/name) of the Release | No | - | +| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - | +| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - | +| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - | +| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - | +| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty | +| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d | +| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" | +| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" | +| dataDir | The location where data will be stored | Yes | /var/workdir/release | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt | +| catalogGitUrl | The url to the git repo where 
release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git | +| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline | +| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git | +| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | +| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - | +| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | +| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | +| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - | +| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | +| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com | +| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is / | Yes | repository | +| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | +| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | +| trustify-api-url | Trustify instance API URL. 
The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - | +| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/token | No | - | +| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | +| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | +| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | +| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | +| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | +| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | From 2d282005dee5f162c79319ea6160c09cfe3a3a77 Mon Sep 17 00:00:00 2001 
From: arewm Date: Wed, 24 Jun 2026 15:17:06 -0400 Subject: [PATCH 4/7] slan-cuan-release: Derive all runtime params from snapshot and RPA data Remove pnc-image, signing-key, trustify-api-url, and sso-token-url as required pipeline params. pnc-image is now extracted from the snapshot component image via a second collect-task-params step (collect-snapshot-params). signing-key and Trustify URLs are extracted from RPA data alongside the existing Pulp config. Assisted-by: Claude Code (Sonnet 4.6) --- pipelines/managed/slan-cuan-release/README.md | 70 ++++++++------- .../slan-cuan-release/slan-cuan-release.yaml | 86 ++++++++++++------- 2 files changed, 89 insertions(+), 67 deletions(-) diff --git a/pipelines/managed/slan-cuan-release/README.md b/pipelines/managed/slan-cuan-release/README.md index 230c5d1413..1c71160775 100644 --- a/pipelines/managed/slan-cuan-release/README.md +++ b/pipelines/managed/slan-cuan-release/README.md 
@@ -3,42 +3,40 @@ Release pipeline for Lightwell Java artifacts (slan-cuan). This pipeline orchestrates the complete release workflow for Java artifacts built by -PNC (Project Newcastle). +PNC (Project Newcastle). All per-release configuration (image reference, signing key, +Trustify URLs, Pulp target) is derived from the Snapshot and ReleasePlanAdmission data +via collect-data, so no pipeline parameters need to be supplied at invocation time. ## Parameters -| Name | Description | Optional | Default value | -|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| -| release | The namespaced name (namespace/name) of the Release | No | - | -| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - | -| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - | -| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - | -| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - | -| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty | -| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d | -| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" | -| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" | -| dataDir | The location where data will be stored | Yes | /var/workdir/release | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt | -| catalogGitUrl | The url to the git repo where release-service-catalog tasks are 
stored | Yes | https://github.com/arewm/release-service-catalog.git | -| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline | -| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git | -| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | -| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - | -| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | -| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | -| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - | -| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | -| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com | -| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is / | Yes | repository | -| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | -| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | -| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. 
Example: https://trustify.stage.example.com | No | - | -| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/token | No | - | -| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | -| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | -| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | -| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | -| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | -| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. 
Leave empty to use system CA bundle | Yes | "" | +| Name | Description | Optional | Default value | +|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| +| release | The namespaced name (namespace/name) of the Release | No | - | +| releasePlan | The namespaced name (namespace/name) of the ReleasePlan | No | - | +| releasePlanAdmission | The namespaced name (namespace/name) of the ReleasePlanAdmission | No | - | +| releaseServiceConfig | The namespaced name (namespace/name) of the ReleaseServiceConfig | No | - | +| snapshot | The namespaced name (namespace/name) of the Snapshot | No | - | +| ociStorage | The OCI repository where Trusted Artifacts are stored | Yes | empty | +| ociArtifactExpiresAfter | Expiration date for trusted artifacts created in the OCI repository | Yes | 1d | +| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts | Yes | "" | +| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" | +| dataDir | The location where data will be stored | Yes | /var/workdir/release | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt | +| catalogGitUrl | The url to the git repo where release-service-catalog tasks are stored | Yes | https://github.com/arewm/release-service-catalog.git | +| catalogGitRevision | The revision in the catalogGitUrl repo to be used | Yes | lightwell-pipeline | +| taskGitUrl | The url to the git repo where the slan-cuan tasks are stored | Yes | https://github.com/konflux-lightwell/slan-cuan.git | +| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | +| registry-auth-secret | Kubernetes Secret 
name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth | +| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false | +| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a `config.json` key with RADAS API URL and credentials | Yes | radas-config | +| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@org.com | +| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is / | Yes | repository | +| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan | +| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: ".*-sources\\.jar$,.*-javadoc\\.jar$" excludes source and javadoc JARs | Yes | "" | +| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have `client-id` and `client-secret` keys for OAuth2 client credentials flow | Yes | trustify-sso | +| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false | +| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 | +| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | +| publish-insecure | Disable TLS verification for Pulp API calls. 
Set to "true" to skip certificate validation (not recommended for production) | Yes | false | +| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a `ca.crt` key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" | diff --git a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml index c256d5a12e..309e62799b 100644 --- a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml +++ b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml @@ -15,7 +15,9 @@ spec: Release pipeline for Lightwell Java artifacts (slan-cuan). This pipeline orchestrates the complete release workflow for Java artifacts built by - PNC (Project Newcastle). + PNC (Project Newcastle). All per-release configuration (image reference, signing key, + Trustify URLs, Pulp target) is derived from the Snapshot and ReleasePlanAdmission data + via collect-data, so no pipeline parameters need to be supplied at invocation time. params: # Release service standard params (passed by release-service controller) - name: release @@ -82,12 +84,6 @@ spec: description: The revision in the taskGitUrl repo to be used # Extract parameters - - name: pnc-image - description: | - PNC container image reference to extract artifacts from. - This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. - Example: quay.io/pnc-builds/foo@sha256:xyz - type: string - name: registry-auth-secret description: | Kubernetes Secret name for registry authentication (.dockerconfigjson format). @@ -102,11 +98,6 @@ spec: default: "false" # Sign parameters - - name: signing-key - description: | - Signing key name for RADAS. - Identifies which signing key to use for cryptographic signatures - type: string - name: radas-config-secret description: | Kubernetes Secret name containing RADAS configuration JSON. 
@@ -139,18 +130,6 @@ spec: default: "" # Register parameters - - name: trustify-api-url - description: | - Trustify instance API URL. - The base URL for the Trustify (TPA) SBOM ingestion API. - Example: https://trustify.stage.example.com - type: string - - name: sso-token-url - description: | - OIDC token endpoint URL. - The OAuth2/OIDC token endpoint for Trustify authentication. - Example: https://sso.example.com/auth/token - type: string - name: sso-secret-name description: | Kubernetes Secret name with OIDC credentials. 
@@ -281,7 +260,51 @@ spec: value: | [ {"resultIndex": 0, "key": ".pulp.domain"}, - {"resultIndex": 1, "key": ".pulp.repository"} + {"resultIndex": 1, "key": ".pulp.repository"}, + {"resultIndex": 2, "key": ".radas.signingKey"}, + {"resultIndex": 3, "key": ".trustify.apiUrl"}, + {"resultIndex": 4, "key": ".trustify.ssoTokenUrl"} + ] + - name: ociStorage + value: $(params.ociStorage) + - name: ociArtifactExpiresAfter + value: $(params.ociArtifactExpiresAfter) + - name: trustedArtifactsDebug + value: $(params.trustedArtifactsDebug) + - name: orasOptions + value: $(params.orasOptions) + - name: sourceDataArtifact + value: $(tasks.collect-data.results.sourceDataArtifact) + - name: taskGitUrl + value: $(params.catalogGitUrl) + - name: taskGitRevision + value: $(params.catalogGitRevision) + - name: caTrustConfigMapName + value: $(params.caTrustConfigMapName) + - name: caTrustConfigMapKey + value: $(params.caTrustConfigMapKey) + + - name: collect-snapshot-params + taskRef: + resolver: "git" + params: + - name: url + value: $(params.catalogGitUrl) + - name: revision + value: $(params.catalogGitRevision) + - name: pathInRepo + value: tasks/managed/collect-task-params/collect-task-params.yaml + runAfter: + - collect-data + params: + - name: dataPath + value: $(tasks.collect-data.results.snapshotSpec) + - name: dataDir + value: $(params.dataDir) + - name: keysToExtract + value: | + [ + {"resultIndex": 0, "key": ".components[0].containerImage"} ] - name: ociStorage value: $(params.ociStorage) @@ -313,10 +336,10 @@ spec: - name: pathInRepo value: tasks/managed/slan-cuan-extract/slan-cuan-extract.yaml runAfter: - - collect-data + - collect-snapshot-params params: - name: IMAGE - value: $(params.pnc-image) + value: $(tasks.collect-snapshot-params.results.extractedValues[0]) - name: REGISTRY_AUTH_SECRET value: $(params.registry-auth-secret) - name: FORCE 
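Review bot: The new collect-snapshot-params task reads only `.components[0].containerImage`, so a Snapshot carrying more than one component would have every component but the first silently dropped from extract, sign, register and publish without any failure. Unless the collect-task-params task can enforce a component count, the single-component contract should at least be stated in the pipeline description and next to this key, e.g. `# Only the first Snapshot component is released; multi-component Snapshots are unsupported`. The same hunk also grows the keysToExtract list that the sign and register tasks further down consume by index (`extractedValues[2]` through `[4]`), which a reorder would break silently; a comment above the list recording the index-to-key mapping would make that coupling visible to the next editor.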
@@ -337,11 +360,12 @@ spec: value: tasks/managed/slan-cuan-sign/slan-cuan-sign.yaml runAfter: - extract + - collect-task-params params: - name: REPO_URL - value: $(params.pnc-image) + value: $(tasks.collect-snapshot-params.results.extractedValues[0]) - name: SIGNING_KEY - value: $(params.signing-key) + value: $(tasks.collect-task-params.results.extractedValues[2]) - name: RADAS_CONFIG_SECRET value: $(params.radas-config-secret) - name: REQUESTER_ID @@ -370,9 +394,9 @@ spec: - sign params: - name: TRUSTIFY_API_URL - value: $(params.trustify-api-url) + value: $(tasks.collect-task-params.results.extractedValues[3]) - name: SSO_TOKEN_URL - value: $(params.sso-token-url) + value: $(tasks.collect-task-params.results.extractedValues[4]) - name: SSO_SECRET_NAME value: $(params.sso-secret-name) - name: INSECURE From 16f284c202dad14981712c35630f053aa88a7cc2 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 24 Jun 2026 15:21:26 -0400 Subject: [PATCH 5/7] slan-cuan-release: Fix slan-cuan task paths to match actual repo layout Tasks live at tekton/tasks/slan-cuan-{task}.yaml in konflux-lightwell/slan-cuan, not tasks/managed/slan-cuan-{task}/slan-cuan-{task}.yaml. Assisted-by: Claude Code (Sonnet 4.6) --- .../managed/slan-cuan-release/slan-cuan-release.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml index 309e62799b..c175cc5e49 100644 --- a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml +++ b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml @@ -334,7 +334,7 @@ spec: - name: revision value: $(params.taskGitRevision) - name: pathInRepo - value: tasks/managed/slan-cuan-extract/slan-cuan-extract.yaml + value: tekton/tasks/slan-cuan-extract.yaml runAfter: - collect-snapshot-params params: 
@@ -357,7 +357,7 @@ spec: - name: revision value: $(params.taskGitRevision) - name: pathInRepo - value: tasks/managed/slan-cuan-sign/slan-cuan-sign.yaml + value: tekton/tasks/slan-cuan-sign.yaml runAfter: - extract - collect-task-params @@ -389,7 +389,7 @@ spec: - name: revision value: $(params.taskGitRevision) - name: pathInRepo - value: tasks/managed/slan-cuan-register/slan-cuan-register.yaml + value: tekton/tasks/slan-cuan-register.yaml runAfter: - sign params: @@ -418,7 +418,7 @@ spec: - name: revision value: $(params.taskGitRevision) - name: pathInRepo - value: tasks/managed/slan-cuan-publish/slan-cuan-publish.yaml + value: tekton/tasks/slan-cuan-publish.yaml runAfter: - register - collect-task-params From 5a788171d558ec55a4a6e6d86948860397698e42 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 24 Jun 2026 15:37:57 -0400 Subject: [PATCH 6/7] slan-cuan-release: Add default for taskGitRevision param Without a default, the release service cannot create the PipelineRun since it has no mechanism to pass taskGitRevision. Default to main. Assisted-by: Claude Code (Sonnet 4.6) --- pipelines/managed/slan-cuan-release/slan-cuan-release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml index c175cc5e49..612e951fcc 100644 --- a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml +++ b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml @@ -82,6 +82,7 @@ spec: - name: taskGitRevision type: string description: The revision in the taskGitUrl repo to be used + default: main # Extract parameters - name: registry-auth-secret From 8ecb3b95bd0057b30927110d1aa1675ffa3769e2 Mon Sep 17 00:00:00 2001 From: Jonathan Gangi Date: Wed, 24 Jun 2026 17:05:32 -0300 Subject: [PATCH 7/7] fix: use proper secret for RADAS Pass the `RADAS_CONFIG_PATH` as env secret 
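Review bot: Defaulting `taskGitRevision` to `main` means every release resolves its extract/sign/register/publish Task definitions from a moving branch of `taskGitUrl`, so the task code that produced a given release and its provenance cannot be recovered from the PipelineRun alone. If the release service cannot pass this parameter, consider defaulting to a tag or commit SHA and, where the deployment needs flexibility, sourcing the revision from RPA data via collect-task-params the same way the Pulp and RADAS values already are. At minimum the description should say the default is a floating ref, e.g. `description: The revision in the taskGitUrl repo to be used (default main is a moving branch; pin a tag or SHA for reproducible releases)`.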
Signed-off-by: Jonathan Gangi --- .../slan-cuan-release/slan-cuan-release.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml index 612e951fcc..02b29d8730 100644 --- a/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml +++ b/pipelines/managed/slan-cuan-release/slan-cuan-release.yaml @@ -99,12 +99,6 @@ spec: default: "false" # Sign parameters - - name: radas-config-secret - description: | - Kubernetes Secret name containing RADAS configuration JSON. - The secret must have a `config.json` key with RADAS API URL and credentials - type: string - default: "radas-config" - name: requester-id description: | Requester identity for signing operations. @@ -359,6 +353,12 @@ spec: value: $(params.taskGitRevision) - name: pathInRepo value: tekton/tasks/slan-cuan-sign.yaml + env: + - name: RADAS_CONFIG_PATH + valueFrom: + secretKeyRef: + name: radas-cfg + key: radas_cfg.json runAfter: - extract - collect-task-params @@ -367,8 +367,6 @@ spec: value: $(tasks.collect-snapshot-params.results.extractedValues[0]) - name: SIGNING_KEY value: $(tasks.collect-task-params.results.extractedValues[2]) - - name: RADAS_CONFIG_SECRET - value: $(params.radas-config-secret) - name: REQUESTER_ID value: $(params.requester-id) - name: ZIP_ROOT_PATH
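Review bot: Removing the `radas-config-secret` parameter replaces a configurable secret name (default `radas-config`, key `config.json`) with the literal `radas-cfg`/`radas_cfg.json` reference added later in this commit, yet the README table still documents `radas-config-secret` — this commit touches only the pipeline file, so the docs now describe a parameter that no longer exists. Either drop that README row or keep the parameter so the secret name stays selectable per environment, which also lets stage and production point at different RADAS secrets without editing the pipeline.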
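Review bot: The `env` block is inserted on the PipelineTask itself, between the taskRef params and `runAfter`; as far as I know Tekton's PipelineTask has no `env` field, so the PipelineRun would either be rejected at validation or, with a lenient decoder, the secret would never reach the step — the secret reference belongs in the Task definition at `tekton/tasks/slan-cuan-sign.yaml` (step env or a volume mount). The variable name `RADAS_CONFIG_PATH` also implies a file path, but a `secretKeyRef` env delivers the contents of `radas_cfg.json` itself, so whichever the CLI expects, one side of this contract is wrong. Mounting the secret as a volume and passing its path would match the name and keep the RADAS credentials out of the process environment, where every process in the container can read them and where they are easily echoed into task logs.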
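Review bot: Dropping the `RADAS_CONFIG_SECRET` binding only works if the Task at `tekton/tasks/slan-cuan-sign.yaml` no longer declares that parameter as required; if it still does without a default, every PipelineRun fails at validation. That Task lives in a separate repository, so this commit cannot be checked on its own, and a short comment beside `SIGNING_KEY` recording where the RADAS configuration now comes from would help the next reader, e.g. `# RADAS config is supplied through the radas-cfg Secret, not a Task param`.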