From 0714686802bc9b32199abd590c44dfdbfbcd2edc Mon Sep 17 00:00:00 2001 From: "Adam A.G. Shamblin" Date: Fri, 12 Nov 2021 10:30:29 -0700 Subject: [PATCH] parts of pipeline, pre-testing
---
 .gitignore | 1 + README.md | 6 ++ charts/pipeline/.helmignore | 23 +++++ charts/pipeline/Chart.yaml | 6 ++ charts/pipeline/helm_vars/secrets.yaml | 26 ++++++ charts/pipeline/templates/pipeline.yaml | 46 ++++++++++ charts/pipeline/templates/rbac.yaml | 53 +++++++++++ charts/pipeline/templates/secret.yaml | 7 ++ .../pipeline/templates/service-account.yaml | 10 +++ charts/pipeline/templates/trigger.yaml | 89 +++++++++++++++++++ charts/pipeline/values.yaml | 3 + 11 files changed, 270 insertions(+) create mode 100644 charts/pipeline/.helmignore create mode 100644 charts/pipeline/Chart.yaml create mode 100644 charts/pipeline/helm_vars/secrets.yaml create mode 100644 charts/pipeline/templates/pipeline.yaml create mode 100644 charts/pipeline/templates/rbac.yaml create mode 100644 charts/pipeline/templates/secret.yaml create mode 100644 charts/pipeline/templates/service-account.yaml create mode 100644 charts/pipeline/templates/trigger.yaml create mode 100644 charts/pipeline/values.yaml
diff --git a/.gitignore b/.gitignore
index e6e3288..1146861 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+cosign.*
 __pycache__
 output
 *.bak
diff --git a/README.md b/README.md
index 39076f7..3d8e5b3 100644
--- a/README.md
+++ b/README.md
@@ -35,3 +35,9 @@ docker build -t vexingworkshop/letters:latest
 ```shell
 docker run --rm -p 8080:80 vexingworkshop/letters
 ```
+
+## Installation
+
+## Build Pipeline
+
+The `pipeline` chart depends upon Tekton Pipelines and Triggers.
diff --git a/charts/pipeline/.helmignore b/charts/pipeline/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/pipeline/.helmignore
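Review bot: The new `cosign.*` pattern also hides `cosign.pub`, which — if this is the sigstore key pair from `cosign generate-key-pair` — is the public verification key that consumers of the signed image need and that is normally committed alongside the build; only the private half must stay out of the repository. Narrowing the line to `cosign.key` keeps the secret out while leaving the verification key tracked and reviewable.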
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/pipeline/Chart.yaml b/charts/pipeline/Chart.yaml
new file mode 100644
index 0000000..c61df16
--- /dev/null
+++ b/charts/pipeline/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: pipeline
+description: A deployment pipeline for Letters
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
diff --git a/charts/pipeline/helm_vars/secrets.yaml b/charts/pipeline/helm_vars/secrets.yaml
new file mode 100644
index 0000000..acbab9d
--- /dev/null
+++ b/charts/pipeline/helm_vars/secrets.yaml
@@ -0,0 +1,26 @@
+CR_PAT: ENC[AES256_GCM,data:YZI3d8cA1LHck1HROS83ad0h/AnnjA2A+MWzwZJVQs/CkgJ0wjX7fg==,iv:pH9iINbNDd3f7NVf93cZ9LW805OxmlwctPL9DJQnA9E=,tag:pe78jcr+NcMWJPFY18O+eA==,type:str]
+dockerconfigjson: ENC[AES256_GCM,data:b3R9lbb9oZmnAdNmuNX1/pLNpO39Z0ww3jDheGqnCapMAnbZ2uuT6uZ2boBHX73QOuNUS6ygPfwEo3l0hULhcISeV/+qdQBAKa6uUAXAB30LTakG5QAAVU4ZxT6E/h3vQ35UQgguac1bwFdZhR6SgLClvME9xfddyFZGllHyBVqMas2WWv62sY50VbU4vfTyryAy5oe4F1SslsM9Ui3bTRfYqCdyYdY+sBbp2XkTVJQVopYeAlQu7+T9vleJ3bMx3wOAwlMbZ+b15pPczRWtH+AHOd5ytL5w7sFPIGHyRtajR6Y8UtnQoKuUT4+HCrZNrfgWedhr+J+6yxIVShew4OY5mFaK9tJqq54oyygKG9Scc720L/cdrw==,iv:1zZ9T5mZ3cTxuxmHOtTOFjzvJ3zzzoyZ5j3VfUnpDMo=,tag:lbzBff4JzBh2Vh48OPMz6A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ lastmodified: '2021-11-02T22:35:23Z'
+ mac: ENC[AES256_GCM,data:RhZ78qeYRdJBu62vYBKHFeK2TU3B1+KtdbFgU6sEYEb8bXIOnZaIjCbIV4XqozmTbVcyh1DNw4CP1xKu4WAV+A9keDOJbsp0sbTL0MAMhpx0tOm7f2+9QgaT1dnTgd8QaNH0JJerNh+RVHPW5V1U1RKPO2BrsWAN+AluS91NkO0=,iv:51TW0NuDy7ul2CBpKL1+xek6rmerSr3DXfkBmn8CdsE=,tag:NRMgmIYPpVggrm/+jb5gig==,type:str]
+ pgp:
+ - created_at: '2021-11-02T22:20:13Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA1ZcWAF5W+pcAQf+MbkE3zi8Q1ehP7Mfn+xAGsGjR9tdS+8wZHRIh3RyTM6V
+ ZBeUOxWVE94vF4msfxMD+NDAsM7s4nzQm+L7DsNi4GVLHMl0J8AHw5ed4cJoqDdO
+ 3xNk6AaayDc7nwDAmkGo/j3JRJ4vlUbXsdUnMq3A0sHKfPu/Eft5oC9cBM6O+gJE
+ ZiLwYEbuwf/t3bys29nG8XsyLkh/9FS6p2iQtiH4DYiq168CMtv7YdL12cQ0jvKF
+ PYexirLy3oa3iGRxjh3j14pVmYAvJi48+6xhbiwytGZzqqgMUEStYrh/crwGki+w
+ SFEF+AZ1kaDKuPJH6pkGkRgfXqHHKfemAkpEwO74NNJeAU39PWIvZym2/ksw7PLk
+ WiGqnAH8HDoeKSQfbX5Wft048HHSMPc1mVw+tYl/qUqT3iEtyGZUr9Yb7EP7zcwh
+ OSyym+znjCb/jUXetNQ6GUqvTCQ9s+0NMitbyFLHTw==
+ =Zlav
+ -----END PGP MESSAGE-----
+ fp: 900E8D917F74DE26D78EC5CA439943DBA05D9F36
+ unencrypted_suffix: _unencrypted
+ version: 3.4.0
diff --git a/charts/pipeline/templates/pipeline.yaml b/charts/pipeline/templates/pipeline.yaml
new file mode 100644
index 0000000..c0a293b
--- /dev/null
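Review bot: `CR_PAT` is encrypted into this values file but no template in the commit reads `.Values.CR_PAT` (only `dockerconfigjson` is consumed, by secret.yaml), so a registry token is being committed, even if encrypted, with no consumer; drop it until a template needs it, so the secret material in the repo is limited to what the release actually uses. The `sops` stanza has a single PGP recipient (`fp: 900E8D91…`) and empty `kms`/`gcp_kms`/`azure_kv` lists, which makes that one private key the only way to ever decrypt or re-key this file — adding a second recipient or a KMS key before the token is rotated avoids a lock-out. The `helm_vars/` layout suggests a helm secrets plugin is expected to decrypt it at install time, but nothing says so; a line under the README's new "Installation" heading stating how the file is decrypted and which key fingerprint must be present would make that workflow discoverable.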
+++ b/charts/pipeline/templates/pipeline.yaml
@@ -0,0 +1,46 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: letters-deploy
+spec:
+ params:
+ - name: repo-url
+ type: string
+ description: git repo to clone
+ - name: branch
+ type: string
+ description: git branch to clone
+ - name: image
+ type: string
+ description: name of the image to build
+ workspaces:
+ - name: source
+ description: shared space containing source code
+ - name: dockerconfig
+ description: secret containing dockerconfigjson value
+ tasks:
+ - name: pull-source
+ taskRef:
+ name: git-clone
+ bundle: gcr.io/tekton-releases/catalog/upstream/git-clone:0.4
+ params:
+ - name: url
+ value: $(params.repo-url)
+ - name: branch
+ value: $(params.branch)
+ workspaces:
+ - name: output
+ workspace: source
+ - name: build-container
+ taskRef:
+ name: kaniko
+ bundle: gcr.io/tekton-releases/catalog/upstream/kaniko:0.5
+ runAfter:
+ - pull-source
+ params:
+ - name: IMAGE
+ value: $(params.image)
+ workspaces:
+ - name: source
+ workspace: source
+ - name: deploy
diff --git a/charts/pipeline/templates/rbac.yaml b/charts/pipeline/templates/rbac.yaml
new file mode 100644
index 0000000..b62b905
--- /dev/null
+++ b/charts/pipeline/templates/rbac.yaml
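Review bot: The `dockerconfig` workspace is declared on the pipeline but never bound to a task, so `build-container` runs kaniko without the registry credentials that `github-docker-config` is meant to supply and the push will fail (or fall back to anonymous); add `- name: dockerconfig` / `workspace: dockerconfig` under `build-container`'s `workspaces`, matching the catalog kaniko task's optional workspace of that name. The trailing `- name: deploy` entry has neither `taskRef` nor `taskSpec`, which is not a valid PipelineTask, so the manifest should not ship with it until the task is written (the subject line says pre-testing). Both catalog bundles are referenced by floating tag (`git-clone:0.4`, `kaniko:0.5`); pinning them by `@sha256:` digest keeps a re-pushed tag from silently changing what executes in the cluster and makes builds reproducible.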
@@ -0,0 +1,53 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: event-listener-role
+rules:
+ - apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: event-listener-rolebinding
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.listener }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: event-listener-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/vv1
+kind: Role
+metadata:
+ name: pipeline-role
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/vv1
+kind: Role
+metadata:
+ name: pipeline-rolebinding
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.listener }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: pipeline-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/pipeline/templates/secret.yaml b/charts/pipeline/templates/secret.yaml
new file mode 100644
index 0000000..ea9aaa5
--- /dev/null
+++ b/charts/pipeline/templates/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ config.json: {{ .Values.dockerconfigjson }}
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: github-docker-config
diff --git a/charts/pipeline/templates/service-account.yaml b/charts/pipeline/templates/service-account.yaml
new file mode 100644
index 0000000..ea378d8
--- /dev/null
+++ b/charts/pipeline/templates/service-account.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.listener }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.pipeline }}
diff --git a/charts/pipeline/templates/trigger.yaml b/charts/pipeline/templates/trigger.yaml
new file mode 100644
index 0000000..91ce862
--- /dev/null
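Review bot: The third and fourth documents use `apiVersion: rbac.authorization.k8s.io/vv1`, which no API server serves, so the whole release fails to apply; both should read `apiVersion: rbac.authorization.k8s.io/v1`. The fourth document is a binding (it has `subjects` and `roleRef`) but is declared `kind: Role`; it needs `kind: RoleBinding`, and since `pipeline-role` is the pod permission for the PipelineRun, its subject should presumably be `{{ .Values.serviceAccount.pipeline }}` rather than the listener account (values.yaml defines both and the pipeline one is otherwise unused). `event-listener-role` is a ClusterRole bound by a ClusterRoleBinding, which lets the listener read every Secret in the cluster just to resolve one interceptor `secretRef`; a namespaced Role/RoleBinding in `{{ .Release.Namespace }}` gives it the same lookup with far smaller blast radius. I would also expect the listener to need read access to the `triggers.tekton.dev` resources it resolves and `create` on `pipelineruns`, none of which appears here — worth checking against the Tekton Triggers RBAC guidance before testing.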
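Review bot: `config.json: {{ .Values.dockerconfigjson }}` renders the value unquoted, so when the key is absent (a plain `helm install` without `helm_vars/secrets.yaml`, and values.yaml declares no default) the line becomes `config.json:` and a null Secret entry is created silently, and a value starting with a YAML special would be mis-parsed; render it as `config.json: {{ required "dockerconfigjson is required" .Values.dockerconfigjson | quote }}` so a missing credential fails the install instead. `data:` expects the base64 form; I can't tell from the encrypted file whether the stored value is already encoded, so either `b64enc` it here or switch the key to `stringData:` if it is raw JSON. `creationTimestamp: null` is kubectl export residue and can be dropped.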
+++ b/charts/pipeline/templates/trigger.yaml
@@ -0,0 +1,89 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+ name: cluster-listener
+serviceAccountName: {{ .Values.serviceAccount.listener }}
+spec:
+ triggers:
+ - triggerRef: letters-trigger
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: Trigger
+metadata:
+ name: letters-trigger
+spec:
+ interceptors:
+ - ref:
+ name: "github"
+ kind: ClusterInterceptor
+ apiVersion: triggers.tekton.dev
+ params:
+ - name: "secretRef"
+ value:
+ secretName: github-secret
+ secretKey: secretToken
+ - name: "eventTypes"
+ value: ["push"]
+ - ref:
+ name: "cel"
+ params:
+ - name: "filter"
+ value: "body.ref == ['refs/head/main']"
+ bindings:
+ - ref: letters-binding
+ template:
+ ref: letters-template
+---
+apiVersion: trigger.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+ name: letters-binding
+spec:
+ params:
+ - name: repo-url
+ value: $(body.repository.url)
+ - name: branch
+ value: main
+ - name: image
+ value: $()
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+ name: letters-template
+spec:
+ params:
+ - name: repo-url
+ description: git repo to clone
+ - name: branch
+ description: git branch to clone
+ default: main
+ - name: image
+ description: published image
+ resourcetemplates:
+ - apiVersion: tekton.dev/v1beta1
+ kind: PipelineRun
+ metadata:
+ generateName: letters-run-
+ pipelineRef:
+ name: letters-deploy
+ workspaces:
+ - name: source
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: do-block-storage
+ - name: dockerconfig
+ secret:
+ secretName: github-docker-config
+ params:
+ - name: repo-url
+ value: $(tt.params.repo-url)
+ - name: branch
+ value: $(tt.params.branch)
+ - name: image
+ value: $(tt.params.image)
diff --git a/charts/pipeline/values.yaml b/charts/pipeline/values.yaml
new file mode 100644
index 0000000..9602d49
--- /dev/null
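Review bot: The CEL filter `body.ref == ['refs/head/main']` compares a string against a list, so it never evaluates true and no push will ever start a run; the intended expression is `body.ref == 'refs/heads/main'` (note `heads`). `serviceAccountName` sits at the top level of the EventListener instead of under `spec:`; an unknown top-level field is most likely pruned on admission, so the listener would quietly run as the namespace's `default` account rather than `{{ .Values.serviceAccount.listener }}`, and it should move to `spec.serviceAccountName`. The TriggerBinding's `apiVersion: trigger.tekton.dev/v1beta1` is missing the `s` (`triggers.tekton.dev/v1beta1`), and its `image` param is the empty `$()`, which hands kaniko a blank `IMAGE`. The `github` interceptor correctly points webhook-signature validation at `github-secret`/`secretToken`, but no Secret of that name is created anywhere in this chart, so the listener will reject every delivery until that Secret (or a values entry that renders it) exists. `storageClassName: do-block-storage` is provider-specific and belongs in values.yaml rather than hard-coded in the template.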
+++ b/charts/pipeline/values.yaml
@@ -0,0 +1,3 @@
+serviceAccount:
+ pipeline: letters-pipeline
+ listener: cluster-listener
-- 2.39.5