mlamalle/mse-tekton
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Compare commits

base: mlamalle:94b8589b7c0e1a6e83aba5b5b32c863e6f9e1452
Branches Tags
mlamalle:develop
mlamalle:tekton2
mlamalle:ns
mlamalle:phpstan_baseline
mlamalle:mse
mlamalle:triggers
..
compare: mlamalle:0b0b1ceb37a0c0bfe5fcb03386323622f891fd3a
Branches Tags
mlamalle:tekton2
mlamalle:ns
mlamalle:develop
mlamalle:phpstan_baseline
mlamalle:mse
mlamalle:triggers

No commits in common. "94b8589b7c0e1a6e83aba5b5b32c863e6f9e1452" and "0b0b1ceb37a0c0bfe5fcb03386323622f891fd3a" have entirely different histories.
94b8589b7c ... 0b0b1ceb37

54 changed files with 2041 additions and 88 deletions
Show Stats Expand all files Collapse all files

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
kustomization/base/tekton/secret/gitea/access_token
kustomization/base/tekton/secret/gitea/basicauth
kustomization/base/tekton/secret/dockerconfig/.dockerconfigjson
kustomization/base/tekton/secret/ssh/id_ed25519
kustomization/base/tekton/secret/ssh/known_hosts

49
Makefile Normal file
View File

@ -0,0 +1,49 @@
DESTDIR=./
REG_CRED=$(shell kubectl get secret -n tekton -l type=regcred -o jsonpath='{.items[0].metadata.name}')
SUBNET=$(shell docker network inspect kind --format '{{ (index .IPAM.Config 0).Subnet }}')
BASEIP=$(shell docker network inspect kind --format '{{ (index .IPAM.Config 0).Subnet }}' | cut -d "/" -f 1)
.PHONY: help
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
.PHONY: deploy
create-cluster: ## Créer un cluster kubernetes avec Kind
kind create cluster --name tekton --config kind/kind-tekton.yaml
@echo "SubNet Docker :" $(SUBNET)
@echo -e " \x1b[32m✓\x1b[0m Cluster Kind déployé"
.PHONY: setup-cluster
setup-cluster: create cluster
kubectl apply -k kind/cluster --server-side
kubectl --namespace ingress-nginx rollout status --timeout 5m deployment/ingress-nginx-controller
kubectl --namespace metallb-system rollout status --timeout 5m deployment controller
sed -i "/mse.dev.local/ s/.*/ $(BASEIP)\tmse.dev.local/g" kind/cluster/coredns/custom-dns.yaml
kubectl apply -f kind/cluster/coredns/custom-dns.yaml
kubectl -n kube-system rollout restart deployment/coredns
kubectl -n kube-system rollout status --timeout 5m deployment/coredns
@yq -i ".spec.addresses = [\"$(SUBNET)\"]" kind/cluster/lb/resources/ipaddresspoool.yaml
kubectl apply -k kind/cluster/lb --server-side
deploy-dev: ## Déploie le projet dans le cluster (nécessite la variable $HARBOR_USER_NAME)
skaffold dev --cleanup=false
delete-cluster: ## Supprime le cluster kubernetes Kind
kind delete clusters tekton
docker-secret:
cp kustomization/base/tekton/secret/gitea/access_token.dist kustomization/base/tekton/secret/gitea/access_token
cp kustomization/base/tekton/secret/gitea/basicauth.dist kustomization/base/tekton/secret/gitea/basicauth
cp kustomization/base/tekton/secret/ssh/id_ed25519.dist kustomization/base/tekton/secret/ssh/id_ed25519
cp kustomization/base/tekton/secret/ssh/known_hosts.dist kustomization/base/tekton/secret/ssh/known_hosts
docker login reg.cadoles.com
docker --config kustomization/base/tekton/secret/dockerconfig login reg.cadoles.com
mv kustomization/base/tekton/secret/dockerconfig/config.json kustomization/base/tekton/secret/dockerconfig/.dockerconfigjson
.mktools:
rm -rf .mktools
curl -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | $(SHELL)
-include .mktools/*.mk

64
README.md Normal file
View File

@ -0,0 +1,64 @@
# MSE Tekton
CI du projet MSE
### Lancement de l'environnement
#### Lancer l'environnement
```
make create-cluster
```
Si vous disposez déjà d'un environnement kubernetes, appliquez uniquement les CRDs :
```
kubectl apply -k kind/cluster --server-side
```
Il se peut qu'il y ait besoin de relancer la commande s'il n'arrive pas a charger `TektonConfig` correctement
Puis
```
make deploy-dev
```
#### Préparer les secrets
Créer les fichiers en renseignant et en copiant les fichiers `.dist` correspondants:
- `kustomization/base/tekton/secret/gitea/access_token`
- `kustomization/base/tekton/secret/gitea/basicauth`
- `kustomization/base/tekton/secret/ssh/id_ed25519`
- `kustomization/base/tekton/secret/ssh/known_hosts`
Générer le secret docker
```
make docker-secret
```
### Lancement d'un pipeline
```
kubectl create -f kustomization/base/tekton/pipeline/pipelinerun.yaml
```
### Lister et voir les logs des pipelines
```
tkn pipelinerun list
tkn pipelinerun logs clone-read-run-dqwcx -f
```
Pour installer le cli tekton : [Tekton CLI](https://tekton.dev/docs/cli/#installation)
### Accès au Dashboard
[Doc Tekton](https://tekton.dev/docs/dashboard/install/)
On crée un port-forward pour accéder au dashboard
```
kubectl --namespace tekton-pipelines port-forward svc/tekton-dashboard 9097:9097
```
Accéder au dashboard : http://localhost:9097

10
doc/mesproject.md Normal file
View File

@ -0,0 +1,10 @@
# Mse Project
## Evénements et triggers
Lors de l'émission d'un événement par Gitea, selon la nature de l'événement, les pipelines `symfonycheck` ou `buildimage` seront déclenchés.
- Pull request créé, ou push sur une pull request : `symfonycheck`
- merge d'une PR : `buildimage`

76
doc/tekton.md Normal file
View File

@ -0,0 +1,76 @@
# Tekton CI
## Webhook, Événements et Triggers
Un webhook Gitea configuré, envoi des événements sur un endpoint défini par en `EventListener`.
Cet `EventListener`, selon les filtres et overlays définis, peut alors déclencher des `TriggerTemplates` (configuré selon un `TriggerBinding`), qui alors configurerons a leur tour des `PipelineRun`, qui exécuterons des `Pipelines`, qui configurerons des `TaskRun`, qui alors exécuterons des `Task`.
```mermaid
flowchart LR
A[Webhook Event] --> B(EventListener
filter et overlays)
B --> D(Pipeline Binding)
B --> E(Pipeline Template)
D --> E
E --> F(PipelineRun)
F --> G(Pipeline)
```
Les `Webhooks`, événements et triggers dans Tekton CI permettent de déclencher des actions automatisées en réponse à des événements spécifiques dans un système de gestion de code source.
### Filter et overlay
Le `filter` permet de déclencher les Triggers pour les événements répondant au critère du filtre
Les `overlays` permettent de récupérer une valeur de la requête pour la passer en paramètre
### Workspaces
Les workspaces sont des volumes qui sont monté à la demande dans les conteneurs des différentes `Task` dans le répertoire `/workspace`.
### Exemples
- [EventListener MSE](kustomization/base/tekton/event/mseproject.yaml)
- [TriggerBinding MSE](kustomization/base/tekton/event/msebuild-binding.yaml)
- [TriggerTemplate MSE](kustomization/base/tekton/event/msebuild-template.yaml)
## Pipelines
Les `Pipeline` dans Tekton CI décrivent une série d'étapes ou de tâches à exécuter pour automatiser un processus de déploiement ou de test logiciel.
Un `PipelineRun` permet d'exécuter un `Pipeline` en lui donnant des paramètres
L'option `runAfter:` permet de définir si une `Task` doit s'exécuter une fois qu'une autre Task est terminé. Si `runAfter` n'est par défini, la `Task` sera exécuté en parallèle
```mermaid
flowchart LR
G(PipelineRun) --> H(Pipeline)
H --> I(TaskRun)
I --> J(Task)
```
### Exemples
- [SymfonyCheck](../kustomization/base/tekton/pipeline/symfonycheck.yaml)
## Tasks
Les `Task` dans Tekton CI représentent des actions individuelles à effectuer dans un pipeline. Elles peuvent inclure des opérations telles que la construction, le déploiement, les tests, etc.
Une `TaskRun` permet d'exécuter une `Task` en lui donnant des paramètres.
Les `Task` vont alors enchainer les différentes steps.
Les `Task` peuvent émettre des résultats, qui seront alors accessible par d'autres `Task`
L'option `OnError` permet de déclencher un évenement à la suite d'une erreur d'une `step`.
On peut alors s'en servir pour passer à la st`ep suivante, sans bloquer l'exécution de la `Task`.
### Exemple
- [ImageFormater](kustomization/base/tekton/task/common/imageformater.yaml)

31
kind/cluster/coredns/custom-dns.yaml Normal file
View File

@ -0,0 +1,31 @@
apiVersion: v1
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
hosts {
# Liste des noms de dommaine à résoudre dans le cluster.local
172.18.0.0 mse.dev.local
fallthrough
}
}
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system

17
kind/cluster/kustomization.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://raw.githubusercontent.com/ory/k8s/v0.30.0/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop
- https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop
- https://forge.cadoles.com/CadolesKube/c-kustom//base/metallb?ref=develop
- https://forge.cadoles.com/CadolesKube/c-kustom//base/nginx?ref=develop
- https://storage.googleapis.com/tekton-releases/operator/latest/release.yaml
- https://raw.githubusercontent.com/tektoncd/operator/main/config/crs/kubernetes/config/all/operator_v1alpha1_config_cr.yaml
- https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
- https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
- https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
- https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml

7
kind/cluster/lb/kustomization.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: metallb-system
resources:
- ./resources/ipaddresspoool.yaml
- ./resources/advertise.yaml

9
kind/cluster/lb/resources/advertise.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2-ip-pool-ad
namespace: metallb-system
spec:
ipAddressPools:
- main-pool

8
kind/cluster/lb/resources/ipaddresspoool.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: main-pool
namespace: metallb-system
spec:
addresses:
- 172.18.0.0/16

45
kind/kind-tekton.yaml Normal file
View File

@ -0,0 +1,45 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: tekton-pipelines
nodes:
- role: control-plane
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 31000
hostPort: 31000
listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
- containerPort: 80
hostPort: 8080
listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
labels:
ingress-ready: true
- role: worker
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
system-reserved: memory=2Gi
- role: worker
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
system-reserved: memory=2Gi
- role: worker
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
system-reserved: memory=2Gi

13
kind/scripts/init-kind.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
${ENGINE} create cluster --config kind/kind-mse.yaml
sleep 5
kubectl apply -k kind/cluster --server-side
sleep 5
docker network inspect kind | jq '.[0].IPAM.Config[0].Subnet' -r
echo "Si tout est ok :"
echo "kubectl apply -k kind/cluster/lb --server-side"
echo "skaffold dev -p dev --cleanup=false "

13
kustomization.yaml
View File

@ -1,13 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://storage.googleapis.com/tekton-releases/operator/latest/release.yaml
- https://raw.githubusercontent.com/tektoncd/operator/main/config/crs/kubernetes/config/all/operator_v1alpha1_config_cr.yaml
# Catalog
- https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.6/git-clone.yaml
secretGenerator:
- name: git-credentials
envs:
- secrets/gitcred.txt

6
kustomization/base/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- tekton/
- tekton-pipelines/ingress/dashboard.yaml

25
kustomization/base/tekton-pipelines/ingress/dashboard.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dashboard
namespace: tekton-pipelines
spec:
ingressClassName: nginx
rules:
- host: tekton.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tekton-dashboard
port:
number: 9097
- path: /mseproject
pathType: Prefix
backend:
service:
name: el-mseproject
port:
number: 9000

49
kustomization/base/tekton/configmap/configmap-phpcsfixer.yaml Normal file
View File

@ -0,0 +1,49 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config-phpcsfixer
data:
php-cs-fixer.dist.php: |
<?php
$finder = (new PhpCsFixer\Finder())
->ignoreDotFiles(false)
->ignoreVCSIgnored(true)
->exclude(['dev-tools/phpstan', 'tests/Fixtures'])
->in(__DIR__);
// TODO: Définir les règles de style communes
// spécifiques au projet
return (new PhpCsFixer\Config())
->setRules([
'@Symfony' => true,
'concat_space' => ['spacing' => 'none'],
'array_syntax' => ['syntax' => 'short'],
'combine_consecutive_issets' => true,
'explicit_indirect_variable' => true,
'no_useless_return' => true,
'ordered_imports' => true,
'no_unused_imports' => true,
'no_spaces_after_function_name' => true,
'no_spaces_inside_parenthesis' => true,
'ternary_operator_spaces' => true,
'class_definition' => ['single_line' => true],
'whitespace_after_comma_in_array' => true,
// phpdoc
'phpdoc_add_missing_param_annotation' => ['only_untyped' => true],
'phpdoc_order' => true,
'phpdoc_types_order' => [
'null_adjustment' => 'always_last',
'sort_algorithm' => 'alpha',
],
'phpdoc_no_empty_return' => false,
'phpdoc_summary' => false,
'general_phpdoc_annotation_remove' => [
'annotations' => [
'expectedExceptionMessageRegExp',
'expectedException',
'expectedExceptionMessage',
'author',
],
],
])
->setFinder($finder);

18
kustomization/base/tekton/event/imagebuild.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: imagebuild
spec:
serviceAccountName: tekton-robot
triggers:
- name: imagebuild-trigger
interceptors:
- ref:
name: "cel"
params:
- name: "filter"
value: "body.action != 'deleted'"
bindings:
- ref: imagebuild-binding
template:
ref: imagebuild-template

26
kustomization/base/tekton/event/msebuild.yaml Normal file
View File

@ -0,0 +1,26 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: msebuild
spec:
serviceAccountName: tekton-robot
triggers:
- name: msebuild-trigger
interceptors:
- ref:
name: "cel"
params:
# Filtre par événement
- name: "filter"
value: "body.action != 'deleted'"
# Récupération du queryParam registry
- name: "overlays"
value:
- key: registry
expression: "requestURL.parseURL().query['registry']"
bindings:
- ref: msebuild-binding
- name: registry
value: $(extensions.registry)
template:
ref: msebuild-template

39
kustomization/base/tekton/event/mseproject.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: mseproject
spec:
serviceAccountName: tekton-robot
triggers:
- name: mse-symfonycheck-trigger
interceptors:
- ref:
name: "cel"
params:
# Filtre par événement
- name: "filter"
value: "body.action in ['opened', 'synchronized']"
bindings:
- ref: symfonycheck-binding
template:
ref: symfonycheck-template
- name: mse-build-trigger
interceptors:
- ref:
name: "cel"
params:
# Filtre par événement
- name: "filter"
value: "body.pull_request.merged == true"
# Récupération du queryParam registry
- name: "overlays"
value:
- key: registry
expression: "requestURL.parseURL().query['registry']"
bindings:
- ref: msebuild-binding
- name: registry
value: $(extensions.registry)
template:
ref: msebuild-template

18
kustomization/base/tekton/event/symfonycheck.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: symfonycheck
spec:
serviceAccountName: tekton-robot
triggers:
- name: symfonycheck-trigger
interceptors:
- ref:
name: "cel"
params:
- name: "filter"
value: "body.action != 'closed'"
bindings:
- ref: symfonycheck-binding
template:
ref: symfonycheck-template

68
kustomization/base/tekton/kustomization.yaml Normal file
View File

@ -0,0 +1,68 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tekton-pipelines
resources:
- namespace/namespace.yaml
- serviceaccount/service-account.yaml
- serviceaccount/rbac.yaml
- configmap/configmap-phpcsfixer.yaml
- resources/
# Tasks
- https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml
- https://api.hub.tekton.dev/v1/resource/tekton/task/kaniko/0.6/raw
- task/common/giteacomment.yaml
- task/common/imageformater.yaml
- task/common/cleanup.yaml
- task/common/crane.yaml
- task/common/trivy.yaml
- task/symfonyapp/phpcsfixer.yaml
- task/symfonyapp/phpsecuritycheck.yaml
- task/symfonyapp/phpstan.yaml
- task/symfonyapp/phpunittest.yaml
- task/symfonyapp/phpfunctionaltest.yaml
# Pipelines
- pipeline/imagebuild.yaml
- pipeline/symfonycheck.yaml
# Triggers
- trigger/msebuild-binding.yaml
- trigger/msebuild-template.yaml
- trigger/imagebuild-binding.yaml
- trigger/imagebuild-template.yaml
- trigger/symfonycheck-binding.yaml
- trigger/symfonycheck-template.yaml
# Events
- event/mseproject.yaml
# # Ingress
# - ingress/dashboard.yaml
generatorOptions:
disableNameSuffixHash: true
secretGenerator:
- name: regcred
type: kubernetes.io/dockerconfigjson
files:
- secret/dockerconfig/.dockerconfigjson
- name: basic-auth
type: kubernetes.io/basic-auth
options:
annotations:
tekton.dev/git-0: https://forge.cadoles.com
envs:
- secret/gitea/basicauth
- name: gitea-access-token
files:
- secret/gitea/access_token
- name: git-credentials
files:
- secret/ssh/id_ed25519
- secret/ssh/known_hosts

4
kustomization/base/tekton/namespace/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: tekton-pipelines

170
kustomization/base/tekton/pipeline/imagebuild.yaml Normal file
View File

@ -0,0 +1,170 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: imagebuild
spec:
description: |
This pipeline clones a git repo, then echoes the README file to the stout.
params:
- name: url
type: string
description: The git repo URL to clone from.
- name: revision
type: string
description: The git repo branch to checkout.
- name: image
type: string
description: The image to build.
- name: context
type: string
description: The context of image to build.
- name: tag
type: string
description: The image tag.
- name: dockerfile
type: string
description: Path to the Dockerfile to build.
- name: registry
description: Registry of the Docker image
- name: apiurl
type: string
description: The gitea api url.
- name: requesttype
type: string
description: The gitea request type = "pullrequest / release".
- name: requestid
type: string
description: The gitea request id.
workspaces:
- name: shared-data
- name: docker-credentials
- name: git-credentials
- name: gitea-access-token
tasks:
# 📥 Clone du repo git
- name: gitclone
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
- name: ssh-directory
workspace: git-credentials
params:
- name: url
value: $(params.url)
- name: revision
value: $(params.revision)
- name: submodules
value: 'false'
- name: depth
value: '50'
# ⭐ Image Tag Formater
- name: imageformater
taskRef:
name: imageformater
runAfter: ["gitclone"]
workspaces:
- name: source
workspace: shared-data
params:
- name: revision
value: $(params.revision)
# 🔨 Build de l'image
- name: kaniko-build
taskRef:
name: kaniko
runAfter: ["imageformater"]
params:
- name: IMAGE
value: $(params.registry)/$(params.image):$(tasks.imageformater.results.imagetag)
- name: BUILDER_IMAGE
value: gcr.io/kaniko-project/executor:v1.20.0
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.context)
- name: EXTRA_ARGS
value:
- --skip-tls-verify
- --insecure
- --no-push
- --tarPath=$(workspaces.source.path)/image.tar
- --destination=$(params.registry)/$(params.image):$(tasks.imageformater.results.imagetag)
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
# 🔎 Scan de l'image
- name: trivy-scan
taskRef:
name: trivy-scanner
kind: Task
params:
- name: IMAGE_PATH
value: "$(workspaces.manifest-dir.path)/image.tar"
workspaces:
- name: manifest-dir
workspace: shared-data
runAfter:
- kaniko-build
# 📨 Envoyer du resulat de trivy à gitea
- name: trivy-giteacomment
taskRef:
name: giteacomment
workspaces:
- name: source
workspace: shared-data
- name: gitea-access-token
workspace: gitea-access-token
params:
- name: apiurl
value: $(params.apiurl)
- name: requestid
value: $(params.requestid)
- name: title
value: "TRIVY"
- name: filepath
value: "temp_trivy.txt"
runAfter:
- trivy-scan
# 🚀 Publication de l'image
- name: publish
taskRef:
name: crane-task
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
params:
- name: IMAGE_TAG
value: $(tasks.imageformater.results.imagetag)
- name: IMAGE
value: $(params.image)
- name: REGISTRY
value: $(params.registry)
runAfter:
- trivy-scan
finally:
# 🧹 Cleanup
- name: cleanup-workspace
taskRef:
name: cleanup-workspace
kind: Task
workspaces:
- name: source
workspace: shared-data

166
kustomization/base/tekton/pipeline/symfonycheck.yaml Normal file
View File

@ -0,0 +1,166 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: symfonycheck
spec:
description: |
This pipeline clones a git repo, then echoes the README file to the stout.
params:
- name: url
type: string
description: The git repo URL to clone from.
- name: revision
type: string
description: The git repo branch to checkout.
- name: destination
type: string
description: The branch to merge to.
- name: apiurl
type: string
description: The gitea api url.
- name: requesttype
type: string
description: The gitea request type = "pullrequest / release".
- name: requestid
type: string
description: The gitea request id.
workspaces:
- name: shared-data
description: This workspace contains the cloned repo files, so they can be read by the next task.
- name: config
- name: docker-credentials
- name: gitea-access-token
tasks:
# 📥 Clone du repo git
- name: gitclone
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.url)
- name: revision
value: $(params.revision)
- name: submodules
value: 'false'
- name: depth
value: '50'
# ⭐ Exécution des tests phpsecuritycheck
- name: phpsecuritycheck
runAfter: ["gitclone"]
taskRef:
name: phpsecuritycheck
workspaces:
- name: source
workspace: shared-data
# ⭐ Exécution des tests phpstan
- name: phpstan
runAfter: ["gitclone"]
taskRef:
name: phpstan
workspaces:
- name: source
workspace: shared-data
params:
- name: apiurl
value: $(params.apiurl)
- name: requestid
value: $(params.requestid)
# ⭐ Exécution des tests php-cs-fixer
- name: phpcsfixer
runAfter: ["gitclone"]
taskRef:
name: phpcsfixer
workspaces:
- name: source
workspace: shared-data
- name: config
workspace: config
params:
- name: destination
value: $(params.destination)
# ⭐ Execution des tests unitaires et fonctionnels
- name: phpunittest
runAfter: ["gitclone"]
taskRef:
name: phpunittest
workspaces:
- name: source
workspace: shared-data
finally:
# 📨 Envoie du resulat de php-cs-fixer à gitea
- name: phpcsfixer-giteacomment
taskRef:
name: giteacomment
workspaces:
- name: source
workspace: shared-data
- name: gitea-access-token
workspace: gitea-access-token
params:
- name: apiurl
value: $(params.apiurl)
- name: requestid
value: $(params.requestid)
- name: title
value: "PHP-CS-FIXER"
- name: filepath
value: "temp_phpcsfixer.txt"
# 📨 Envoi du resulat de phpstan à gitea
- name: phpstan-giteacomment
taskRef:
name: giteacomment
workspaces:
- name: source
workspace: shared-data
- name: gitea-access-token
workspace: gitea-access-token
params:
- name: apiurl
value: $(params.apiurl)
- name: requestid
value: $(params.requestid)
- name: title
value: "PHPSTAN"
- name: filepath
value: "temp_phpstan.txt"
# 📨 Envoie le resulat de phpsecuritychecker à gitea
- name: phpsecuritychecker-giteacomment
taskRef:
name: giteacomment
workspaces:
- name: source
workspace: shared-data
- name: gitea-access-token
workspace: gitea-access-token
params:
- name: apiurl
value: $(params.apiurl)
- name: requestid
value: $(params.requestid)
- name: title
value: "PHP-SECURITY-CHECK"
- name: filepath
value: "temp_phpsecuritychecker.txt"
# 🧹 Cleanup
- name: cleanup-workspace
taskRef:
name: cleanup-workspace
kind: Task
workspaces:
- name: source
workspace: shared-data

5
kustomization/base/tekton/resources/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./redis/redis-cluster.yaml

22
kustomization/base/tekton/resources/redis/redis-cluster.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
name: tekton-redis
spec:
sentinel:
replicas: 3
resources:
requests:
cpu: 100m
limits:
memory: 100Mi
redis:
image: reg.cadoles.com/proxy_cache/library/redis:6.2.6-alpine
replicas: 3
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 400m
memory: 500Mi

1
kustomization/base/tekton/secret/gitea/access_token.dist Normal file
View File

@ -0,0 +1 @@
TOKEN_HERE

2
kustomization/base/tekton/secret/gitea/basicauth.dist Normal file
View File

@ -0,0 +1,2 @@
username=<login>
password=<password>

1
kustomization/base/tekton/secret/ssh/id_ed25519.dist Normal file
View File

@ -0,0 +1 @@
YOUR_PRIVATE_KEY_HERE

1
kustomization/base/tekton/secret/ssh/known_hosts.dist Normal file
View File

@ -0,0 +1 @@
KNOWN_HOST_HERE

29
kustomization/base/tekton/serviceaccount/rbac.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-robot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: triggers-example-eventlistener-binding
subjects:
- kind: ServiceAccount
name: tekton-robot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-roles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: triggers-example-eventlistener-clusterbinding
subjects:
- kind: ServiceAccount
name: tekton-robot
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-eventlistener-clusterroles

7
kustomization/base/tekton/serviceaccount/service-account.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-bot
secrets:
- name: basic-auth
- name: regcred

24
kustomization/base/tekton/task/common/cleanup.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: cleanup-workspace
spec:
workspaces:
- name: source
steps:
- name: cleanup
image: alpine:latest
command:
- /bin/sh
args:
- '-c'
- |
#set -e
echo ""
echo "== CLEAN UP WORKSPACES ==================================="
rm -rf /workspace/*
echo ""
echo ""

39
kustomization/base/tekton/task/common/crane.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: crane-task
spec:
workspaces:
- name: source
- name: dockerconfig
params:
- name: IMAGE_TAG
type: string
description: "The image to push."
- name: IMAGE
type: string
description: "The image to push."
- name: REGISTRY
description: Docker Registry
steps:
- name: push-image-tar
image: gcr.io/go-containerregistry/crane:debug
script: |
#!/busybox/sh
set -eu -o pipefail
echo ""
echo "== CONFIGURE CREDENTIALS ==================================="
mkdir ~/.docker
cp $(workspaces.dockerconfig.path)/config.json ~/.docker/config.json
echo ""
echo "== PUSH IMAGE ==================================="
crane push $(workspaces.source.path)/image.tar $(params.REGISTRY)/$(params.IMAGE):$(params.IMAGE_TAG)
echo ""
echo ""

55
kustomization/base/tekton/task/common/giteacomment.yaml Normal file
View File

@ -0,0 +1,55 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: giteacomment
spec:
description: Send file content to a comment of the pullrequest gitea
workspaces:
- name: source
- name: gitea-access-token
params:
- name: apiurl
- name: requestid
- name: title
- name: filepath
steps:
- name: exec
image: alpine
command:
- /bin/sh
args:
- '-c'
- |
#set -e
cd $(workspaces.source.path)
echo ""
echo "== INSTALL DEPENDENCIES ==================================="
apk add jq curl
echo ""
echo "== SEND COMMENT TO GITEA ================================="
if [[ -n "$(params.title)" ]]; then
sed -i '1i\# $(params.title)' $(params.filepath)
fi
RESULT=$(cat $(params.filepath))
rm -f $(params.filepath)
TOKEN_PATH="$(workspaces.gitea-access-token.path)"
GITEA_ACCESS_TOKEN="$(cat ${TOKEN_PATH}/access_token)"
APIURL=$(params.apiurl)/issues/$(params.requestid)/comments?access_token=${GITEA_ACCESS_TOKEN}
RESULT_ESCAPED=$(jq --null-input --arg result "${RESULT}" '$result')
BODY="{\"body\": ${RESULT_ESCAPED}}"
echo ${BODY}
curl -X 'POST' \
${APIURL} \
-s \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d "${BODY}"
echo ""
echo ""

35
kustomization/base/tekton/task/common/imageformater.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: imageformater
spec:
description: transform image name to standart name
workspaces:
- name: source
params:
- name: revision
results:
- name: imagetag
steps:
- name: exec
image: alpine:3.19
script: |
#!/usr/bin/env sh
set -eu
set +x
apk add make curl bash git
cd $(workspaces.source.path)
git config --global --add safe.directory /workspace/source
git checkout $(params.revision)
set -x
echo ""
echo "== IMAGE NAME FORMATER ==================================="
make .mktools
version=$(make mkt-project-version)
echo -n "${version}" > "$(results.imagetag.path)"
echo ""
echo ""

46
kustomization/base/tekton/task/common/trivy.yaml Normal file
View File

@ -0,0 +1,46 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: trivy-scanner
labels:
app.kubernetes.io/version: "0.2"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/categories: Security
tekton.dev/tags: CLI, trivy
tekton.dev/displayName: "trivy scanner"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/390x"
spec:
description: >-
Trivy is a simple and comprehensive scanner for
vulnerabilities in container images,file systems
,and Git repositories, as well as for configuration issues.
This task can be used to scan for vulnenrabilities on the source code
in stand alone mode.
workspaces:
- name: manifest-dir
params:
- name: TRIVY_IMAGE
default: docker.io/aquasec/trivy@sha256:944a044451791617cc0ed2ee4d1942a4f66b790d527fcd0575a6b399ccbc05a1 # 0.43.1
description: Trivy scanner image to be used
- name: IMAGE_PATH
description: Image or Path to be scanned by trivy.
type: string
- name: AIR_GAPPED_ENABLED
default: "false"
description: a flag enabling Air-Gapped mode
type: string
steps:
- name: trivy-scan
image: $(params.TRIVY_IMAGE)
workingDir: $(workspaces.manifest-dir.path)
script: |
#!/usr/bin/env sh
echo ""
echo "== SCAN IMAGE ==================================="
echo "Running trivy task with command below"
trivy image --exit-code 1 --severity CRITICAL --no-progress -o temp_trivy.txt --input $(params.IMAGE_PATH)
cat temp_trivy.txt

35
kustomization/base/tekton/task/symfonyapp/phpcsfixer.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpcsfixer
spec:
description: PHP-CS-Fixer on modified code
workspaces:
- name: source
- name: config
params:
- name: destination
steps:
- name: exec
image: ghcr.io/php-cs-fixer/php-cs-fixer:3-php8.3
command:
- /bin/sh
args:
- '-c'
- |
#set -e
apk add git
cd $(workspaces.source.path)
git config --global --add safe.directory /workspace/source
git fetch origin $(params.destination)
CHANGED_FILES=$(git diff --name-only --diff-filter=ACMRTUXB origin/$(params.destination) -- | grep -F ".php" | tr "\n" " ")
if ! echo "${CHANGED_FILES}" | grep -qE "^(\\.php-cs-fixer(\\.dist)\\.php?|composer\\.lock)$"; then EXTRA_ARGS=$(printf -- '--path-mode=intersection -- %s' "${CHANGED_FILES}"); else EXTRA_ARGS=''; fi
echo ""
echo "== RUN PHP-CS-FIXER ======================================"
php-cs-fixer fix --dry-run --config=$(workspaces.config.path)/php-cs-fixer.dist.php ${EXTRA_ARGS} > temp_phpcsfixer.txt 2>&1
cat temp_phpcsfixer.txt
echo ""
echo ""

70
kustomization/base/tekton/task/symfonyapp/phpfunctionaltest.yaml Normal file
View File

@ -0,0 +1,70 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpfunctionaltest
spec:
description: PHP functional test with bdd sidecar
workspaces:
- name: source
sidecars:
- name: database
image: postgres:16
env:
- name: POSTGRES_PASSWORD
value: not_so_secret
- name: POSTGRES_HOST_AUTH_METHOD
value: trust
- name: redis
image: redis:4.0
steps:
- name: exec
image: reg.cadoles.com/cadoles/symfony:alpine-php-7.4-base-20230926
env:
- name: PHP_FPM_MEMORY_LIMIT
value: 512m
- name: MSE_DATABASE_DRIVER
value: pdo_pgsql
- name: MSE_DATABASE_HOST
value: localhost
- name: MSE_DATABASE_PORT
value: '5432'
- name: MSE_DATABASE_NAME
value: postgres
- name: MSE_DATABASE_USER
value: postgres
- name: MSE_DATABASE_PASSWORD
value: not_so_secret
- name: MSE_REDIS_SERVER
value: localhost
- name: MSE_REDIS_PORT
value: '6379'
- name: MSE_REDIS_SERVER
value: rfs-tekton-redis
command:
- /bin/sh
args:
- '-c'
- |
set -e
apk add bash=5.1.16-r0 \
postgresql-client \
php7-gd=7.4.33-r1 \
php7-xsl=7.4.33-r1 \
php7-pdo=7.4.33-r1 \
php7-pgsql=7.4.33-r1 \
php7-pdo_pgsql=7.4.33-r1 \
php7-soap=7.4.33-r1 \
php7-ldap=7.4.33-r1 \
php7-pdo_mysql=7.4.33-r1 \
php7-bcmath=7.4.33-r1 \
php7-intl=7.4.33-r1 \
php7-fileinfo=7.4.33-r1 \
php7-iconv=7.4.33-r1 \
php7-pecl-amqp=1.11.0-r0 \
php7-pecl-redis=5.3.6-r0
cd $(workspaces.source.path)
app/console doctrine:migrations:migrate -n
./scripts/run-php-tests.sh --group integration --stderr --testdox -d memory_limit=512M

32
kustomization/base/tekton/task/symfonyapp/phpsecuritycheck.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpsecuritycheck
spec:
description: Check PHP security issues
workspaces:
- name: source
steps:
- name: exec
image: alpine:latest
script: |
#!/bin/sh
#set -e
echo ""
echo "== INSTALL PHP-SECURITY-CHECKER =========================="
export PHP_SECURITY_CHECKER_VERSION=1.0.0
export ARG JQ_VERSION=1.6
wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
&& chmod +x /usr/local/bin/local-php-security-checker
echo ""
echo "== RUN PHP-SECURITY-CHECKER =============================="
cd $(workspaces.source.path)
local-php-security-checker --format=markdown > temp_phpsecuritychecker.txt 2>&1
RESULT=$(cat temp_phpsecuritychecker.txt)
echo "${RESULT}"
echo ""
echo ""

20
kustomization/base/tekton/task/symfonyapp/phpstan.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpstan
spec:
description: Phpstan on modified code
workspaces:
- name: source
params:
- name: apiurl
- name: requestid
steps:
- name: analyse
image: reg.cadoles.com/cadoles/phpstan
script: |
#!/bin/sh
echo "== RUN PHPSTAN ==========================================="
cd $(workspaces.source.path)
phpstan analyse -l 5 --configuration phpstan-pipeline.neon --error-format table --no-progress > temp_phpstan.txt 2>&1
cat temp_phpstan.txt

119
kustomization/base/tekton/task/symfonyapp/phpunittest.yaml Normal file
View File

@ -0,0 +1,119 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: phpunittest
spec:
description: PHP unit test
workspaces:
- name: source
sidecars:
- name: database
image: postgres:16
env:
- name: POSTGRES_PASSWORD
value: not_so_secret
- name: POSTGRES_HOST_AUTH_METHOD
value: trust
steps:
- name: php-unit
image: reg.cadoles.com/cadoles/symfony:alpine-php-7.4-base-20230926
env:
- name: PHP_FPM_MEMORY_LIMIT
value: 512m
- name: MSE_DATABASE_DRIVER
value: pdo_pgsql
- name: MSE_DATABASE_HOST
value: localhost
- name: MSE_DATABASE_PORT
value: '5432'
- name: MSE_DATABASE_NAME
value: postgres
- name: MSE_DATABASE_USER
value: postgres
- name: MSE_DATABASE_PASSWORD
value: not_so_secret
- name: MSE_REDIS_SERVER
value: localhost
- name: MSE_REDIS_PORT
value: '6379'
command:
- /bin/sh
args:
- '-c'
- |
set -e
apk add bash=5.1.16-r0 \
postgresql-client \
php7-gd=7.4.33-r1 \
php7-xsl=7.4.33-r1 \
php7-pdo=7.4.33-r1 \
php7-pgsql=7.4.33-r1 \
php7-pdo_pgsql=7.4.33-r1 \
php7-soap=7.4.33-r1 \
php7-ldap=7.4.33-r1 \
php7-pdo_mysql=7.4.33-r1 \
php7-bcmath=7.4.33-r1 \
php7-intl=7.4.33-r1 \
php7-fileinfo=7.4.33-r1 \
php7-iconv=7.4.33-r1 \
php7-pecl-amqp=1.11.0-r0 \
php7-pecl-redis=5.3.6-r0
echo "memory_limit = 512M" >> /etc/php7/conf.d/03_base.ini
echo "memory_limit = 512M" >> /etc/php8/conf.d/03_base.ini
cd $(workspaces.source.path)
./bin/phpunit -c ./app --group unit --stderr --testdox -d memory_limit=1024M $(PHPUNIT_ARGS)
onError: continue
- name: php-functional
image: reg.cadoles.com/cadoles/symfony:alpine-php-7.4-base-20230926
env:
- name: PHP_FPM_MEMORY_LIMIT
value: 512m
- name: MSE_DATABASE_DRIVER
value: pdo_pgsql
- name: MSE_DATABASE_HOST
value: localhost
- name: MSE_DATABASE_PORT
value: '5432'
- name: MSE_DATABASE_NAME
value: postgres
- name: MSE_DATABASE_USER
value: postgres
- name: MSE_DATABASE_PASSWORD
value: not_so_secret
- name: MSE_REDIS_SERVER
value: rfs-portal-redis
- name: MSE_REDIS_PORT
value: '26379'
- name: MSE_REDIS_SERVER
value: rfs-tekton-redis
command:
- /bin/sh
args:
- '-c'
- |
set -e
apk add bash=5.1.16-r0 \
postgresql-client \
php7-gd=7.4.33-r1 \
php7-xsl=7.4.33-r1 \
php7-pdo=7.4.33-r1 \
php7-pgsql=7.4.33-r1 \
php7-pdo_pgsql=7.4.33-r1 \
php7-soap=7.4.33-r1 \
php7-ldap=7.4.33-r1 \
php7-pdo_mysql=7.4.33-r1 \
php7-bcmath=7.4.33-r1 \
php7-intl=7.4.33-r1 \
php7-fileinfo=7.4.33-r1 \
php7-iconv=7.4.33-r1 \
php7-pecl-amqp=1.11.0-r0 \
php7-pecl-redis=5.3.6-r0
echo "memory_limit = 512M" >> /etc/php7/conf.d/03_base.ini
echo "memory_limit = 512M" >> /etc/php8/conf.d/03_base.ini
cd $(workspaces.source.path)
/bin/sh ./sidecar-scripts/init_database.sh
./bin/phpunit -c ./app --group integration --stderr --testdox -d memory_limit=1024M $(PHPUNIT_ARGS)

19
kustomization/base/tekton/trigger/imagebuild-binding.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: imagebuild-binding
spec:
params:
- name: url
value: $(body.repository.clone_url)
- name: revision
value: $(body.pull_request.base.ref)
- name: image
value: $(body.repository.full_name)
- name: tag
value: $(body.release.target_commitish)-$(body.release.tag_name)
- name: apiurl
value: $(body.release.url)
- name: requestid
value: $(body.release.id)

66
kustomization/base/tekton/trigger/imagebuild-template.yaml Normal file
View File

@ -0,0 +1,66 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: imagebuild-template
spec:
params:
- name: url
- name: revision
- name: image
- name: tag
- name: dockerfile
- name: registry
- name: apiurl
- name: requestid
- name: requesttype
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: imagebuild-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: hydra-sql-theme
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/hydra-sql-mse-theme/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest

18
kustomization/base/tekton/trigger/msebuild-binding.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: msebuild-binding
spec:
params:
- name: url
value: $(body.repository.clone_url)
- name: revision
value: $(body.pull_request.base.ref)
- name: image
value: $(body.repository.full_name)
- name: apiurl
value: $(body.pull_request.base.repo.url)
- name: requestid
value: $(body.pull_request.number)

389
kustomization/base/tekton/trigger/msebuild-template.yaml Normal file
View File

@ -0,0 +1,389 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: msebuild-template
spec:
params:
- name: url
- name: revision
- name: image
- name: tag
- name: dockerfile
- name: registry
- name: apiurl
- name: requestid
- name: requesttype
resourcetemplates:
# Portal
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-portal-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: portal
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/portal/Dockerfile
- name: context
value: ./
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest
# Hydra Dispatcher Theme
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-hydra-dispatcher-theme-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: hydra-dispatcher-theme
- name: context
value: misc/k8s/images/hydra-dispatcher-mse-theme
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/hydra-dispatcher-mse-theme/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest
# Hydra SQL Theme
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-hydra-sql-theme-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: hydra-sql-theme
- name: context
value: misc/k8s/images/hydra-sql-mse-theme
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/hydra-sql-mse-theme/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest
# Job Base
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-job-base-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: job-base
- name: context
value: misc/k8s/images/job-base
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/job-base/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest
# Mock
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-mock-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: mock
- name: context
value: misc/k8s/images/mock
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/mock/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest
# Ines
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-ines-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: ines
- name: context
value: misc/k8s/images/ines
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/ines/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest
# Shibboleth-sp
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: msebuild-shibboleth-sp-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: imagebuild
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: docker-credentials
secret:
secretName: regcred
- name: git-credentials
secret:
secretName: git-credentials
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: image
value: shibboleth-sp
- name: context
value: misc/k8s/images/sp
- name: tag
value: $(tt.params.tag)
- name: dockerfile
value: ./misc/k8s/images/sp/Dockerfile
- name: registry
value: $(tt.params.registry)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest

16
kustomization/base/tekton/trigger/symfonycheck-binding.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: symfonycheck-binding
spec:
params:
- name: url
value: $(body.pull_request.head.repo.clone_url)
- name: revision
value: $(body.pull_request.head.ref)
- name: apiurl
value: $(body.pull_request.head.repo.url)
- name: requestid
value: $(body.pull_request.number)
- name: destination
value: $(body.pull_request.base.ref)

56
kustomization/base/tekton/trigger/symfonycheck-template.yaml Normal file
View File

@ -0,0 +1,56 @@
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: symfonycheck-template
spec:
params:
- name: url
- name: revision
- name: requestid
- name: destination
- name: apiurl
- name: requesttype
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: symfonycheck-run-
namespace: tekton-pipelines
spec:
serviceAccountName: build-bot
pipelineRef:
name: symfonycheck
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: config
configmap:
name: config-phpcsfixer
- name: docker-credentials
secret:
secretName: regcred
- name: gitea-access-token
secret:
secretName: gitea-access-token
params:
- name: url
value: $(tt.params.url)
- name: revision
value: $(tt.params.revision)
- name: destination
value: $(tt.params.destination)
- name: apiurl
value: $(tt.params.apiurl)
- name: requestid
value: $(tt.params.requestid)
- name: requesttype
value: pullrequest

33
resources/pipeline/test-clone.yaml
View File

@ -1,33 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: test-clone
spec:
description: |
This pipeline clones a git repo, then echoes the README file to the stdout.
params:
- name: repo-url
type: string
description: The git repo URL to clone from.
workspaces:
- name: shared-data
description: |
This workspace contains the cloned repo files, so they can be read by the
next task.
tasks:
- name: git-clone
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: show-readme
runAfter: ["git-clone"]
taskRef:
name: show-readme
workspace:
- name: source
workspace: shared-data

24
resources/pipelinerun/test-clone-run.yaml
View File

@ -1,24 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: test-clone-run-
spec:
pipelineRef:
name: test-clone
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: git-credentials
params:
- name: repo-url
value: https://forge.cadoles.com/CNOUS/mse.git

14
resources/task/common/show-readme.yaml
View File

@ -1,14 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: show-readme
spec:
description: Read and display README file.
workspaces:
- name: source
steps:
- name: read
image: alpine:latest
script: |
#!/usr/bin/env sh
cat $(workspaces.source.path)/README.md

1
secrets/.gitignore vendored
View File

@ -1 +0,0 @@
/gitcred.txt

3
secrets/gitcred.txt.dist
View File

@ -1,3 +0,0 @@
id_rsa=
known_hosts=
config=

11
skaffold.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: skaffold/v3
kind: Config
metadata:
name: tekton-pipelines
manifests:
kustomize:
paths:
- kustomization/base