Création des task pour symfony app

.gitignore

@@ -1 +1,2 @@
 kustomization/base/tekton/secret/secret.yaml
+kustomization/base/tekton/secret/dockerconfig/config.json

Makefile

@@ -31,6 +31,13 @@ setup-cluster:
 ssh-secret:
 	cp kustomization/overlays/dev/resources/tekton/secret/secret.yaml.distkustomization/overlays/dev/resources/tekton/secret/secret.yaml
 
+docker-secret:
+	docker login reg.cadoles.com
+	mkdir -p kustomization/base/tekton/secret/dockerconfig
+	docker --config kustomization/base/tekton/secret/dockerconfig login reg.cadoles.com
+	# mv kustomization/base/tekton/secret/dockerconfig/config.json kustomization/base/tekton/secret/dockerconfig/.dockerconfigjson
+	kubectl create secret generic regcred --from-file=config.json=kustomization/base/tekton/secret/dockerconfig/config.json
+
 deploy-dev: ## Déploie le projet dans le cluster (nécessite la variable $HARBOR_USER_NAME)
 	skaffold dev -p dev --cleanup=false --default-repo reg.cadoles.com/${HARBOR_USER_NAME}
 

kustomization/base/tekton/kustomization.yaml

@@ -3,11 +3,10 @@ kind: Kustomization
 namespace: tekton
 resources:
 - namespace/namespace.yaml
-- configmap/configmap-php-cs-fixer.yaml
-- pipeline/pipeline.yaml
 - secret/secret.yaml
 - serviceaccount/service-account.yaml
 - https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml
-- task/show-readme.yaml
+- https://api.hub.tekton.dev/v1/resource/tekton/task/kaniko/0.6/raw
-- task/php-cs-fixer.yaml
+- https://api.hub.tekton.dev/v1/resource/tekton/task/trivy-scanner/0.2/raw
-- task/php-security-check.yaml
+- task/symfonyapp/
+- pipeline/pipeline-symfonyapp.yaml

kustomization/base/tekton/pipeline/pipeline-symfonyapp.yaml

@@ -0,0 +1,97 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: symfonyapp
+spec:
+  description: |
+    This pipeline clones a git repo, then echoes the README file to the stout.
+  params:
+  - name: repo-url
+    type: string
+    description: The git repo URL to clone from.
+  - name: image
+    type: string
+    description: Full name of image repo.
+  - name: dockerfile
+    type: string
+    description: 'The path to the Dockerfile to execute (default: ./Dockerfile)'
+  workspaces:
+  - name: shared-data
+    description: |
+      This workspace contains the cloned repo files, so they can be read by the
+      next task.
+  - name: config
+  - name: docker-credentials
+  tasks:
+  # Clone du repo git
+  - name: fetch-source
+    taskRef:
+      name: git-clone
+    workspaces:
+    - name: output
+      workspace: shared-data
+    params:
+    - name: url
+      value: $(params.repo-url)
+  # Lecture du readme du projet
+  - name: show-readme
+    runAfter: ["fetch-source"]
+    taskRef:
+      name: show-readme
+    workspaces:
+    - name: source
+      workspace: shared-data
+  # Execution des tests php-security-check
+  - name: php-security-check
+    runAfter: ["fetch-source"]
+    taskRef:
+      name: php-security-check
+    workspaces:
+    - name: source
+      workspace: shared-data
+  # Execution des tests phpstan
+  - name: phpstan
+    runAfter: ["fetch-source"]
+    taskRef:
+      name: phpstan
+    workspaces:
+    - name: source
+      workspace: shared-data
+  # Execution des tests php-cs-fixer
+  - name: php-cs-fixer
+    runAfter: ["fetch-source"]
+    taskRef:
+      name: php-cs-fixer
+    workspaces:
+    - name: source
+      workspace: shared-data
+    - name: config
+      workspace: config
+
+  - name: kaniko-build
+    taskRef:
+      name: kaniko
+    params:
+      - name: IMAGE
+        value: $(params.image)
+      - name: DOCKERFILE
+        value: $(params.dockerfile)
+      - name: EXTRA_ARGS
+        value:
+          - --skip-tls-verify
+          - --insecure
+    workspaces:
+      - name: source
+        workspace: shared-data
+      - name: dockerconfig
+        workspace: docker-credentials
+    runAfter:
+      - fetch-source
+      # - php-cs-fixer
+      # - phpstan
+      # - php-security-check
+    retries: 3
+
+  #
+
+

kustomization/base/tekton/pipeline/pipeline.yaml

@@ -1,50 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: clone-read
-spec:
-  description: | 
-    This pipeline clones a git repo, then echoes the README file to the stout.
-  params:
-  - name: repo-url
-    type: string
-    description: The git repo URL to clone from.
-  workspaces:
-  - name: shared-data
-    description: | 
-      This workspace contains the cloned repo files, so they can be read by the
-      next task.
-  tasks:
-  - name: fetch-source
-    taskRef:
-      name: git-clone
-    workspaces:
-    - name: output
-      workspace: shared-data
-    params:
-    - name: url
-      value: $(params.repo-url)
-
-  - name: show-readme
-    runAfter: ["fetch-source"]
-    taskRef:
-      name: show-readme
-    workspaces:
-    - name: source
-      workspace: shared-data
-
-  - name: php-security-check
-    runAfter: ["fetch-source"]
-    taskRef:
-      name: php-security-check
-    workspaces:
-    - name: source
-      workspace: shared-data
-
-  - name: php-cs-fixer
-    runAfter: ["fetch-source"]
-    taskRef:
-      name: php-cs-fixer
-    workspaces:
-    - name: source
-      workspace: shared-data

kustomization/base/tekton/pipeline/pipelinerun.yaml

@@ -1,11 +1,11 @@
 apiVersion: tekton.dev/v1beta1
 kind: PipelineRun
 metadata:
-  generateName: clone-read-run-
+  generateName: symfonyapp-run-
 spec:
   serviceAccountName: build-bot
   pipelineRef:
-    name: clone-read
+    name: symfonyapp
   podTemplate:
     securityContext:
       fsGroup: 65532
@@ -18,7 +18,16 @@ spec:
         resources:
           requests:
             storage: 1Gi
+  - name: config
+    configmap:
+      name: config-php-cs-fixer
+  - name: docker-credentials
+    secret:
+      secretName: regcred
   params:
   - name: repo-url
     value: https://forge.cadoles.com/Cadoles/hydra-dispatcher.git
-  
+  - name: image
+    value: reg.cadoles.com/mlamalle/testtekton
+  - name: dockerfile
+    value: misc/docker/Dockerfile

kustomization/base/tekton/secret/secret.yaml.dist

@@ -1,12 +1,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: ssh-key
   annotations:
-    tekton.dev/git-0: forge.cadoles.com # Described below
+    tekton.dev/git-0: https://forge.cadoles.com
-type: kubernetes.io/ssh-auth
+  name: basic-auth
+type: kubernetes.io/basic-auth
 stringData:
-  ssh-privatekey: ""
+  username: <login>
-  # This is non-standard, but its use is encouraged to make this more secure.
+  password: <password>
-  # If it is not provided then the git server's public key will be requested
-  # when the repo is first fetched.

kustomization/base/tekton/serviceaccount/service-account.yaml

@@ -3,4 +3,5 @@ kind: ServiceAccount
 metadata:
   name: build-bot
 secrets:
-  - name: basic-auth
+  - name: basic-auth
+  - name: regcred

kustomization/base/tekton/task/symfonyapp/configmap/configmap-php-cs-fixer.yaml

@@ -3,11 +3,13 @@ kind: ConfigMap
 metadata:
   name: config-php-cs-fixer
 data:
-  .php-cs-fixer.dist.php: |
+  php-cs-fixer.dist.php: |
     <?php
-    $finder = PhpCsFixer\Finder::create()
+    $finder = (new PhpCsFixer\Finder())
-        ->in(__DIR__.'/src')
+    ->ignoreDotFiles(false)
-        ->name('*.php');
+    ->ignoreVCSIgnored(true)
+    ->exclude(['dev-tools/phpstan', 'tests/Fixtures'])
+    ->in(__DIR__);
     // TODO: Définir les règles de style communes
     // spécifiques au projet
     return (new PhpCsFixer\Config())

kustomization/base/tekton/task/symfonyapp/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tekton
+resources:
+- configmap/configmap-php-cs-fixer.yaml
+- task/show-readme.yaml
+- task/php-cs-fixer.yaml
+- task/php-security-check.yaml
+- task/phpstan.yaml

kustomization/base/tekton/task/symfonyapp/task/php-cs-fixer.yaml

@@ -6,17 +6,14 @@ spec:
   description: PHP-CS-Fixer on modified code
   workspaces:
   - name: source
+  - name: config
   steps:
-  - name: read
+  - name: exec
     image:  ghcr.io/php-cs-fixer/php-cs-fixer:3-php8.3
-    volumeMounts:
+    command:
-      - name: config-php-cs-fixer
+      - /bin/sh
-        mountPath: "/conf/"
     args:
-    - --dry-run
+      - '-c'
-    - fix
+      - |
-  
+        set -ex
-  volumes:
+        php-cs-fixer fix --dry-run --config=$(workspaces.config.path)/php-cs-fixer.dist.php $(workspaces.source.path)
-    - name: config-php-cs-fixer
-      configMap:
-        name: config-php-cs-fixer

kustomization/base/tekton/task/symfonyapp/task/php-security-check.yaml

@@ -7,13 +7,13 @@ spec:
   workspaces:
   - name: source
   steps:
-  - name: check
+  - name: exec
     image:  alpine:latest
-    script: | 
+    script: |
       #!/bin/sh
       export PHP_SECURITY_CHECKER_VERSION=1.0.0
       export ARG JQ_VERSION=1.6
       wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
       && chmod +x /usr/local/bin/local-php-security-checker
       cd $(workspaces.source.path)
-      local-php-security-checker --format=markdown || true
+      local-php-security-checker --format=markdown || true

kustomization/base/tekton/task/symfonyapp/task/phpstan.yaml

@@ -0,0 +1,28 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: phpstan
+spec:
+  description: PHP-CS-Fixer on modified code
+  workspaces:
+  - name: source
+  steps:
+  - name: exec
+    image:  ghcr.io/phpstan/phpstan:1
+    command:
+      - /bin/sh
+    args:
+      - '-c'
+      - |
+        set -ex
+        composer require phpstan/phpstan-symfony
+        composer require phpstan/phpstan-doctrine
+        cat << EOF > /app/phpstan.neon
+        includes:
+            - /app/vendor/phpstan/phpstan-symfony/extension.neon
+            - /app/vendor/phpstan/phpstan-doctrine/extension.neon
+            - /app/vendor/phpstan/phpstan-doctrine/rules.neon
+        EOF
+        phpstan analyse -l 1 --error-format=table $(workspaces.source.path)
+
+

kustomization/base/tekton/task/symfonyapp/task/show-readme.yaml

@@ -7,8 +7,9 @@ spec:
   workspaces:
   - name: source
   steps:
-  - name: read
+  - name: showreadme
     image: alpine:latest
-    script: | 
+    script: |
       #!/usr/bin/env sh
-      cat $(workspaces.source.path)/README.md
+      cat $(workspaces.source.path)/README.md
+      ls $(workspaces.source.path)

resources/com/cadoles/symfony/.php-cs-fixer.dist.php

@@ -5,8 +5,6 @@ $finder = PhpCsFixer\Finder::create()
     ->name('*.php')
 ;
 
-// TODO: Définir les règles de style communes
-// spécifiques au projet
 return (new PhpCsFixer\Config())
     ->setRules([
         '@Symfony' => true,
@@ -22,8 +20,6 @@ return (new PhpCsFixer\Config())
         'ternary_operator_spaces' => true,
         'class_definition' => ['single_line' => true],
         'whitespace_after_comma_in_array' => true,
-
-        // phpdoc
         'phpdoc_add_missing_param_annotation' => ['only_untyped' => true],
         'phpdoc_order' => true,
         'phpdoc_types_order' => [

resources/com/cadoles/symfony/Dockerfile

@@ -0,0 +1,47 @@
+ARG PHP_SECURITY_CHECKER_VERSION=1.0.0
+ARG JQ_VERSION=1.6
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        wget tar curl ca-certificates \
+        openssl bash git unzip \
+        php-cli php-dom php-mbstring php-ctype php-xml php-iconv
+        
+COPY add-letsencrypt-ca.sh /root/add-letsencrypt-ca.sh
+
+RUN bash /root/add-letsencrypt-ca.sh \
+    && rm -f /root/add-letsencrypt-ca.sh
+
+RUN wget -O /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \
+    && chmod +x /usr/local/bin/jq
+
+# Install local-php-security-checker
+RUN wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
+    && chmod +x /usr/local/bin/local-php-security-checker
+
+# Install junit2md
+RUN junit2md_download_url=$(curl "https://forge.cadoles.com/api/v1/repos/Cadoles/junit2md/releases" -H "accept:application/json" | jq -r 'sort_by(.published_at) | reverse | .[0] | .assets[] | select(.name == "junit2md-linux-amd64.tar.gz") | .browser_download_url') \
+    && wget -O junit2md-linux-amd64.tar.gz "$junit2md_download_url" \
+    && tar -xzf junit2md-linux-amd64.tar.gz \
+    && cp junit2md-linux-amd64/junit2md /usr/local/bin/junit2md
+
+# Install composer
+RUN wget https://raw.githubusercontent.com/composer/getcomposer.org/76a7060ccb93902cd7576b67264ad91c8a2700e2/web/installer -O - -q | php -- --force --install-dir /usr/local/bin --filename composer \
+    && chmod +x /usr/local/bin/composer
+
+# Install php-cs-fixer
+RUN mkdir --parents /tools/php-cs-fixer \
+    && composer require --working-dir=/tools/php-cs-fixer friendsofphp/php-cs-fixer \
+    && ln -s /tools/php-cs-fixer/vendor/bin/php-cs-fixer /usr/local/bin/php-cs-fixer
+
+# Install php-stan 
+RUN mkdir --parents /tools/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan \
+    && ln -s /tools/phpstan/vendor/bin/phpstan /usr/local/bin/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-symfony \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-doctrine
+
+# Install Symfony
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash \
+    && apt update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y symfony-cli

resources/com/cadoles/symfony/phpstan.neon

@@ -0,0 +1,4 @@
+includes:
+    - /tools/phpstan/vendor/phpstan/phpstan-symfony/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/rules.neon

symfony/.php-cs-fixer.dist.php

@@ -0,0 +1,41 @@
+<?php
+
+$finder = PhpCsFixer\Finder::create()
+    ->in(__DIR__.'/src')
+    ->name('*.php')
+;
+
+return (new PhpCsFixer\Config())
+    ->setRules([
+        '@Symfony' => true,
+        'concat_space' => ['spacing' => 'none'],
+        'array_syntax' => ['syntax' => 'short'],
+        'combine_consecutive_issets' => true,
+        'explicit_indirect_variable' => true,
+        'no_useless_return' => true,
+        'ordered_imports' => true,
+        'no_unused_imports' => true,
+        'no_spaces_after_function_name' => true,
+        'no_spaces_inside_parenthesis' => true,
+        'ternary_operator_spaces' => true,
+        'class_definition' => ['single_line' => true],
+        'whitespace_after_comma_in_array' => true,
+        'phpdoc_add_missing_param_annotation' => ['only_untyped' => true],
+        'phpdoc_order' => true,
+        'phpdoc_types_order' => [
+            'null_adjustment' => 'always_last',
+            'sort_algorithm' => 'alpha',
+        ],
+        'phpdoc_no_empty_return' => false,
+        'phpdoc_summary' => false,
+        'general_phpdoc_annotation_remove' => [
+            'annotations' => [
+                'expectedExceptionMessageRegExp',
+                'expectedException',
+                'expectedExceptionMessage',
+                'author',
+            ],
+        ],
+    ])
+    ->setFinder($finder)
+;

symfony/Dockerfile

@@ -0,0 +1,47 @@
+ARG PHP_SECURITY_CHECKER_VERSION=1.0.0
+ARG JQ_VERSION=1.6
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        wget tar curl ca-certificates \
+        openssl bash git unzip \
+        php-cli php-dom php-mbstring php-ctype php-xml php-iconv
+        
+COPY add-letsencrypt-ca.sh /root/add-letsencrypt-ca.sh
+
+RUN bash /root/add-letsencrypt-ca.sh \
+    && rm -f /root/add-letsencrypt-ca.sh
+
+RUN wget -O /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \
+    && chmod +x /usr/local/bin/jq
+
+# Install local-php-security-checker
+RUN wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
+    && chmod +x /usr/local/bin/local-php-security-checker
+
+# Install junit2md
+RUN junit2md_download_url=$(curl "https://forge.cadoles.com/api/v1/repos/Cadoles/junit2md/releases" -H "accept:application/json" | jq -r 'sort_by(.published_at) | reverse | .[0] | .assets[] | select(.name == "junit2md-linux-amd64.tar.gz") | .browser_download_url') \
+    && wget -O junit2md-linux-amd64.tar.gz "$junit2md_download_url" \
+    && tar -xzf junit2md-linux-amd64.tar.gz \
+    && cp junit2md-linux-amd64/junit2md /usr/local/bin/junit2md
+
+# Install composer
+RUN wget https://raw.githubusercontent.com/composer/getcomposer.org/76a7060ccb93902cd7576b67264ad91c8a2700e2/web/installer -O - -q | php -- --force --install-dir /usr/local/bin --filename composer \
+    && chmod +x /usr/local/bin/composer
+
+# Install php-cs-fixer
+RUN mkdir --parents /tools/php-cs-fixer \
+    && composer require --working-dir=/tools/php-cs-fixer friendsofphp/php-cs-fixer \
+    && ln -s /tools/php-cs-fixer/vendor/bin/php-cs-fixer /usr/local/bin/php-cs-fixer
+
+# Install php-stan 
+RUN mkdir --parents /tools/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan \
+    && ln -s /tools/phpstan/vendor/bin/phpstan /usr/local/bin/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-symfony \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-doctrine
+
+# Install Symfony
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash \
+    && apt update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y symfony-cli

symfony/phpstan.neon

@@ -0,0 +1,4 @@
+includes:
+    - /tools/phpstan/vendor/phpstan/phpstan-symfony/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/rules.neon