parts of pipeline, pre-testing
authorAdam A.G. Shamblin <adam@vexingworkshop.com>
Fri, 12 Nov 2021 17:30:29 +0000 (10:30 -0700)
committerAdam A.G. Shamblin <adam@vexingworkshop.com>
Fri, 12 Nov 2021 17:30:29 +0000 (10:30 -0700)
.gitignore
README.md
charts/pipeline/.helmignore [new file with mode: 0644]
charts/pipeline/Chart.yaml [new file with mode: 0644]
charts/pipeline/helm_vars/secrets.yaml [new file with mode: 0644]
charts/pipeline/templates/pipeline.yaml [new file with mode: 0644]
charts/pipeline/templates/rbac.yaml [new file with mode: 0644]
charts/pipeline/templates/secret.yaml [new file with mode: 0644]
charts/pipeline/templates/service-account.yaml [new file with mode: 0644]
charts/pipeline/templates/trigger.yaml [new file with mode: 0644]
charts/pipeline/values.yaml [new file with mode: 0644]

index e6e3288590488a852f0b185a2fee7f8cb2a00612..11468618ff041e1346bbdf2dea0af83aac659b56 100644 (file)
@@ -1,3 +1,4 @@
+cosign.*
 __pycache__
 output
 *.bak
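Review bot: The new `cosign.*` pattern ignores more than the private key; it also matches `cosign.pub`, which is the file consumers need in order to verify signatures and is normally committed. Unless the public key is published elsewhere, narrowing the pattern to `cosign.key` keeps the private key out of the repository without hiding the verification key.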
index 39076f78d66419644cc000598aa4de15c116540a..3d8e5b3b6b5c115632b9744f8c1091a2eab068f3 100644 (file)
--- a/README.md
+++ b/README.md
@@ -35,3 +35,9 @@ docker build -t vexingworkshop/letters:latest
 ```shell
 docker run --rm -p 8080:80 vexingworkshop/letters
 ```
+
+## Installation
+
+## Build Pipeline
+
+The `pipeline` chart depends upon Tekton Pipelines and Triggers.
diff --git a/charts/pipeline/.helmignore b/charts/pipeline/.helmignore
new file mode 100644 (file)
index 0000000..0e8a0eb
--- /dev/null
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/pipeline/Chart.yaml b/charts/pipeline/Chart.yaml
new file mode 100644 (file)
index 0000000..c61df16
--- /dev/null
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: pipeline
+description: A deployment pipeline for Letters
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
diff --git a/charts/pipeline/helm_vars/secrets.yaml b/charts/pipeline/helm_vars/secrets.yaml
new file mode 100644 (file)
index 0000000..acbab9d
--- /dev/null
@@ -0,0 +1,26 @@
+CR_PAT: ENC[AES256_GCM,data:YZI3d8cA1LHck1HROS83ad0h/AnnjA2A+MWzwZJVQs/CkgJ0wjX7fg==,iv:pH9iINbNDd3f7NVf93cZ9LW805OxmlwctPL9DJQnA9E=,tag:pe78jcr+NcMWJPFY18O+eA==,type:str]
+dockerconfigjson: ENC[AES256_GCM,data:b3R9lbb9oZmnAdNmuNX1/pLNpO39Z0ww3jDheGqnCapMAnbZ2uuT6uZ2boBHX73QOuNUS6ygPfwEo3l0hULhcISeV/+qdQBAKa6uUAXAB30LTakG5QAAVU4ZxT6E/h3vQ35UQgguac1bwFdZhR6SgLClvME9xfddyFZGllHyBVqMas2WWv62sY50VbU4vfTyryAy5oe4F1SslsM9Ui3bTRfYqCdyYdY+sBbp2XkTVJQVopYeAlQu7+T9vleJ3bMx3wOAwlMbZ+b15pPczRWtH+AHOd5ytL5w7sFPIGHyRtajR6Y8UtnQoKuUT4+HCrZNrfgWedhr+J+6yxIVShew4OY5mFaK9tJqq54oyygKG9Scc720L/cdrw==,iv:1zZ9T5mZ3cTxuxmHOtTOFjzvJ3zzzoyZ5j3VfUnpDMo=,tag:lbzBff4JzBh2Vh48OPMz6A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2021-11-02T22:35:23Z'
+    mac: ENC[AES256_GCM,data:RhZ78qeYRdJBu62vYBKHFeK2TU3B1+KtdbFgU6sEYEb8bXIOnZaIjCbIV4XqozmTbVcyh1DNw4CP1xKu4WAV+A9keDOJbsp0sbTL0MAMhpx0tOm7f2+9QgaT1dnTgd8QaNH0JJerNh+RVHPW5V1U1RKPO2BrsWAN+AluS91NkO0=,iv:51TW0NuDy7ul2CBpKL1+xek6rmerSr3DXfkBmn8CdsE=,tag:NRMgmIYPpVggrm/+jb5gig==,type:str]
+    pgp:
+    -   created_at: '2021-11-02T22:20:13Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA1ZcWAF5W+pcAQf+MbkE3zi8Q1ehP7Mfn+xAGsGjR9tdS+8wZHRIh3RyTM6V
+            ZBeUOxWVE94vF4msfxMD+NDAsM7s4nzQm+L7DsNi4GVLHMl0J8AHw5ed4cJoqDdO
+            3xNk6AaayDc7nwDAmkGo/j3JRJ4vlUbXsdUnMq3A0sHKfPu/Eft5oC9cBM6O+gJE
+            ZiLwYEbuwf/t3bys29nG8XsyLkh/9FS6p2iQtiH4DYiq168CMtv7YdL12cQ0jvKF
+            PYexirLy3oa3iGRxjh3j14pVmYAvJi48+6xhbiwytGZzqqgMUEStYrh/crwGki+w
+            SFEF+AZ1kaDKuPJH6pkGkRgfXqHHKfemAkpEwO74NNJeAU39PWIvZym2/ksw7PLk
+            WiGqnAH8HDoeKSQfbX5Wft048HHSMPc1mVw+tYl/qUqT3iEtyGZUr9Yb7EP7zcwh
+            OSyym+znjCb/jUXetNQ6GUqvTCQ9s+0NMitbyFLHTw==
+            =Zlav
+            -----END PGP MESSAGE-----
+        fp: 900E8D917F74DE26D78EC5CA439943DBA05D9F36
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
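Review bot: `CR_PAT` is encrypted into this SOPS file but no template in this commit references `.Values.CR_PAT`, so it is a stored secret with no consumer; consider dropping it until something uses it. The `dockerconfigjson` value is read by `templates/secret.yaml`, which only works if this file is decrypted into the chart values at install time (helm-secrets or an equivalent), and the README's new "Installation" section is empty, so that step should be documented. The `sops` block lists a single PGP recipient and no KMS entries, meaning the file is recoverable only through that one key; a second recipient or a KMS key would avoid a single point of loss. Note also that `.helmignore` does not exclude `helm_vars/`, so the ciphertext is packaged into the chart archive.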
diff --git a/charts/pipeline/templates/pipeline.yaml b/charts/pipeline/templates/pipeline.yaml
new file mode 100644 (file)
index 0000000..c0a293b
--- /dev/null
@@ -0,0 +1,46 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: letters-deploy
+spec:
+  params:
+    - name: repo-url
+      type: string
+      description: git repo to clone
+    - name: branch
+      type: string
+      description: git branch to clone
+    - name: image
+      type: string
+      description: name of the image to build
+  workspaces:
+    - name: source
+      description: shared space containing source code
+    - name: dockerconfig
+      description: secret containing dockerconfigjson value
+  tasks:
+    - name: pull-source
+      taskRef:
+        name: git-clone
+        bundle: gcr.io/tekton-releases/catalog/upstream/git-clone:0.4
+      params:
+        - name: url
+          value: $(params.repo-url)
+        - name: branch
+          value: $(params.branch)
+      workspaces:
+        - name: output
+          workspace: source
+    - name: build-container
+      taskRef:
+        name: kaniko
+        bundle: gcr.io/tekton-releases/catalog/upstream/kaniko:0.5
+      runAfter:
+        - pull-source
+      params:
+        - name: IMAGE
+          value: $(params.image)
+      workspaces:
+        - name: source
+          workspace: source
+    - name: deploy
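Review bot: The `dockerconfig` workspace declared on the Pipeline is never handed to `build-container`, so the kaniko task has no registry credentials when it pushes `$(params.image)`; the catalog kaniko task appears to expose an optional `dockerconfig` workspace, so adding `- name: dockerconfig` / `workspace: dockerconfig` under the task's `workspaces` wires it through. The file ends at `- name: deploy` with no `taskRef` or `taskSpec`, so as committed the Pipeline will not pass validation (the commit message says "pre-testing", but it is worth flagging). The two `bundle` references are pinned by tag only (`:0.4`, `:0.5`); pinning them by digest (`gcr.io/...:0.5@sha256:<DIGEST-PLACEHOLDER>`) makes the task definitions immutable and verifiable.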
diff --git a/charts/pipeline/templates/rbac.yaml b/charts/pipeline/templates/rbac.yaml
new file mode 100644 (file)
index 0000000..b62b905
--- /dev/null
@@ -0,0 +1,53 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: event-listener-role
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: event-listener-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.listener }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: event-listener-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/vv1
+kind: Role
+metadata:
+  name: pipeline-role
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/vv1
+kind: Role
+metadata:
+  name: pipeline-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.listener }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: pipeline-role
+  apiGroup: rbac.authorization.k8s.io
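Review bot: The last two documents carry `apiVersion: rbac.authorization.k8s.io/vv1`, which the API server will reject, and `pipeline-rolebinding` is declared as `kind: Role` while its body (`subjects`/`roleRef`) is that of a binding; it should read `apiVersion: rbac.authorization.k8s.io/v1` on both and `kind: RoleBinding` for the binding. That binding also names `{{ .Values.serviceAccount.listener }}` as its subject, so the pod-create role is attached to the listener rather than the pipeline account; `name: {{ .Values.serviceAccount.pipeline }}` looks like the intent, given the separate account defined in `service-account.yaml`. The `event-listener-role` ClusterRole grants get/list/watch on every Secret in the cluster and is bound cluster-wide; the GitHub interceptor only needs to read `github-secret` in the release namespace, so a namespaced Role/RoleBinding is the least-privilege shape. Both ClusterRole names are fixed strings, so two releases of the chart in one cluster would collide on them.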
diff --git a/charts/pipeline/templates/secret.yaml b/charts/pipeline/templates/secret.yaml
new file mode 100644 (file)
index 0000000..ea9aaa5
--- /dev/null
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  config.json: {{ .Values.dockerconfigjson }}
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: github-docker-config
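Review bot: `data.config.json` is set to an unquoted `{{ .Values.dockerconfigjson }}`; `data` values must be base64, and if the decrypted value is plain JSON the rendered scalar begins with `{` and is parsed as a flow mapping, so the manifest fails either at YAML parse or at admission. Encode and quote it at render time, `config.json: {{ .Values.dockerconfigjson | b64enc | quote }}`, or, if the stored value is already base64, at least `| quote` it so an empty expansion does not become `null`. `creationTimestamp: null` is export residue and can be dropped.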
diff --git a/charts/pipeline/templates/service-account.yaml b/charts/pipeline/templates/service-account.yaml
new file mode 100644 (file)
index 0000000..ea378d8
--- /dev/null
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.listener }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.pipeline }}
diff --git a/charts/pipeline/templates/trigger.yaml b/charts/pipeline/templates/trigger.yaml
new file mode 100644 (file)
index 0000000..91ce862
--- /dev/null
@@ -0,0 +1,89 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+  name: cluster-listener
+serviceAccountName: {{ .Values.serviceAccount.listener }}
+spec:
+  triggers:
+    - triggerRef: letters-trigger
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: Trigger
+metadata:
+  name: letters-trigger
+spec:
+  interceptors:
+    - ref:
+        name: "github"
+        kind: ClusterInterceptor
+        apiVersion: triggers.tekton.dev
+      params:
+        - name: "secretRef"
+          value:
+            secretName: github-secret
+            secretKey: secretToken
+        - name: "eventTypes"
+          value: ["push"]
+    - ref:
+        name: "cel"
+      params:
+        - name: "filter"
+          value: "body.ref == ['refs/head/main']"
+  bindings:
+    - ref: letters-binding
+  template:
+    ref: letters-template
+---
+apiVersion: trigger.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+  name: letters-binding
+spec:
+  params:
+    - name: repo-url
+      value: $(body.repository.url)
+    - name: branch
+      value: main
+    - name: image
+      value: $()
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: letters-template
+spec:
+  params:
+    - name: repo-url
+      description: git repo to clone
+    - name: branch
+      description: git branch to clone
+      default: main
+    - name: image
+      description: published image
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1beta1
+      kind: PipelineRun
+      metadata:
+        generateName: letters-run-
+      pipelineRef:
+        name: letters-deploy
+      workspaces:
+        - name: source
+          volumeClaimTemplate:
+            spec:
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 1Gi
+              storageClassName: do-block-storage
+        - name: dockerconfig
+          secret:
+            secretName: github-docker-config
+      params:
+        - name: repo-url
+          value: $(tt.params.repo-url)
+        - name: branch
+          value: $(tt.params.branch)
+        - name: image
+          value: $(tt.params.image)
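Review bot: `serviceAccountName` sits at the top level of the EventListener rather than under `spec`, and the PipelineRun inside `resourcetemplates` has `pipelineRef`, `workspaces` and `params` as top-level fields with no `spec:` at all, so neither resource will be accepted as written; the PipelineRun also never sets a `serviceAccountName`, leaving the `pipeline` service account and its Role unused. The CEL filter `body.ref == ['refs/head/main']` compares a string to a list and misspells the ref, so it never matches; `body.ref == 'refs/heads/main'` is the intended guard. The TriggerBinding's `apiVersion: trigger.tekton.dev/v1beta1` is missing the `s`, and `image: $()` is an empty expression, so the build receives an empty IMAGE until a real reference (a chart value, for example) is supplied. The `github-secret` Secret referenced by the interceptor is not created by this chart, so it must pre-exist in the release namespace and that should be documented.

```yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: cluster-listener
spec:
  serviceAccountName: {{ .Values.serviceAccount.listener }}
  triggers:
    - triggerRef: letters-trigger
# … unchanged: Trigger document, github interceptor …
        - name: "filter"
          value: "body.ref == 'refs/heads/main'"
# … unchanged: bindings, template …
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
# … unchanged: binding params (image still needs a real value) …
# … unchanged: TriggerTemplate params …
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: letters-run-
      spec:
        serviceAccountName: {{ .Values.serviceAccount.pipeline }}
        pipelineRef:
          name: letters-deploy
        # … unchanged: workspaces and params, indented under spec …
```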
diff --git a/charts/pipeline/values.yaml b/charts/pipeline/values.yaml
new file mode 100644 (file)
index 0000000..9602d49
--- /dev/null
@@ -0,0 +1,3 @@
+serviceAccount:
+  pipeline: letters-pipeline
+  listener: cluster-listener