diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..28af760
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+delete-*
\ No newline at end of file
diff --git a/ace/.keep b/ace/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/config/argocd/ci/ci-app-rest.yaml b/ace/config/argocd/ci/ci-app-rest.yaml
new file mode 100644
index 0000000..62d6b59
--- /dev/null
+++ b/ace/config/argocd/ci/ci-app-rest.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-ace-rest-ci-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: ci
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: ace/environments/ci
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/ace/config/argocd/ci/ci-scc.yaml b/ace/config/argocd/ci/ci-scc.yaml
new file mode 100644
index 0000000..a5dc957
--- /dev/null
+++ b/ace/config/argocd/ci/ci-scc.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ci-scc
+ annotations:
+ argocd.argoproj.io/sync-wave: "250"
+ labels:
+ gitops.tier.group: cntk
+ gitops.tier.layer: applications
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: ci
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: shared/config/ci/instances/scc
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/ace/config/argocd/ci/ci-shared-secrets.yaml b/ace/config/argocd/ci/ci-shared-secrets.yaml
new file mode 100644
index 0000000..db8ff23
--- /dev/null
+++ b/ace/config/argocd/ci/ci-shared-secrets.yaml
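Review bot: `apps-ace-rest-ci-1` carries no `gitops.tier.group` / `gitops.tier.layer` labels, while the sibling `ci-scc` Application in this hunk (and `shared-secrets` in the next) does; if those labels drive selection or reporting elsewhere in the repo, this app and the dev, staging and prod `*-app-rest.yaml` Applications will be missed. Suggest adding under `metadata:` the lines `labels:` / `gitops.tier.layer: applications` (plus the appropriate `gitops.tier.group`) so the four rest apps match their siblings. Note also that `targetRevision: master` combined with automated `prune` and `selfHeal` means every push to that branch is applied to the `ci` namespace without further review, so branch protection on the repo is effectively part of the cluster's trust boundary and is worth stating in a comment above `syncPolicy:`.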
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: shared-secrets
+ annotations:
+ argocd.argoproj.io/sync-wave: "260"
+ labels:
+ gitops.tier.group: cloudpak
+ gitops.tier.layer: applications
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: tools
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: shared/config/tools/secrets/
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/ace/config/argocd/dev/dev-app-rest.yaml b/ace/config/argocd/dev/dev-app-rest.yaml
new file mode 100644
index 0000000..2567c36
--- /dev/null
+++ b/ace/config/argocd/dev/dev-app-rest.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-ace-rest-dev-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: dev
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: ace/environments/overlays/dev
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/ace/config/argocd/prod/prod-app-rest.yaml b/ace/config/argocd/prod/prod-app-rest.yaml
new file mode 100644
index 0000000..db40e97
--- /dev/null
+++ b/ace/config/argocd/prod/prod-app-rest.yaml
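Review bot: `shared-secrets` sits under `ace/config/argocd/ci/` but its `destination.namespace` is `tools` and its source is `shared/config/tools/secrets/`, so a reader grouping Applications by folder will assume it deploys to `ci` and may "correct" it. If targeting `tools` is intended, say so in a one-line comment above `destination:`, e.g. `# intentionally targets the tools namespace, not ci`. The trailing slash on `path:` is also inconsistent with every other Application in this commit and can be dropped.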
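Review bot: The dev Application's `source.path` is `ace/environments/overlays/dev`, but `ace-bar-pipeline.yaml` in this same commit defaults `git-ops-destination-directory` to `ace/environments/dev/integrationServer` and `git-ops-kustomization-path` to `ace/environments/dev/kustomization.yaml`; neither `ace/environments/overlays/` nor `ace/environments/dev/` is created here, so at least one side points at a layout that does not exist yet. The staging and prod Applications in the next hunks use the `overlays/` form as well. Pick one layout and align the pipeline defaults, e.g. `path: ace/environments/dev` here or `default: ace/environments/overlays/dev/integrationServer` in the pipeline, and add a comment above `path:` naming the overlay it expects.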
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-ace-rest-prod-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: prod
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: ace/environments/overlays/prod
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/ace/config/argocd/staging/stage-app-rest.yaml b/ace/config/argocd/staging/stage-app-rest.yaml
new file mode 100644
index 0000000..1a0792a
--- /dev/null
+++ b/ace/config/argocd/staging/stage-app-rest.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-ace-rest-staging-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: staging
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: ace/environments/overlays/staging
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/ace/environments/base/configurations/.keep b/ace/environments/base/configurations/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/base/configurations/ibm_ace_server_jks.yaml b/ace/environments/base/configurations/ibm_ace_server_jks.yaml
new file mode 100644
index 0000000..bed8cff
--- /dev/null
+++ b/ace/environments/base/configurations/ibm_ace_server_jks.yaml
@@ -0,0 +1,7 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: Configuration
+metadata:
+ name: ibm-ace-server.jks
+spec:
+ type: keystore
+ secretName: ibm-ace-server.jks
diff --git a/ace/environments/base/configurations/ibm_ca_jks.yaml b/ace/environments/base/configurations/ibm_ca_jks.yaml
new file mode 100644
index 0000000..79d6e88
--- /dev/null
+++ b/ace/environments/base/configurations/ibm_ca_jks.yaml
@@ -0,0 +1,7 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: Configuration
+metadata:
+ name: ibm-ca.jks
+spec:
+ type: truststore
+ secretName: ibm-ca.jks
diff --git a/ace/environments/base/configurations/ibm_rest_dbparms_txt.yaml b/ace/environments/base/configurations/ibm_rest_dbparms_txt.yaml
new file mode 100644
index 0000000..19690c5
--- /dev/null
+++ b/ace/environments/base/configurations/ibm_rest_dbparms_txt.yaml
@@ -0,0 +1,7 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: Configuration
+metadata:
+ name: ibm-rest-dbparms.txt
+spec:
+ type: setdbparms
+ secretName: ibm-rest-dbparms.txt
diff --git a/ace/environments/base/configurations/ibm_rest_policy.yaml b/ace/environments/base/configurations/ibm_rest_policy.yaml
new file mode 100644
index 0000000..eadb07f
--- /dev/null
+++ b/ace/environments/base/configurations/ibm_rest_policy.yaml
@@ -0,0 +1,7 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: Configuration
+metadata:
+ name: ibm-rest-policy
+spec:
+ type: policyproject
+ contents: 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
diff --git a/ace/environments/base/configurations/ibm_rest_serverconf_yaml.yaml b/ace/environments/base/configurations/ibm_rest_serverconf_yaml.yaml
new file mode 100644
index 0000000..03540f4
--- /dev/null
+++ b/ace/environments/base/configurations/ibm_rest_serverconf_yaml.yaml
@@ -0,0 +1,7 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: Configuration
+metadata:
+ name: ibm-rest-serverconf.yaml
+spec:
+ type: serverconf
+ contents: 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
diff --git a/ace/environments/base/integrationServer/.keep b/ace/environments/base/integrationServer/.keep
new file mode 100644
index 0000000..e69de29
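Review bot: The `contents:` values of `ibm-rest-policy` and `ibm-rest-serverconf.yaml` are opaque base64 blobs committed in plain `Configuration` objects, unlike the keystore, truststore and setdbparms siblings that reference a `secretName`; nothing in either file says what they decode to, so a reviewer cannot tell whether a server.conf.yaml or policy project that typically carries endpoint and security settings is also carrying credentials. Suggest a comment above each `contents:` naming the source file and confirming it holds no secrets, e.g. `# base64 of <path-to-server.conf.yaml>; reviewed, contains no credentials`, and moving any credential-bearing content behind a `secretName` like the other four Configurations.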
diff --git a/ace/environments/base/integrationServer/IntegrationServer.yaml b/ace/environments/base/integrationServer/IntegrationServer.yaml
new file mode 100644
index 0000000..1bc4408
--- /dev/null
+++ b/ace/environments/base/integrationServer/IntegrationServer.yaml
@@ -0,0 +1,29 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: IntegrationServer
+metadata:
+ name: create-customer-details-rest
+spec:
+ designerFlowsOperationMode: disabled
+ license:
+ accept: true
+ license: L-KSBM-C37J2R
+ use: CloudPakForIntegrationNonProduction
+ replicas: 1
+ router:
+ timeout: 120s
+ service:
+ endpointType: https
+ useCommonServices: true
+ version: 12.0.1.0-r3
+ adminServerSecure: true
+ pod:
+ containers:
+ runtime:
+ image: TO BE REPLACE BY PROMOTIONS PIPELINES
+ imagePullPolicy: Always
+ configurations:
+ - ibm-rest-dbparms.txt
+ - ibm-rest-serverconf.yaml
+ - ibm-rest-policy
+ - ibm-ace-server.jks
+ - ibm-ca.jks
diff --git a/ace/environments/base/kustomization.yaml b/ace/environments/base/kustomization.yaml
new file mode 100644
index 0000000..a5e67ec
--- /dev/null
+++ b/ace/environments/base/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+ - secrets/basic-auth-rest-secret.yaml
+ - secrets/ibm-ace-server-jks-secret.yaml
+ - secrets/ibm-ca-jks-secret.yaml
+ - secrets/ibm-client-key-certs-secret.yaml
+ - secrets/ibm-rest-dbparms-secret.yaml
+ - configurations/ibm_rest_serverconf_yaml.yaml
+ - configurations/ibm_rest_dbparms_txt.yaml
+ - configurations/ibm_ace_server_jks.yaml
+ - configurations/ibm_ca_jks.yaml
+ - configurations/ibm_rest_policy.yaml
+ - integrationServer/IntegrationServer.yaml
diff --git a/ace/environments/base/secrets/.keep b/ace/environments/base/secrets/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/base/secrets/basic-auth-rest-secret.yaml b/ace/environments/base/secrets/basic-auth-rest-secret.yaml
new file mode 100644
index 0000000..b1c4f84
--- /dev/null
+++ b/ace/environments/base/secrets/basic-auth-rest-secret.yaml
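Review bot: `image: TO BE REPLACE BY PROMOTIONS PIPELINES` is a placeholder, and the base `kustomization.yaml` in this hunk includes `integrationServer/IntegrationServer.yaml` directly, so any `kustomize build` of `ace/environments/base` yields an IntegrationServer with an unparseable image reference; an overlay that patches it is presumably expected, but none is in this commit. `license.use: CloudPakForIntegrationNonProduction` also sits in the shared base that the prod Application will inherit unless its overlay overrides it. Suggest a comment above `image:` such as `# placeholder: overlays must patch spec.pod.containers.runtime.image before this is applied`, and a prod overlay patch for `license.use` if a production entitlement is meant there.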
@@ -0,0 +1,19 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: basic-auth-rest
+spec:
+ encryptedData:
+ password: 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
+ username: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: basic-auth-rest
+ type: Opaque
+
diff --git a/ace/environments/base/secrets/functional-test-secrets.sh b/ace/environments/base/secrets/functional-test-secrets.sh
new file mode 100755
index 0000000..00f7804
--- /dev/null
+++ b/ace/environments/base/secrets/functional-test-secrets.sh
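Review bot: Every SealedSecret in this commit is sealed with `sealedsecrets.bitnami.com/cluster-wide: "true"` (basic-auth-rest here, and ibm-ace-server.jks, ibm-ca.jks, ibm-client-key-certs and ibm-rest-dbparms.txt in the following hunks), matching `--scope cluster-wide` in the generating scripts. Cluster-wide scope removes the name/namespace binding from the ciphertext, so the same blob can be unsealed under any name in any namespace by anyone allowed to create a SealedSecret there, which widens who can recover the basic-auth password and the client key well beyond the namespaces these are meant for. Unless the secrets genuinely must be reused across namespaces, reseal with the default strict scope (drop `--scope cluster-wide` and the annotation), or at least `--scope namespace-wide` so the ciphertext is bound to its target namespace. `creationTimestamp: null` in both metadata blocks is `--dry-run` residue and can be removed.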
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Set variables
+USERNAME= (aceuser)
+PASSWORD= (changeit)
+CERT_PATH=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret generic basic-auth-rest \
+--from-literal=username=${USERNAME} \
+--from-literal=password=${PASSWORD} \
+--type Opaque \
+--dry-run=true -o yaml > delete-basic-auth-rest-secret.yaml
+
+oc create secret generic ibm-client-key-certs \
+--from-file=ibm-ca.crt=${CERT_PATH}/ibm-ca.crt \
+--from-file=ibm-client.crt=${CERT_PATH}/ibm-client.crt \
+--from-file=ibm-client.key=${CERT_PATH}/ibm-client.key \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-client-key-certs-secret.yaml
+
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-basic-auth-rest-secret.yaml > basic-auth-rest-secret.yaml
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-client-key-certs-secret.yaml > ibm-client-key-certs-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-basic-auth-rest-secret.yaml
+rm delete-ibm-client-key-certs-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/base/secrets/ibm-ace-server-jks-secret.yaml b/ace/environments/base/secrets/ibm-ace-server-jks-secret.yaml
new file mode 100644
index 0000000..142c675
--- /dev/null
+++ b/ace/environments/base/secrets/ibm-ace-server-jks-secret.yaml
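Review bot: `USERNAME= (aceuser)` and `PASSWORD= (changeit)` are not assignments — bash rejects `( … )` following an assignment word as a syntax error, so the script stops before creating anything; if the parentheses were meant to show example values, write `USERNAME=aceuser` / `PASSWORD=changeit`, or better read both from the environment with the same `[ -z … ]` guards that `gitops-repo-configmap.sh` uses. `CERT_PATH=` is left empty and unchecked, so the `--from-file` arguments resolve to `/ibm-ca.crt` and friends and `oc` fails with an unhelpful message; `CERT_PATH` in jks-secret.sh and `IBM_REST_DBPARMS_PATH` in ibm-rest-dbparams-secret.sh have the same gap. Without `set -euo pipefail` a failing `kubeseal` still leaves a truncated sealed file and the plaintext `delete-*` files on disk, protected only by the `.gitignore` entry. The NOTE comment refers to `delete-ibm-entitled-key-secret.yaml`, which this script never creates (the same copy appears in jks-secret.sh); the wording in ibm-rest-dbparams-secret.sh, `# NOTE, do not check delete-*-secret.yaml into git!`, is the accurate one.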
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-ace-server.jks
+spec:
+ encryptedData:
+ configuration: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-ace-server.jks
+ type: Opaque
+
diff --git a/ace/environments/base/secrets/ibm-ca-jks-secret.yaml b/ace/environments/base/secrets/ibm-ca-jks-secret.yaml
new file mode 100644
index 0000000..a39d003
--- /dev/null
+++ b/ace/environments/base/secrets/ibm-ca-jks-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-ca.jks
+spec:
+ encryptedData:
+ configuration: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-ca.jks
+ type: Opaque
+
diff --git a/ace/environments/base/secrets/ibm-client-key-certs-secret.yaml b/ace/environments/base/secrets/ibm-client-key-certs-secret.yaml
new file mode 100644
index 0000000..c4214df
--- /dev/null
+++ b/ace/environments/base/secrets/ibm-client-key-certs-secret.yaml
@@ -0,0 +1,20 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-client-key-certs
+spec:
+ encryptedData:
+ ibm-ca.crt: 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
+ ibm-client.crt: 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
+ ibm-client.key: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-client-key-certs
+ type: Opaque
+
diff --git a/ace/environments/base/secrets/ibm-rest-dbparams-secret.sh b/ace/environments/base/secrets/ibm-rest-dbparams-secret.sh
new file mode 100755
index 0000000..3b3a8a7
--- /dev/null
+++ b/ace/environments/base/secrets/ibm-rest-dbparams-secret.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_REST_DBPARMS_PATH=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# cat file ibm-rest-dbparms.txt
+#mqsisetdbparms -w /home/aceuser/ace-server -n setdbparms::truststore -u "truststorepwd" -p passw0rd
+#mqsisetdbparms -w /home/aceuser/ace-server -n setdbparms::keystore -u "keystorepwd" -p passw0rd
+#mqsisetdbparms -w /home/aceuser/ace-server -n local::basicAuthOverride -u aceuser -p changeit
+
+
+# Create Kubernetes Secret yaml
+oc create secret generic ibm-rest-dbparms.txt \
+--from-file=configuration=${IBM_REST_DBPARMS_PATH}/ibm-rest-dbparms.txt \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-rest-dbparms-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-rest-dbparms-secret.yaml > ibm-rest-dbparms-secret.yaml
+
+# NOTE, do not check delete-*-secret.yaml into git!
+rm delete-ibm-rest-dbparms-secret.yaml
diff --git a/ace/environments/base/secrets/ibm-rest-dbparms-secret.yaml b/ace/environments/base/secrets/ibm-rest-dbparms-secret.yaml
new file mode 100644
index 0000000..fecc4fb
--- /dev/null
+++ b/ace/environments/base/secrets/ibm-rest-dbparms-secret.yaml
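Review bot: The three commented `mqsisetdbparms` lines embed the keystore/truststore passwords (`passw0rd`) and the basic-auth credentials (`aceuser` / `changeit`) in plaintext in a committed script; even for a demo that records in git exactly what the sealed `ibm-rest-dbparms.txt` is meant to protect, and if these are the live values the sealing buys nothing. Keep the comment to the command shape without values, e.g. `#mqsisetdbparms -w /home/aceuser/ace-server -n setdbparms::keystore -u <user> -p <password>`, and rotate the demo credentials if they were ever used against a real server. `IBM_REST_DBPARMS_PATH=` is empty and unchecked, so the `--from-file` path becomes `/ibm-rest-dbparms.txt`; a `[ -z "${IBM_REST_DBPARMS_PATH}" ]` guard like the ones in gitops-repo-configmap.sh would fail fast with a clear message. The comment `# Encrypt the secret using kubeseal and private key from the cluster` is also inverted: kubeseal encrypts with the controller's public certificate and the private key never leaves the controller, which is the property that makes committing the output acceptable.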
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-rest-dbparms.txt
+spec:
+ encryptedData:
+ configuration: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-rest-dbparms.txt
+ type: Opaque
+
diff --git a/ace/environments/base/secrets/jks-secret.sh b/ace/environments/base/secrets/jks-secret.sh
new file mode 100755
index 0000000..5ddf415
--- /dev/null
+++ b/ace/environments/base/secrets/jks-secret.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Set variables
+CERT_PATH=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret generic ibm-ace-server.jks \
+--from-file=configuration=${CERT_PATH}/ibm-ace-server.jks \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-ace-server-jks-secret.yaml
+
+oc create secret generic ibm-ca.jks \
+--from-file=configuration=${CERT_PATH}/ibm-ca.jks \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-ca-jks-secret.yaml
+
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-ace-server-jks-secret.yaml > ibm-ace-server-jks-secret.yaml
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-ca-jks-secret.yaml > ibm-ca-jks-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-ace-server-jks-secret.yaml
+rm delete-ibm-ca-jks-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/ci/.keep b/ace/environments/ci/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/configmaps/.keep b/ace/environments/ci/configmaps/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/configmaps/gitops-repo-configmap.sh b/ace/environments/ci/configmaps/gitops-repo-configmap.sh
new file mode 100755
index 0000000..5fe5a2d
--- /dev/null
+++ b/ace/environments/ci/configmaps/gitops-repo-configmap.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Set variables
+if [ -z ${GIT_HOST} ]; then echo "Please set GIT_HOST when running script"; exit 1; fi
+if [ -z ${GIT_ORG} ]; then echo "Please set GIT_ORG when running script"; exit 1; fi
+if [ -z ${GIT_GITOPS_APPLICATIONS} ]; then echo "Please set GIT_GITOPS_APPLICATIONS when running script"; exit 1; fi
+if [ -z ${GIT_GITOPS_APPLICATIONS_BRANCH} ]; then echo "Please set GIT_GITOPS_APPLICATIONS_BRANCH when running script"; exit 1; fi
+if [ -z ${GIT_USER} ]; then echo "Please set GIT_USER when running script"; exit 1; fi
+
+
+# Create Kubernetes Secret yaml
+cat < gitops-repo-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: multi-tenancy-gitops
+ group: pipeline
+ type: git
+ name: gitops-repo-ace
+data:
+ branch: ${GIT_GITOPS_APPLICATIONS_BRANCH}
+ host: ${GIT_HOST}
+ org: ${GIT_ORG}
+ owner: ${GIT_USER}
+ parentdir: .
+ protocol: https
+ repo: ${GIT_GITOPS_APPLICATIONS}
+ url: https://${GIT_HOST}/${GIT_ORG}/${GIT_GITOPS_APPLICATIONS}.git
+EOF
diff --git a/ace/environments/ci/configmaps/gitops-repo-configmap.yaml b/ace/environments/ci/configmaps/gitops-repo-configmap.yaml
new file mode 100644
index 0000000..acb5c0e
--- /dev/null
+++ b/ace/environments/ci/configmaps/gitops-repo-configmap.yaml
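Review bot: `cat < gitops-repo-configmap.yaml` as written reads the file instead of writing it, and the YAML lines down to `EOF` would then be executed as shell commands (`apiVersion: v1` → command not found); this looks like a here-document whose operator was lost, so the line should read `cat <<EOF > gitops-repo-configmap.yaml`. The `[ -z ${GIT_HOST} ]` guards only work because an unset variable collapses to `[ -z ]`, which happens to be true; quote them, `[ -z "${GIT_HOST}" ]`, so a value containing whitespace does not turn into a "too many arguments" error. The template also emits a `labels:` block (`app`, `group`, `type`) that the committed `gitops-repo-configmap.yaml` in the next hunk does not contain, so the checked-in file was not produced by this script — regenerate it or drop the labels so the two agree. Lastly the header says `# Create Kubernetes Secret yaml` but the output is a ConfigMap.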
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitops-repo-ace
+data:
+ branch: ocp47-2021-2
+ host: github.com
+ org: cloud-native-toolkit-demos
+ owner: cloud-native-toolkit-demos
+ parentdir: .
+ protocol: https
+ repo: multi-tenancy-gitops-apps
+ url: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
diff --git a/ace/environments/ci/eventlisteners/.keep b/ace/environments/ci/eventlisteners/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/eventlisteners/ace-bar-event-listener.yaml b/ace/environments/ci/eventlisteners/ace-bar-event-listener.yaml
new file mode 100644
index 0000000..161f17b
--- /dev/null
+++ b/ace/environments/ci/eventlisteners/ace-bar-event-listener.yaml
@@ -0,0 +1,12 @@
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+ name: ace-bar
+spec:
+ serviceAccountName: pipeline
+ triggers:
+ - bindings:
+ - kind: TriggerBinding
+ ref: ace-bar
+ template:
+ ref: ace-bar
diff --git a/ace/environments/ci/eventlisteners/ace-config-event-listener.yaml b/ace/environments/ci/eventlisteners/ace-config-event-listener.yaml
new file mode 100644
index 0000000..66f9225
--- /dev/null
+++ b/ace/environments/ci/eventlisteners/ace-config-event-listener.yaml
@@ -0,0 +1,12 @@
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+ name: ace-config
+spec:
+ serviceAccountName: pipeline
+ triggers:
+ - bindings:
+ - kind: TriggerBinding
+ ref: ace-config
+ template:
+ ref: ace-config
diff --git a/ace/environments/ci/kustomization.yaml b/ace/environments/ci/kustomization.yaml
new file mode 100644
index 0000000..bcef789
--- /dev/null
+++ b/ace/environments/ci/kustomization.yaml
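Review bot: `branch: ocp47-2021-2` in this ConfigMap disagrees with `targetRevision: master` in every Argo CD Application added by this commit; if the gitops tasks push promotions to the branch named here, Argo CD will never see them, and if they push to master this value is misleading. Either point the Applications at `ocp47-2021-2` or set `branch: master` here, and record the coupling in a comment above `branch:` (e.g. `# must match targetRevision in ace/config/argocd/*/`) since the value is easy to change in isolation. The file also lacks the `labels:` block that `gitops-repo-configmap.sh` generates, so it was evidently hand-edited rather than produced by the script.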
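Review bot: Neither the `ace-bar` nor the `ace-config` EventListener declares `interceptors:`, so any request that reaches the listener service fires the referenced TriggerTemplate with no webhook-signature or event-type check, and the ci `kustomization.yaml` in the next hunk lists `routes/ace-bar-webhook-event-listener.yaml`, which suggests `ace-bar` is exposed outside the cluster. Both listeners run as `serviceAccountName: pipeline`, presumably the account the new ClusterRole is bound to, so an unauthenticated caller could start pipeline runs under a broadly privileged identity; add a GitHub (or generic) interceptor with a `secretRef` and an `eventTypes` filter under each trigger. Separately, `ace-config-event-listener.yaml` is committed but not listed in the ci kustomization (nor are an `ace-config` binding or template), so it is never applied — either add it or drop it.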
@@ -0,0 +1,38 @@
+resources:
+- configmaps/gitops-repo-configmap.yaml
+- eventlisteners/ace-bar-event-listener.yaml
+- pipelines/ace-promote-dev-stage-pipeline.yaml
+- pipelines/ace-promote-stage-prod-pipeline.yaml
+- pipelines/ace-bar-pipeline.yaml
+- pvc/ace-bar-pvc.yaml
+- pvc/ace-test-pvc.yaml
+- roles/custom-pipeline-clusterrole.yaml
+- roles/custom-pipeline-clusterrolebinding.yaml
+- routes/ace-bar-webhook-event-listener.yaml
+- secrets/basic-auth-rest-secret.yaml
+- secrets/git-credentials-secret.yaml
+- secrets/ibm-ace-server-jks-secret.yaml
+- secrets/ibm-ca-jks-secret.yaml
+- secrets/ibm-client-jks-secret.yaml
+- secrets/ibm-client-key-certs-secret.yaml
+- secrets/ibm-entitled-key-secret.yaml
+- serviceaccount/pipeline-serviceaccount.yaml
+- tasks/0-setup.yaml
+- tasks/2-build-tag-push-ace-bar.yaml
+- tasks/4-deploy.yaml
+- tasks/5-health-check.yaml
+- tasks/7-tag-release.yaml
+- tasks/8-image-release.yaml
+- tasks/9-helm-release.yaml
+- tasks/9-img-scan.yaml
+- tasks/10-gitops.yaml
+- tasks/11-update-image.yaml
+- tasks/12-argo-tests.yaml
+- tasks/gitops-ace.yaml
+- tasks/ace-tasks.yaml
+- tasks/custom-buildah.yaml
+- tasks/functional-test-task.yaml
+- tasks/ibm-gitops-for-ace-task.yaml
+- tasks/ibm-jmeter-performance-test.yaml
+- triggerbindings/ace-bar-trigger-binding.yaml
+- triggertemplates/ace-bar-trigger-template.yaml
diff --git a/ace/environments/ci/pipelines/.keep b/ace/environments/ci/pipelines/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/pipelines/ace-bar-pipeline.yaml b/ace/environments/ci/pipelines/ace-bar-pipeline.yaml
new file mode 100644
index 0000000..34611bd
--- /dev/null
+++ b/ace/environments/ci/pipelines/ace-bar-pipeline.yaml
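Review bot: Most of the files listed here are not part of this commit — `roles/custom-pipeline-clusterrolebinding.yaml`, `routes/…`, everything under `secrets/` (the ci copies, not the base ones), `serviceaccount/…`, every `tasks/*.yaml`, `triggerbindings/` and `triggertemplates/` — so unless they arrive alongside, `kustomize build ace/environments/ci` fails and the `apps-ace-rest-ci-1` Application that points at this path cannot sync. `eventlisteners/ace-config-event-listener.yaml` is the opposite case: added by this commit but not listed. Style: this file uses flush-left `- ` sequence items while `ace/environments/base/kustomization.yaml` indents them; pick one form for the repo. A comment grouping the `tasks/` entries by the pipeline that uses them would also help, since several (`9-helm-release.yaml`, `12-argo-tests.yaml`) have no consumer among the three pipelines added here.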
@@ -0,0 +1,143 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ace-build-bar-promote-dev
+
+spec:
+ params:
+
+ - name: ace-base-image
+ type: string
+ default: cp.icr.io/cp/appc/ace-server-prod:12.0.1.0-r3-20210722-112920
+
+ - name: is-source-repo-url
+ type: string
+ default: https://github.com/cloud-native-toolkit-demos/ace-customer-details.git
+ - default: ""
+ name: is-source-revision
+ type: string
+ - default: is-source
+ name: is-source-directory
+ type: string
+ - name: is-source-repo-private-key
+ type: string
+ default: '""'
+
+ - default: Dockerfile
+ name: dockerfile-relative-path-to-src
+ type: string
+
+ - name: git-ops-repo-url
+ type: string
+ default: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ - name: git-ops-repo-private-key
+ type: string
+ default: '""'
+ - name: git-ops-parent-directory-relative-to-workspace
+ type: string
+ default: integration_server
+
+ - name: git-ops-destination-directory
+ type: string
+ default: ace/environments/dev/integrationServer
+ - name: git-ops-kustomization-path
+ type: string
+ default: ace/environments/dev/kustomization.yaml
+
+ - description: Points to the dev
+ name: destination-env
+ type: string
+ default: dev
+
+
+ tasks:
+
+ - name: clone-is-source
+ params:
+ - name: url
+ value: $(params.is-source-repo-url)
+ - name: revision
+ value: $(params.is-source-revision)
+ - name: subdirectory
+ value: $(params.is-source-directory)
+ - name: deleteExisting
+ value: "true"
+ - name: sshPrivateKey
+ value: $(params.is-source-repo-private-key)
+ taskRef:
+ kind: Task
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+
+
+ - name: resolve-props
+ params:
+ - name: is-source-directory
+ value: $(params.is-source-directory)
+ runAfter:
+ - clone-is-source
+ taskRef:
+ kind: Task
+ name: resolve-props
+ workspaces:
+ - name: input
+ workspace: shared-workspace
+
+ - name: generate-bar
+ params:
+ - name: is-source-directory
+ value: $(params.is-source-directory)
+ - name: is-application-names
+ value: $(tasks.resolve-props.results.is-application-names)
+ - name: bar-location
+ value: $(workspaces.workspace.path)/bars
+ - name: bar-filename
+ value: $(tasks.resolve-props.results.release-name).bar
+ runAfter:
+ - resolve-props
+ taskRef:
+ kind: Task
+ name: generate-bar
+ workspaces:
+ - name: workspace
+ workspace: shared-workspace
+
+ - name: build-is-image
+ params:
+ - name: BUILD_EXTRA_ARGS
+ value: --build-arg BASE=$(params.ace-base-image)
+ - name: TLSVERIFY
+ value: "false"
+ - name: IMAGE
+ value: $(tasks.resolve-props.results.registry-host)/$(context.pipelineRun.namespace)/$(tasks.resolve-props.results.release-name):$(tasks.clone-is-source.results.commit)
+ - name: DOCKERFILE
+ value: $(workspaces.source.path)/$(params.is-source-directory)/$(params.dockerfile-relative-path-to-src)
+ - name: CONTEXT
+ value: $(workspaces.source.path)/bars
+ runAfter:
+ - generate-bar
+ taskRef:
+ kind: Task
+ name: buildah
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+
+ - name: gitops-for-ace
+ params:
+ - name: destination-env
+ value: $(params.destination-env)
+ - name: git-pr
+ value: "false"
+ - name: destination-image
+ value: $(tasks.resolve-props.results.registry-host)/$(context.pipelineRun.namespace)/$(tasks.resolve-props.results.release-name):$(tasks.clone-is-source.results.commit)
+ runAfter:
+ - build-is-image
+ taskRef:
+ kind: Task
+ name: ibm-gitops-for-ace
+
+ workspaces:
+ - name: shared-workspace
diff --git a/ace/environments/ci/pipelines/ace-promote-dev-stage-pipeline.yaml b/ace/environments/ci/pipelines/ace-promote-dev-stage-pipeline.yaml
new file mode 100644
index 0000000..c46367e
--- /dev/null
+++ b/ace/environments/ci/pipelines/ace-promote-dev-stage-pipeline.yaml
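Review bot: `TLSVERIFY: "false"` is passed to the `buildah` task in `build-is-image`, which disables certificate verification for the push to `$(tasks.resolve-props.results.registry-host)`; on a cluster whose internal registry CA is trusted this is unnecessary, and anywhere else it leaves the image push open to interception, so the built artefact that `gitops-for-ace` then promotes is no longer trustworthy by construction. Prefer `value: "true"` with the registry CA mounted into the buildah task, or make it a pipeline param defaulting to `"true"` so the insecure setting is an explicit per-run choice. Separately, `git-ops-repo-url`, `git-ops-repo-private-key`, `git-ops-parent-directory-relative-to-workspace`, `git-ops-destination-directory` and `git-ops-kustomization-path` are declared under `params:` but referenced by no task, so they are dead configuration that will drift — their `ace/environments/dev/...` defaults already disagree with the Argo CD `overlays/dev` path; drop them or wire them into `gitops-for-ace`. The duplicated `IMAGE` / `destination-image` expression would read better with a comment stating that the tag is the source commit SHA from `clone-is-source`.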
@@ -0,0 +1,113 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ace-promote-dev-stage
+spec:
+ params:
+ - default: https://github.com/cloud-native-toolkit-demos/ace-customer-details.git
+ name: is-source-repo-url
+ type: string
+ - default: is-source
+ name: is-source-directory
+ type: string
+ - default: '""'
+ name: is-source-repo-private-key
+ type: string
+
+ - default: ibm-client-key-certs
+ name: key-certs-secret-name
+ type: string
+ - default: ibm-client.key
+ name: client-key
+ type: string
+ - default: ibm-client.crt
+ name: client-cert
+ type: string
+ - default: ibm-ca.crt
+ name: ca-cert
+ type: string
+ - description: Points to the dev/staging env
+ name: source-env
+ type: string
+ default: dev
+ - description: Points to the staging/prod env
+ name: destination-env
+ type: string
+ default: staging
+
+
+ tasks:
+
+ - name: clone-is-source
+ params:
+ - name: url
+ value: $(params.is-source-repo-url)
+ - name: subdirectory
+ value: $(params.is-source-directory)
+ - name: deleteExisting
+ value: "true"
+ - name: sshPrivateKey
+ value: $(params.is-source-repo-private-key)
+ taskRef:
+ kind: Task
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+
+ - name: resolve-props
+ params:
+ - name: is-source-directory
+ value: $(params.is-source-directory)
+ runAfter:
+ - clone-is-source
+ taskRef:
+ kind: Task
+ name: resolve-props
+ workspaces:
+ - name: input
+ workspace: shared-workspace
+
+ - name: functional-test
+ params:
+ - name: source-env
+ value: $(params.source-env)
+ - name: is-source-directory
+ value: $(params.is-source-directory)
+ - name: release-name
+ value: create-customer-details-rest
+ - name: endpoint-path
+ value: v1/createcustomer
+ - name: key-certs-secret-name
+ value: $(params.key-certs-secret-name)
+ - name: client-key
+ value: $(params.client-key)
+ - name: client-cert
+ value: $(params.client-cert)
+ - name: ca-cert
+ value: $(params.ca-cert)
+ runAfter:
+ - resolve-props
+ taskRef:
+ kind: Task
+ name: functional-test
+ workspaces:
+ - name: workspace
+ workspace: shared-workspace
+
+
+ - name: gitops-for-ace
+ params:
+ - name: source-env
+ value: $(params.source-env)
+ - name: destination-env
+ value: $(params.destination-env)
+ - name: git-pr
+ value: "true"
+ runAfter:
+ - functional-test
+ taskRef:
+ kind: Task
+ name: ibm-gitops-for-ace
+ workspaces:
+ - name: shared-workspace
diff --git a/ace/environments/ci/pipelines/ace-promote-stage-prod-pipeline.yaml b/ace/environments/ci/pipelines/ace-promote-stage-prod-pipeline.yaml
new file mode 100644
index 0000000..d89a1b9
--- /dev/null
+++ b/ace/environments/ci/pipelines/ace-promote-stage-prod-pipeline.yaml
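Review bot: `functional-test` hardcodes `release-name` to `create-customer-details-rest` and `endpoint-path` to `v1/createcustomer`, even though the pipeline runs `resolve-props` immediately before it and `ace-bar-pipeline.yaml` takes the same value from `$(tasks.resolve-props.results.release-name)`; this ties a pipeline whose `is-source-repo-url` param implies reuse to one integration server. Use `value: $(tasks.resolve-props.results.release-name)` here and promote `endpoint-path` to a pipeline param with the current value as its default. `clone-is-source` also passes no `revision`, so the functional test always exercises the source repo's default branch rather than the commit that was built for dev; if that is intentional, a comment on the task saying so (e.g. `# test assets only; the deployed image is already pinned in dev`) would spare the next reader the question.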
@@ -0,0 +1,95 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: ace-promote-stage-prod + annotations: + app.openshift.io/runtime: test +spec: + params: + - default: https://github.com/cloud-native-toolkit-demos/ace-customer-details.git + name: is-source-repo-url + type: string + - default: is-source + name: is-source-directory + type: string + - default: '""' + name: is-source-repo-private-key + type: string + - default: ibm-client.jks + name: key-certs-secret-name + type: string + - description: Points to the dev/staging env + name: source-env + type: string + default: staging + - description: Points to the staging/prod env + name: destination-env + type: string + default: prod + - description: User Load + name: jmeter-users + type: string + default: "250" + tasks: + - name: clone-is-source + params: + - name: url + value: $(params.is-source-repo-url) + - name: subdirectory + value: $(params.is-source-directory) + - name: deleteExisting + value: "true" + - name: sshPrivateKey + value: $(params.is-source-repo-private-key) + taskRef: + kind: Task + name: git-clone + workspaces: + - name: output + workspace: shared-workspace + + - name: resolve-props + params: + - name: is-source-directory + value: $(params.is-source-directory) + runAfter: + - clone-is-source + taskRef: + kind: Task + name: resolve-props + workspaces: + - name: input + workspace: shared-workspace + + - name: performance-testing + taskRef: + name: ibm-jmeter-performance-test + runAfter: + - resolve-props + params: + - name: is-source-directory + value: $(params.is-source-directory) + - name: key-certs-secret-name + value: $(params.key-certs-secret-name) + - name: jmeter-users + value: $(params.jmeter-users) + workspaces: + - name: workspace + workspace: shared-workspace + + - name: gitops-for-ace + params: + - name: source-env + value: $(params.source-env) + - name: destination-env + value: $(params.destination-env) + - name: git-pr + value: "true" + runAfter: + - 
performance-testing + taskRef: + kind: Task + name: ibm-gitops-for-ace + + workspaces: + - name: shared-workspace diff --git a/ace/environments/ci/pvc/.keep b/ace/environments/ci/pvc/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ace/environments/ci/pvc/ace-bar-pvc.yaml b/ace/environments/ci/pvc/ace-bar-pvc.yaml new file mode 100644 index 0000000..b562500 --- /dev/null +++ b/ace/environments/ci/pvc/ace-bar-pvc.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: ace-bar-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + volumeMode: Filesystem \ No newline at end of file diff --git a/ace/environments/ci/pvc/ace-test-pvc.yaml b/ace/environments/ci/pvc/ace-test-pvc.yaml new file mode 100644 index 0000000..bcd49a2 --- /dev/null +++ b/ace/environments/ci/pvc/ace-test-pvc.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: ace-test-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + volumeMode: Filesystem diff --git a/ace/environments/ci/roles/.keep b/ace/environments/ci/roles/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ace/environments/ci/roles/custom-pipeline-clusterrole.yaml b/ace/environments/ci/roles/custom-pipeline-clusterrole.yaml new file mode 100644 index 0000000..42d8c09 --- /dev/null +++ b/ace/environments/ci/roles/custom-pipeline-clusterrole.yaml @@ -0,0 +1,37 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: custom-pipelines-clusterrole +rules: + - verbs: + - '*' + apiGroups: + - tekton.dev + resources: + - pipelines + - pipelineruns + - tasks + - taskruns + - pipelineresources + - verbs: + - '*' + apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + - verbs: + - '*' + apiGroups: + - '' + resources: + - pods + - services + - verbs: + - '*' + apiGroups: + - 'route.openshift.io' + resources: + - routes 
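Review bot: `performance-testing` is the only task in this pipeline whose `taskRef` omits `kind: Task` and whose keys are ordered `taskRef`/`runAfter`/`params`, while the three sibling tasks and every task in ace-promote-dev-stage use `params`/`runAfter`/`taskRef` with `kind: Task`; add `kind: Task` and reorder the keys so the two pipeline files read the same way. The `jmeter-users` description "User Load" does not say what `"250"` counts — a description such as `description: Number of concurrent JMeter threads to run against the staging endpoint` would help, if that is what the task interprets it as.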
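Review bot: Every rule in `custom-pipelines-clusterrole` uses `verbs: ['*']`, and the ClusterRoleBinding in the next hunk grants it cluster-wide to the `pipeline` ServiceAccount in `ci`, so that SA can create, patch and delete pods, deployments, services and routes in every namespace on the cluster; a PipelineRun that executes a malicious commit from the cloned source repo therefore inherits cluster-wide reach. If the pipeline only needs its own namespace and the promotion targets, keep the ClusterRole but bind it with a namespaced `RoleBinding` per target namespace, and list the verbs actually used (`get`, `list`, `watch`, `create`, `patch`, `delete`) instead of `'*'`. `pipelineresources` is a deprecated Tekton resource that may not exist on newer clusters; harmless in a rule, but worth dropping when the verbs are tightened.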
diff --git a/ace/environments/ci/roles/custom-pipeline-clusterrolebinding.yaml b/ace/environments/ci/roles/custom-pipeline-clusterrolebinding.yaml
new file mode 100644
index 0000000..f3bb86a
--- /dev/null
+++ b/ace/environments/ci/roles/custom-pipeline-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: custom-pipelines-rolebinding
+subjects:
+ - kind: ServiceAccount
+ name: pipeline
+ namespace: ci
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom-pipelines-clusterrole
diff --git a/ace/environments/ci/routes/.keep b/ace/environments/ci/routes/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/routes/ace-bar-webhook-event-listener.yaml b/ace/environments/ci/routes/ace-bar-webhook-event-listener.yaml
new file mode 100644
index 0000000..f148d25
--- /dev/null
+++ b/ace/environments/ci/routes/ace-bar-webhook-event-listener.yaml
@@ -0,0 +1,14 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+ name: ace-bar-webhook-event-listener
+spec:
+ to:
+ kind: Service
+ name: el-ace-bar
+ port:
+ targetPort: http-listener
+ tls:
+ termination: edge
+ wildcardPolicy: None
+
diff --git a/ace/environments/ci/routes/ace-config-webhook-event-listener.yaml b/ace/environments/ci/routes/ace-config-webhook-event-listener.yaml
new file mode 100644
index 0000000..c98277e
--- /dev/null
+++ b/ace/environments/ci/routes/ace-config-webhook-event-listener.yaml
@@ -0,0 +1,14 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+ name: ace-config-webhook-event-listener
+spec:
+ to:
+ kind: Service
+ name: el-ace-config
+ port:
+ targetPort: http-listener
+ tls:
+ termination: edge
+ wildcardPolicy: None
+
diff --git a/ace/environments/ci/secrets/.keep b/ace/environments/ci/secrets/.keep
new file mode 100644
index 0000000..e69de29
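Review bot: These two Routes publish the `el-ace-bar` and `el-ace-config` EventListener services on the cluster's public ingress with edge TLS, so any host on the internet can POST to the listeners. The EventListener and Trigger definitions are not part of this commit, so I cannot tell whether the triggers run an interceptor that verifies the webhook secret; if they do not, an unauthenticated caller can start PipelineRuns under the `pipeline` ServiceAccount, which the previous hunks bind to a cluster-wide wildcard ClusterRole. Please confirm the interceptors validate the signature, and add a comment on each Route naming the EventListener it fronts and where that validation lives, e.g. `# fronts the ace-bar EventListener; webhook signature is checked by its interceptor`.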
diff --git a/ace/environments/ci/secrets/basic-auth-rest-secret.yaml b/ace/environments/ci/secrets/basic-auth-rest-secret.yaml new file mode 100644 index 0000000..b1c4f84 --- /dev/null +++ b/ace/environments/ci/secrets/basic-auth-rest-secret.yaml @@ -0,0 +1,19 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: basic-auth-rest +spec: + encryptedData: + password: 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 + username: AgAdHLzNR4Gx1S1eAnuagETfomukO+VQQXFZqtFblwgKQwtIj+m7n3r0/8EXbKCYOtD9QbHonJG9yT0/BFJ/66TYcosgGAOqF6zMxS6SqeGU6tNr4p1uFVe22/suDRwE7UxqPso46yLuuIf8RjxIhrdolBl3Xe8GrwbBwK5c+Bk4JaiFMNT9WUQ0oGpAYlYguDWjW1oChFDXAjw25oyFKBp5klKQh/2XL/T5dlBBjLFqDQQuUqSI5jRmGsJ/Ft8JyKH+4y3h2/UMQelVQR+M3WC8KIufj5I4b/jNcHAaUr077B3G/ApTuR79cwHSte7v1kkSH7UwOFFaycxfvnSqFwHaMaat5OGso85aaBOMxb5JQO3el9cHwAx6Ikw7BU4fzBJ1BTAup49GAwaUBMxIc/89o5EMPmvtv2ediEhbZO68bJphDBEaUH+UljSxeEGdx/emmFqQ+B7P4vbMuHvpwXYEIRXBF/yWJhwhCas1lvv0ZoSn+WVHR00zevxPgStoTEurm36uY+/b8Iy/UMWcUxS79RYDsm89fpJfX5c6OJu0nYieDVw7R16LGzcBDAsdgJJoFOqartZV5Kv1bjLr7fvSakFzlB/O4Yk7KyhPAUDfg0ZvhhcHlhuYvShYxKpqSkC54Eejds8MIhewRr/k+WfSdLuuafdovSdk6zRqL/wqtFkJxJKKNeWzJQUifWbx2uODmVhxFZAG + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: basic-auth-rest + type: Opaque + diff --git a/ace/environments/ci/secrets/functional-test-secrets.sh b/ace/environments/ci/secrets/functional-test-secrets.sh new file mode 100755 index 0000000..21f6a66 --- /dev/null +++ b/ace/environments/ci/secrets/functional-test-secrets.sh 
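Review bot: `sealedsecrets.bitnami.com/cluster-wide: "true"` (matching `--scope cluster-wide` in every sealing script in this commit) removes the namespace and name binding from the ciphertext, so this sealed `basic-auth-rest` blob can be unsealed under any name in any namespace by anyone allowed to create SealedSecrets there — a user with rights in an unrelated namespace can recover the credentials. If each of these secrets is only needed in one namespace, seal them with the default strict scope, or at most `--scope namespace-wide` with the `sealedsecrets.bitnami.com/namespace-wide: "true"` annotation, so the controller refuses to decrypt them elsewhere. The same annotation is on git-credentials-secret.yaml, ibm-ace-server-jks-secret.yaml, ibm-ca-jks-secret.yaml, ibm-client-jks-secret.yaml, ibm-client-key-certs-secret.yaml and ibm-entitled-key-secret.yaml below, and `--scope cluster-wide` is in functional-test-secrets.sh, git-credentials-secret.sh, ibm-entitled-key-secret.sh, jks-secret.sh and smoke-test-secrets.sh.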
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Set variables
+USERNAME=
+PASSWORD=
+CERT_PATH=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret generic basic-auth-rest \
+--from-literal=username=${USERNAME} \
+--from-literal=password=${PASSWORD} \
+--type Opaque \
+--dry-run=true -o yaml > delete-basic-auth-rest-secret.yaml
+
+oc create secret generic ibm-client-key-certs \
+--from-file=ibm-ca.crt=${CERT_PATH}/ibm-ca.crt \
+--from-file=ibm-client.crt=${CERT_PATH}/ibm-client.crt \
+--from-file=ibm-client.key=${CERT_PATH}/ibm-client.key \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-client-key-certs-secret.yaml
+
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-basic-auth-rest-secret.yaml > basic-auth-rest-secret.yaml
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-client-key-certs-secret.yaml > ibm-client-key-certs-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-basic-auth-rest-secret.yaml
+rm delete-ibm-client-key-certs-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/ci/secrets/git-credentials-secret.sh b/ace/environments/ci/secrets/git-credentials-secret.sh
new file mode 100755
index 0000000..b17614e
--- /dev/null
+++ b/ace/environments/ci/secrets/git-credentials-secret.sh
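Review bot: The script expects the operator to type `USERNAME=`, `PASSWORD=` and `CERT_PATH=` into the file itself and has no `set -e` or empty-value guard, so running it unedited silently seals an empty username and password (and `--from-file` with an empty `CERT_PATH` resolves to `/ibm-ca.crt`), while an edited copy is one `git add` away from committing the plaintext credentials. git-credentials-secret.sh in the next hunk already does this the safer way — take the values from the environment and fail fast — so mirror it here: `: "${USERNAME:?set USERNAME}"`, `: "${PASSWORD:?set PASSWORD}"`, `: "${CERT_PATH:?set CERT_PATH}"`, plus `set -eo pipefail` so a failed `oc create` stops the script instead of feeding an empty file to kubeseal. `--dry-run=true` is deprecated in current oc/kubectl in favour of `--dry-run=client`, and the NOTE comment names `delete-ibm-entitled-key-secret.yaml`, which this script never creates. ibm-entitled-key-secret.sh, jks-secret.sh and smoke-test-secrets.sh below follow the same pattern and need the same changes.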
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# Set variables
+if [ -z ${GIT_BASEURL} ]; then echo "Please set GIT_BASEURL when running script"; exit 1; fi
+if [ -z ${GIT_USER} ]; then echo "Please set GIT_USER when running script"; exit 1; fi
+if [ -z ${GIT_TOKEN} ]; then echo "Please set GIT_TOKEN when running script"; exit 1; fi
+
+
+SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets}
+SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets}
+
+# Create Kubernetes Secret yaml
+cat < delete-git-credentials-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: git-credentials
+ annotations:
+ tekton.dev/git-0: ${GIT_BASEURL}
+type: kubernetes.io/basic-auth
+stringData:
+ username: ${GIT_USER}
+ password: ${GIT_TOKEN}
+EOF
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-git-credentials-secret.yaml > git-credentials-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-git-credentials-secret.yaml
diff --git a/ace/environments/ci/secrets/git-credentials-secret.yaml b/ace/environments/ci/secrets/git-credentials-secret.yaml
new file mode 100644
index 0000000..fba1004
--- /dev/null
+++ b/ace/environments/ci/secrets/git-credentials-secret.yaml
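Review bot: The environment variable is spelled `SEALED_SECRET_CONTOLLER_NAME` (missing R) in both places, so an operator who exports the correctly spelled `SEALED_SECRET_CONTROLLER_NAME` is silently ignored and kubeseal targets the default `sealed-secrets` controller; rename it, keeping the misspelt name as a fallback if anything already relies on it. The guards `[ -z ${GIT_BASEURL} ]` only work by accident — unquoted, an empty variable leaves `[ -z ]`, and a value containing whitespace breaks the test — so quote them: `if [ -z "${GIT_BASEURL}" ]; then …`. The values are also substituted unquoted into the YAML template, so a URL or token containing YAML-significant characters (`#`, `: `, a leading `*`) produces a malformed or mis-parsed Secret; write `tekton.dev/git-0: "${GIT_BASEURL}"`, `username: "${GIT_USER}"` and `password: "${GIT_TOKEN}"`. The heredoc operator is garbled on this page (`cat < delete-…`), presumably `cat <<EOF > delete-…` in the file, and the closing NOTE comment names `delete-ibm-entitled-key-secret.yaml` instead of `delete-git-credentials-secret.yaml`.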
@@ -0,0 +1,20 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: git-credentials +spec: + encryptedData: + password: AgBQbHF4FvUAwA35wdmw5OjX1jXpLEi8dkh+wTYAOadYro1BGzIICrwCG8K+9h3e5/zI+u2SUQ/tPSPvpvLGgW/lVJ0n952KPv0/b5WxHH2muc5hed+yKlSdqpscMVg71dis7sptkbOxWQUaqKezkGKCtdQVKNEmKWHS+CbSj1ZW2Vde5NuKzQTC39tROC1zwDXVAj6mFxfboGWt0a7rEHPvw3k1CsC0XXti6D1KZLGRGsjAeQkBaU4EjXVor9jPdN/ougj9xWBh8Zwj30KqBRvYpIN2toMi47gtv+cmItPeu9lcBs9feQbk7N8Dh2JVum9MDVq+ABTBAoeKGVINZePQtabzWpbPZu6s4ccC/+ZzyhHJh8AwubOYPxlAWuOx2n87dIGYfx8uRKv12Seb8b8wLkf1Fg6SJY0GbRoo+uuWhsl39EBkQS61fyj084ECjDfbpcIYDz6oTP418qhqSWxXefcKT3BO8ntR349l6lcZJ5uxtystLI4UDNbTRnS2k/h8J1NkbYWXliZoLsXb82T7D6FM9I+dkgFeReesNaFf7JbNmxTf+H9pEWzYtL/T/MW5poBm31fpI/syUQUCjZVb0Mx5bLsgAM+we3d/1VsstaQ9/HZrpHTsm1qHQp56tWCrO9i3cOXsBwowZDn28ByujS4ghFgRgtoc0bl8CXzuEdAB6dJme0K0G3pDWFGQyFM4BadJKKYEwnEqezggyFQ/992p9+jGkDaoDqwhZE91aJRr1BUXoNQz + username: 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 + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + tekton.dev/git-0: https://github.com + creationTimestamp: null + name: git-credentials + type: kubernetes.io/basic-auth + diff --git a/ace/environments/ci/secrets/ibm-ace-server-jks-secret.yaml b/ace/environments/ci/secrets/ibm-ace-server-jks-secret.yaml new file mode 100644 index 0000000..142c675 --- /dev/null +++ b/ace/environments/ci/secrets/ibm-ace-server-jks-secret.yaml @@ -0,0 +1,18 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-ace-server.jks +spec: + encryptedData: + configuration: 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 + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-ace-server.jks + type: Opaque + 
diff --git a/ace/environments/ci/secrets/ibm-ca-jks-secret.yaml b/ace/environments/ci/secrets/ibm-ca-jks-secret.yaml new file mode 100644 index 0000000..a39d003 --- /dev/null +++ b/ace/environments/ci/secrets/ibm-ca-jks-secret.yaml @@ -0,0 +1,18 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-ca.jks +spec: + encryptedData: + configuration: 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 + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-ca.jks + type: Opaque + diff --git a/ace/environments/ci/secrets/ibm-client-jks-secret.yaml b/ace/environments/ci/secrets/ibm-client-jks-secret.yaml new file mode 100644 index 0000000..07e126d --- /dev/null +++ b/ace/environments/ci/secrets/ibm-client-jks-secret.yaml 
@@ -0,0 +1,19 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-client.jks +spec: + encryptedData: + keyStore: 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 + keyStorePassword: AgANEWpF3E1AklmXj/L/+gwgWD1SxzU+NRiBmxpi3cJBtvwk++IJGv8KDVkHF9uvLCmGO/5h3736hOqHtE0gN4mOzV6GI2B02yefMkZ8CJhr61foqMCL2GNySVmDtMD2C1Iwkaclby3w+jYH3UrZ04igSzNoQ7VGMixlPG/1chguZbMQ4TwrjDTbmiTuwktOjhBJ8YKCm3emVs3QBHdmWYS0i+O/vDgUygBP17rKWPws7dpUb/GgE3gozKWiMaf00XYqvP2HBGUdtDHK7MWEDAE6IOZswf6N88be2VCKjiQyA91zmTWEVKSgj82qmjzfsVxtOmESrdNM3Cbt2eDAYwmLlKwGuSkxJPGxwx+3JwNS1UBbgNE8ONEi5px/HLi1pcjPob04PNefQiob5/JWfvfraqZKGyx5ceGWmbQBD4UNQLXMPOYvWMatG1dGEYqEgk4hMlBaZQ6xYv8ToI9eyy4cF3F9ZIotpvXUku4pgXtd+hvZXGBU4uDQHk+XG60u3Yj/W+Yd9xCUNza1TekEWqGb3/DNPn/VqxAsWWiFT2Dx/PFA/Yty+Aq45FwRmzzzQgiC5CghxDGm28s8Aoh4s/yu6PRxmY6P7XQQjOrQCIQfIWQLHKcvntw/C5z9e+OoegXyALCqkacn31qWmpvJtLmYNDPq4iOx2eIxvc33Uz/KvfUW+XX2XNMvhq60T1mWcnmw0BlEz9iJxA== + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-client.jks + type: Opaque + diff --git a/ace/environments/ci/secrets/ibm-client-key-certs-secret.yaml b/ace/environments/ci/secrets/ibm-client-key-certs-secret.yaml new file mode 100644 index 0000000..c4214df --- /dev/null +++ b/ace/environments/ci/secrets/ibm-client-key-certs-secret.yaml 
@@ -0,0 +1,20 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-client-key-certs +spec: + encryptedData: + ibm-ca.crt: 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 + ibm-client.crt: AgB/zB8G3vZ7eq3JoC7szFte1V4mCVLHwLPpC0Why3ufVMtDVzXI+XV+CC0vcJn2w5maAwpMRZ5orkbC0BAQtngxxRB5wPKus1dDeEYmXm/Zit6CW9MzE3k9jnqCrMOrps521D/W9qWzKQXkEuPdH3svl99lr0WPMgNU9eZK/tnd4gyF1W1XkBAuwG1XB0SlRjTFgYPza+U/OUwNqaRlWo9h+A1ai988gOxkWVzJbkTVS8D27dGoKBvg3Jj3p5DP71ssRZWiw2n0b4wiUA9MRr1NCmGFIhc6sjzEwdlIUWzh7GxrLHn87+dMIMILCqtQnw3Wq3XGO6/sZZNhipjR4QM4D/hbhXix6pPZQpbTSw92gG8f+4cnII7jnZqfTfaQZ73mN2V++FV5mjJkAnhr1jXCW1QcEV2lksWj9QTDyfsUoL0A/FTdx1j9bW/rieBxfjGNl47qrwecEckGElEVZwdwJQN6HKwXpUbJFLZDWxgCJQyIkeKWDPNwE5hApZqQjM2o9+Y+49n8hvu0FWU5MDColcuEQGu/NP6mTlL42iJaotUpPk1sfAWJLPyps2zHwlJSUX9xmF1IIPR17fidFmIfLxj9VQ2P4Z95NLPFbIndIaK2Q/HegYVbQa7yv45RaxI6JudDOELMphmkQPbUNmWNKSDU2jVPs8dNldtQjvIXP4zlHcWERd//k/Z9js4IMPjSNcPcCURGfiIxqg7S01jU2OR59SHcSvWsYhjWYdyqi3zdyHWJV5efDzd3TqDrfJYwBifQcNLgmQUU8ECBv8XwoLMN20i+Mb1NdQTWvSuiBRv0MxbfOEef7TZ/Z6eQXtQhgMbmdiK+ihlA2J3FcU350Yynmvmv+J6/A38Vz3k2t84XsfjNS1gW7LHtBnRlODEmuyE/7fWyQadc1FkairWHkBAwnFydHkJ/DOPAKVHLw4lsKsff9QA2Xf6BHD+TMyM7mtLwZ1WXYNyPsaDXloCr1MjuFXDnVH70e/DNOfH4krgreVjGDq6qrz+pWj0cJdvkxU7AN1MCUhoegYfuDSaxA6LaXPl2e3y4LpAGy8hEQ3/Sm38T/IRx11lOzegWzq9+HBAgGsqThFdAOaW//vsTNuP/O8VnsmLk7iRnMpLgGA4RIM6JOq1HRBGt9FoTAD3dQpGfY4rqxkRgpXLPfSwBA1/nHtTOhAnkWrhXbbptjIFrIz67+/WA4NpIkKUIJxOok9QUBE8lA2GiWknwZ4jqLtsdjQ9sPR43pYu/cMIq3y5Er3PvvLKxId9LaKavxdaOu8vxIHR1TLPCeGzv7HTwCLIhGfyhWuUyTmgEtMGSaZXodjN8gwIZg1s/KPz1qsbNpzn1nsL2+wV9Z2ZPRkPp6TnyWLgAV7N8ECIRkFSSDwxj9rxH6593G95r22YsDquIjcPehUaUejILacgUMKcXTJNTx2fxCzvKgVCH1QpvZDOMO7/LvxUj+jUmGTE+9RKG+H+mCeu9fcV9WER/Dj/CeSNA5DKHZSxbD7QVuuy5ZJpyWSFhLWMS/6LaLX3gM/OwoZw6KTEWa/s92D4wnbZc1M0DtASxEnE6JiJNY0nMeuS8IOHWOmL3Vm4YcrFxrwBl6O3A8ppE1sA7W16Uxu4a5rDSo9mgQoewoyM8wdg2LQuaTwfqUNqi8O02uQmDyFmFL/7mlAWJKsCkfOO9AgXTz
M7SdT1DPrd1VMAZ24x+n/1MZbrtwYDnFzOsoqGsyOT45Kw9rkEF3QCLDnlBSl4Q/IJKrtbbwje2HH8mF2jkxp8VtHwcMasXGZ9vLhqXOl39USgwRLidrJLpfwOD+Zv4Kd15dTl9S0Fo4X5HsZsnKT872GnVYGyVdA98mJdMDHZTapBPAjrNHvrOTx+obmu3zJt48G82LNUAvvaviA8sRRT9saz7fVElG7yW9QKdF09H+ZvkIuT7HUdJNk1hCV+tFn49YW5Z6RNyP8GZs7zHmTp0JhpQ6K/zgtzogIvkOHGeelfIzeLzgiXc+6g1tgAzXaokRa6dtinknY0e8HigJNchUBCYjzWpwvvE0mKoqm4JCdHwyUG5Oxu6My8Aodagad2CaLhS0xoAhBtjFRUkBk6rmYv6BqXxCL8iHJzqm1myileaRV4LjL0Ira0nyMH10ReHacf5o/3UF0Z4dBbC4BWrcwIhFLybnGV1XC3vtwXl9oi4/KkAwseVqTt7Wc9OXlY0xqglA7uF+Ui4PbRNfhD6BfFHqIsbbI7D2mRhOPRSF972PV78wum6ppJcMXhZhBCeLzFGDNUiWpCLv1ueCX0SivS2kFl5Gl2sfSNXTlaHm6yn0py2mqVgP34GekjsdlJY0XLL3C9w28HngF4+U22L+/GigPhkcee7OB/2GrACRlzXEC0u3RxD1it36DWTjGESl0vXp6bzeb/fDuSPS4d0ex4fdLRkL+7yFdkc/xk5416H8jUw8cekrbSr9Du91oawIIAQZr8evDdE724ZPjmYgMC8V04SOKu5lk9mfo4yiZhovjNP2gVj7x5dZP3av84r6zgCOkZG2Dzn4E5stjDlImRmBELjwoIR3Ox+dtyoPerNCMJa6KMtvQRyTUBZWEh1AzShyIXi6nWwhw1c6E3k+VN/emNdKx0bRGAPzm6xvU9gXrmFCmF9KbGR8rXNxBGlj8T5wIgmtoQ70CrqEPkyLXXAvnEg4AgOFnKJLvO+LVaw/2EFcL6Ww6SDjZJEFH5S0KI8KDgFepnv16tldY6aLHg8oJUwNVV982HOd5GLTCERNCiS2grUVf50P/HJgL5caZtEeJSYS/DhxrBf6HCXAdW8kS+/P6gXaqZoAbGPkb1QrkR8MhEWftWofSuoaWaqHOzq5w7TPwsIafogKLivEbEnyIBYULDpwp4siHlweW4ZE6O9WNsVyMTonGRItjdRq/Z4z0X9qTFfTAjJ0ArfYOVk4PhedVlqYoM5fSwxERqaqu0Ygo1Ey4posiXibLwNsAOD//8GVz4aazmxnbG2IgKWdHI1ApioQ0qmpMQFLxuFlqIHp0sBapPqj+Bs38/JbwnDbVf+axSq6A== + ibm-client.key: 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 + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: ibm-client-key-certs + type: Opaque + diff --git a/ace/environments/ci/secrets/ibm-entitled-key-secret.sh b/ace/environments/ci/secrets/ibm-entitled-key-secret.sh new file mode 100755 index 0000000..8909259 --- /dev/null +++ b/ace/environments/ci/secrets/ibm-entitled-key-secret.sh 
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_ENTITLEMENT_KEY=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret docker-registry ibm-entitlement-key \
+--docker-username=cp \
+--docker-server=cp.icr.io \
+--docker-password=${IBM_ENTITLEMENT_KEY} \
+--dry-run=true -o yaml > delete-ibm-entitled-key-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-entitled-key-secret.yaml > ibm-entitled-key-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-key-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/ci/secrets/ibm-entitled-key-secret.yaml b/ace/environments/ci/secrets/ibm-entitled-key-secret.yaml
new file mode 100644
index 0000000..1a0c49e
--- /dev/null
+++ b/ace/environments/ci/secrets/ibm-entitled-key-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitlement-key
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ type: kubernetes.io/dockerconfigjson
+
diff --git a/ace/environments/ci/secrets/jks-secret.sh b/ace/environments/ci/secrets/jks-secret.sh
new file mode 100755
index 0000000..5ddf415
--- /dev/null
+++ b/ace/environments/ci/secrets/jks-secret.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Set variables
+CERT_PATH=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret generic ibm-ace-server.jks \
+--from-file=configuration=${CERT_PATH}/ibm-ace-server.jks \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-ace-server-jks-secret.yaml
+
+oc create secret generic ibm-ca.jks \
+--from-file=configuration=${CERT_PATH}/ibm-ca.jks \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-ca-jks-secret.yaml
+
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-ace-server-jks-secret.yaml > ibm-ace-server-jks-secret.yaml
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-ca-jks-secret.yaml > ibm-ca-jks-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-ace-server-jks-secret.yaml
+rm delete-ibm-ca-jks-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/ci/secrets/smoke-test-secrets.sh b/ace/environments/ci/secrets/smoke-test-secrets.sh
new file mode 100755
index 0000000..de17549
--- /dev/null
+++ b/ace/environments/ci/secrets/smoke-test-secrets.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Set variables
+KEYSTOREPASSWORD=
+CERT_PATH=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret generic ibm-client.jks \
+--from-literal=keyStorePassword=${KEYSTOREPASSWORD} \
+--from-file=keyStore=${CERT_PATH}/ibm-client.jks \
+--type Opaque \
+--dry-run=true -o yaml > delete-ibm-client-jks-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-client-jks-secret.yaml > ibm-client-jks-secret.yaml
+
+# NOTE, do not check delete-*-secret.yaml into git!
+rm delete-ibm-client-jks-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/ci/serviceaccount/.keep b/ace/environments/ci/serviceaccount/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/serviceaccount/pipeline-serviceaccount.yaml b/ace/environments/ci/serviceaccount/pipeline-serviceaccount.yaml
new file mode 100644
index 0000000..0a2097f
--- /dev/null
+++ b/ace/environments/ci/serviceaccount/pipeline-serviceaccount.yaml
@@ -0,0 +1,8 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: pipeline
+secrets:
+ - name: ibm-entitlement-key
+ - name: git-credentials
+
diff --git a/ace/environments/ci/tasks/.keep b/ace/environments/ci/tasks/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/ci/tasks/0-setup.yaml b/ace/environments/ci/tasks/0-setup.yaml
new file mode 100644
index 0000000..7e9efc0
--- /dev/null
+++ b/ace/environments/ci/tasks/0-setup.yaml
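Review bot: `secrets:` on the `pipeline` ServiceAccount only lists Secrets that Tekton's credential initialiser may pick up; it does not make `ibm-entitlement-key` an image-pull credential. If any task in this pipeline pulls images from `cp.icr.io` under this ServiceAccount (ibm-entitled-key-secret.sh seals a docker-registry secret for that server, which suggests so), the SA also needs `imagePullSecrets:` with `- name: ibm-entitlement-key`; I cannot see an image reference in this commit to confirm. A short comment above each entry naming the task that consumes it, e.g. `# git-credentials: used by the git-clone step via tekton.dev/git-0`, would make the list maintainable.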
@@ -0,0 +1,280 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-setup + annotations: + description: Sets up the pipeline environment and generates/normalizes a number of param values + app.openshift.io/description: Sets up the pipeline environment and generates/normalizes a number of param values + app.openshift.io/vcs-ref: master + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + labels: + version: 0.0.0 +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: source-dir + default: /source + - name: image-url + description: The dev image (use image-release for released image) + default: "" + - name: image-server + description: The dev image registry server if params.image-url not provided + default: "" + - name: image-namespace + description: The dev image registry namespace if params.image-url not provided + default: "" + - name: image-repository + description: The dev image registry repository/imagename if params.image-url not provided + default: "" + - name: image-tag + description: The dev image registry tag if params.image-url not provided + default: "" + - name: image-release + description: The url of final released image + default: "" + - name: app-namespace + description: The openshift/kubernetes namespace to deploy dev app + default: "" + - name: app-name + description: The app name to be use in openshift/kuberentes deployment and helm chart + default: "" + - name: deploy-ingress-type + default: "route" + - name: health-protocol + default: "https" + - name: health-endpoint + description: Endpoint to check health after deployment, liberty uses / not /health + default: "/health" + - name: health-url + description: Override for health check url + default: "" + - name: health-curl + description: Override for health check curl flags + default: "-k" + - name: 
scan-image + description: Flag indicating that a Vulnerability Advisor scan should be performed + default: "false" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: js-image + default: quay.io/ibmgaragecloud/node:lts-stretch + - name: ace-project + description: Name of the ACE Toolkit project + default: "" + - name: lint-dockerfile + description: Flag indication that Dockerfile will be linted + default: "true" + results: + - name: git-url + - name: git-revision + - name: source-dir + - name: image-url + - name: image-server + - name: image-namespace + - name: image-repository + - name: image-tag + - name: image-release + - name: app-namespace + - name: app-name + - name: deploy-ingress-type + - name: health-protocol + - name: health-endpoint + - name: health-url + - name: health-curl + - name: tools-image + - name: js-image + - name: scan-image + - name: scan-trivy + - name: scan-ibm + - name: ace-project + - name: dockerfile-lint + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: REGISTRY_RELEASE_SERVER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_URL + optional: true + - name: REGISTRY_RELEASE_NAMESPACE + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_NAMESPACE + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" 
$(params.source-dir) + else + git clone $(params.git-url) $(params.source-dir) + fi + cd $(params.source-dir) + git checkout $(params.git-revision) + + # Results + # Defaults + echo -n "$(params.git-url)">$(results.git-url.path) + echo -n "$(git rev-parse --verify HEAD)">$(results.git-revision.path) + echo -n "$(params.source-dir)">$(results.source-dir.path) + echo -n "$(params.app-namespace)">$(results.app-namespace.path) + echo -n "$(params.app-name)">$(results.app-name.path) + echo -n "$(params.deploy-ingress-type)">$(results.deploy-ingress-type.path) + echo -n "$(params.health-protocol)">$(results.health-protocol.path) + echo -n "$(params.health-endpoint)">$(results.health-endpoint.path) + echo -n "$(params.health-url)">$(results.health-url.path) + echo -n "$(params.health-curl)">$(results.health-curl.path) + echo -n "$(params.tools-image)">$(results.tools-image.path) + echo -n "$(params.js-image)">$(results.js-image.path) + echo -n "$(params.ace-project)">$(results.ace-project.path) + + + REGISTRY_SERVER="$(params.image-server)" + REGISTRY_NAMESPACE="$(params.image-namespace)" + REGISTRY_REPOSITORY="$(params.image-repository)" + REGISTRY_TAG="$(params.image-tag)" + + if [[ -n "$(params.image-url)" ]]; then + REGISTRY_SERVER_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $1}') + if [[ -n "${REGISTRY_SERVER_VALUE}" ]]; then + REGISTRY_SERVER="${REGISTRY_SERVER_VALUE}" + fi + + REGISTRY_NAMESPACE_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $2}') + if [[ -n "${REGISTRY_NAMESPACE_VALUE}" ]]; then + if [[ "${REGISTRY_NAMESPACE_VALUE}" = '$NAMESPACE' ]]; then + REGISTRY_NAMESPACE=${NAMESPACE} + else + REGISTRY_NAMESPACE="${REGISTRY_NAMESPACE_VALUE}" + fi + fi + + REGISTRY_REPOSITORY_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}') + if [[ -n "${REGISTRY_REPOSITORY_VALUE}" ]]; then + REGISTRY_REPOSITORY="${REGISTRY_REPOSITORY_VALUE}" + fi + + REGISTRY_TAG_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | 
awk -F : '{print $2}') + if [[ -n "${REGISTRY_TAG_VALUE}" ]]; then + REGISTRY_TAG="${REGISTRY_TAG_VALUE}" + fi + fi + + if [[ -z "${REGISTRY_SERVER}" ]]; then + # Assume is internal + REGISTRY_SERVER="image-registry.openshift-image-registry.svc:5000" + fi + if [[ -z "${REGISTRY_NAMESPACE}" ]]; then + # Assume current k8s namespace + REGISTRY_NAMESPACE="${NAMESPACE}" + fi + if [[ -z "${REGISTRY_REPOSITORY}" ]]; then + # Assume repo dir is image repository/image-name + REGISTRY_REPOSITORY="$(basename $(echo -n $(git config --get remote.origin.url)) .git | tr '[:upper:]' '[:lower:]' | sed 's/_/-/g')" + fi + if [[ -z "${REGISTRY_TAG}" ]]; then + # Assume short git commit revision + REGISTRY_TAG="$(git rev-parse --verify HEAD --short)" + fi + echo -n "${REGISTRY_SERVER}">$(results.image-server.path) + echo -n "${REGISTRY_NAMESPACE}">$(results.image-namespace.path) + echo -n "${REGISTRY_REPOSITORY}">$(results.image-repository.path) + echo -n "${REGISTRY_TAG}">$(results.image-tag.path) + echo -n "${REGISTRY_SERVER}/${REGISTRY_NAMESPACE}/${REGISTRY_REPOSITORY}:${REGISTRY_TAG}">$(results.image-url.path) + + if [[ -z "$(params.app-namespace)" ]]; then + # Assume current namespace + echo -n "${NAMESPACE}">$(results.app-namespace.path) + fi + + if [[ -z "$(params.app-name)" ]]; then + # Assume image repository/name + echo -n "${REGISTRY_REPOSITORY}">$(results.app-name.path) + fi + + + if [[ -n "$(params.image-release)" ]]; then + REGISTRY_RELEASE_SERVER_VALUE=$(echo "$(params.image-release)" | awk -F / '{print $1}') + if [[ -n "${REGISTRY_RELEASE_SERVER_VALUE}" ]]; then + REGISTRY_RELEASE_SERVER="${REGISTRY_RELEASE_SERVER_VALUE}" + fi + + REGISTRY_RELEASE_NAMESPACE_VALUE=$(echo "$(params.image-release)" | awk -F / '{print $2}') + if [[ -n "${REGISTRY_RELEASE_NAMESPACE_VALUE}" ]]; then + if [[ "${REGISTRY_RELEASE_NAMESPACE_VALUE}" = '$NAMESPACE' ]]; then + REGISTRY_RELEASE_NAMESPACE=${NAMESPACE} + else + REGISTRY_RELEASE_NAMESPACE="${REGISTRY_RELEASE_NAMESPACE_VALUE}" + fi + 
elif [[ "${REGISTRY_RELEASE_SERVER}" = "image-registry.openshift-image-registry.svc:5000" ]]; then + REGISTRY_RELEASE_NAMESPACE=${NAMESPACE} + fi + fi + if [[ -z "${REGISTRY_RELEASE_NAMESPACE}" ]]; then + # Assume current k8s namespace + REGISTRY_RELEASE_NAMESPACE="${NAMESPACE}" + fi + if [[ -z "${REGISTRY_RELEASE_SERVER}" ]]; then + # Assume internal registry + REGISTRY_RELEASE_SERVER="image-registry.openshift-image-registry.svc:5000" + fi + REGISTRY_RELEASE_URL="${REGISTRY_RELEASE_SERVER}/${REGISTRY_RELEASE_NAMESPACE}/${REGISTRY_REPOSITORY}" + echo -n "${REGISTRY_RELEASE_URL}">$(results.image-release.path) + + PERFORM_SCAN="$(params.scan-image)" + PERFORM_SCAN_IBM="false" + PERFORM_SCAN_TRIVY="false" + if [[ "${PERFORM_SCAN}" == "true" ]]; then + echo "User selected to perform container image scanning" + if echo "$REGISTRY_RELEASE_URL" | grep 'icr.io'; then + echo "Using IBM Container registry, enabling scanning using VA" + PERFORM_SCAN_IBM="true" + else + echo "Not using IBM Container registry, enabling scanning using trivy" + PERFORM_SCAN_TRIVY="true" + fi + fi + + echo -n "${PERFORM_SCAN}">$(results.scan-image.path) + echo -n "${PERFORM_SCAN_TRIVY}">$(results.scan-trivy.path) + echo -n "${PERFORM_SCAN_IBM}">$(results.scan-ibm.path) + + if [[ -z "$(params.ace-project)" ]]; then + # Retrieve name of ACE Toolkit project + ACE_PROJECT=$(ls workspace || true) + echo -n "${ACE_PROJECT}">$(results.ace-project.path) + fi + + PERFORM_LINT="$(params.lint-dockerfile)" + echo -n "${PERFORM_LINT}">$(results.dockerfile-lint.path) + + for f in /tekton/results/*; do echo "results.$(basename $f)=$(cat $f)"; done diff --git a/ace/environments/ci/tasks/10-gitops.yaml b/ace/environments/ci/tasks/10-gitops.yaml new file mode 100644 index 0000000..795ab12 --- /dev/null +++ b/ace/environments/ci/tasks/10-gitops.yaml 
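Review bot: In the `git-clone` step the basic-auth credentials are embedded in the clone URL, so after `git clone` they persist in `.git/config` (`remote.origin.url`) on the shared `source` volume and are exposed to every later step and to anything that archives or prints the working copy; right after the clone, run `git remote set-url origin "$(params.git-url)"` so the checkout carries no token, or supply the credentials through a `GIT_ASKPASS` helper instead of the URL. The script also has no `set -e`, so a failed clone or a bad `git checkout $(params.git-revision)` falls through and the step still writes results for a nonexistent or wrong revision — add `set -e` next to the existing `set +x`. `$(params.git-url)`, `$(params.git-revision)` and the other params are substituted verbatim into the shell text before it runs, so a value containing shell metacharacters (for instance one supplied by a webhook payload) is executed rather than treated as data; Tekton's own guidance is to expose such params as `env:` entries and reference `"${GIT_URL}"` / `"${GIT_REVISION}"` quoted in the script. The hunk is 280 lines, so the registry and release-URL derivation below was not reviewed line by line.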
@@ -0,0 +1,229 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gitops + annotations: + description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: app-name + default: "" + - name: version + default: "" + - name: environment + default: "" + - name: app-type + default: "" + - name: source-dir + default: /source + - name: subdir + default: "" + - name: parentdir + default: "" + - name: yaml + default: "requirements.yaml" + - name: helm-url + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: gitops + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: username + optional: true + - name: GIT_PASSWORD_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: gitops-repo + key: parentdir + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo + key: host + 
optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo + key: org + optional: true + - name: GIT_REPO + valueFrom: + configMapKeyRef: + name: gitops-repo + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: gitops-repo + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAME="$(params.app-name)" + SUBDIR="$(params.subdir)" + if [[ -z "${SUBDIR}" ]]; then + SUBDIR="${APP_NAME}" + fi + if [[ -n "$(params.parentdir)" ]]; then + PARENT_DIR="$(params.parentdir)/$(params.app-type)/$(params.environment)" + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR | tail -n 1)"/$(params.app-type)/$(params.environment)" + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR}/$(params.app-type)/$(params.environment)" + else + PARENT_DIR="." + fi + SUBDIR="${PARENT_DIR}/${SUBDIR}" + + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + YAML_FILE="$(params.yaml)" + VERSION="$(params.version)" + HELM_URL="$(params.helm-url)" + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. 
Skipping trigger step" + exit 0 + fi + + set +x + if [[ -n "${GIT_USERNAME_CD}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME_CD}" + GIT_AUTH_PWD="${GIT_PASSWORD_CD}" + elif [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} gitops_cd + set -x + cd gitops_cd + + + if [[ -f "${SUBDIR}/${YAML_FILE}" ]]; then + echo "Requirements before update" + cat "${SUBDIR}/${YAML_FILE}" + + yq r "${SUBDIR}/${YAML_FILE}" -j | \ + jq --arg APP_NAME "${APP_NAME}" --arg VERSION "${VERSION}" --arg REPO "${HELM_URL}" '.dependencies |= map((select(.name == $APP_NAME) | .version = $VERSION | .repository = $REPO) // .)' | \ + yq r --prettyPrint - > "${SUBDIR}/${YAML_FILE}.new" + + rm "${SUBDIR}/${YAML_FILE}" + mv "${SUBDIR}/${YAML_FILE}.new" "${SUBDIR}/${YAML_FILE}" + + echo "Requirements after update" + cat "${SUBDIR}/${YAML_FILE}" + + elif [[ -n "${HELM_URL}" ]]; then + echo "Creating first time chart using ${SUBDIR}" + # create directory + mkdir -p "${SUBDIR}" + + # WARNING: Do not indent the cat commands below + + cat <"${SUBDIR}/Chart.yaml" + apiVersion: v2 + version: 0.1.0 + name: ${APP_NAME} + description: Chart to configure ArgoCD with the ${APP_NAME} project and its applications + EOF + + cat <"${SUBDIR}/${YAML_FILE}" + dependencies: + - name: ${APP_NAME} + version: ${VERSION} + repository: >- + ${HELM_URL} + EOF + + cat <"${SUBDIR}/values.yaml" + global: {} + 
${APP_NAME}: + replicaCount: 1 + EOF + + + else + echo "GitOps repo configured but unable to update application config" + exit 1 + fi + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + git add "${SUBDIR}/" + git commit -m "Updates ${APP_NAME} to ${VERSION}" + git push -v diff --git a/ace/environments/ci/tasks/11-update-image.yaml b/ace/environments/ci/tasks/11-update-image.yaml new file mode 100644 index 0000000..0c33d8d --- /dev/null +++ b/ace/environments/ci/tasks/11-update-image.yaml 
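Review bot: `eval $GIT_PARENT_DIR` runs the value of the `parentdir` key of the `gitops-repo` ConfigMap as a shell command whenever it starts with `bash -c`, so write access to that ConfigMap in the pipeline namespace is equivalent to command execution inside this step, with the `gitops-cd-secret` / `git-credentials` values in its environment. If the hook is intended, document the trust boundary on that branch, e.g. `# NOTE: parentdir may be a "bash -c ..." command and is executed here; the gitops-repo ConfigMap must be protected like the git secrets`, and consider restricting it to a plain path. As rendered, `cat <"${SUBDIR}/Chart.yaml"` followed by the body and `EOF` is not a heredoc; if the source actually reads `cat <<EOF >"${SUBDIR}/Chart.yaml"` (the `WARNING: Do not indent` comment suggests so) this is a rendering artifact, otherwise the first-time chart creation cannot work. `${APP_NAME}` and `${HELM_URL}` are interpolated unquoted into the generated YAML, so an app name that looks like a YAML special (a leading `*`, `&`, or a `: `) produces an invalid chart; quoting them in the heredocs is a cheap guard.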
@@ -0,0 +1,120 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-update-image + annotations: + description: Updates image info to the provided repo to trigger pipelines + app.openshift.io/description: Updates image info to the provided repo to trigger pipelines + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + description: The name of the git repository + - name: git-branch + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: source-dir + default: /source + - name: image-url + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: update-image + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo + key: org + optional: true + script: | + #!/usr/bin/env bash + set -ex + + BRANCH_CMD="" + if [[ -n "$(params.git-branch)" ]]; then + BRANCH_CMD="-b $(params.git-branch)" + fi + + GIT_REPO=$(basename $(params.git-url) .git) + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + + echo "Cloning the corresponding repository" + # clone repo + 
GIT_URL="${GIT_PROTOCOL}://${GIT_USERNAME}:${GIT_PASSWORD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} update_image + set -x + cd update_image + cd chart/base + + IMAGE_SERVER="$(echo "$(params.image-url)" | awk -F / '{print $1}')" + IMAGE_NAMESPACE="$(echo "$(params.image-url)" | awk -F / '{print $2}')" + IMAGE_REPOSITORY="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}')" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + + echo ${IMAGE_URL}:${IMAGE_VERSION} + + git checkout -b cntk-ci-pipeline-${IMAGE_REPOSITORY}-${IMAGE_VERSION} + + # update value for key applicationImage + sed -i "/repository:/c\ repository: ${IMAGE_URL}" ./values.yaml + sed -i "/tag:/c\ tag: ${IMAGE_VERSION}" ./values.yaml + + # verify the value for key applicationImage got updated + cat ./values.yaml | grep "tag" + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + # push changes to git + git add values.yaml + git commit -m "Cloudnative toolkit commit" --amend --no-edit --signoff + git remote rm origin + + git remote add origin ${GIT_URL} > /dev/null 2>&1 + git push origin cntk-ci-pipeline-${IMAGE_REPOSITORY}-${IMAGE_VERSION} + + GIT_PUSH_URL="${GIT_PROTOCOL}://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/pulls" + curl -u ${GIT_USERNAME}:${GIT_PASSWORD} -d '{"title":"PR to promote to $(params.git-branch) environment","base":"'$(params.git-branch)'", "head":"'${GIT_ORG}':cntk-ci-pipeline-'${IMAGE_REPOSITORY}'-'${IMAGE_VERSION}'"}' ${GIT_PUSH_URL} diff --git a/ace/environments/ci/tasks/12-argo-tests.yaml b/ace/environments/ci/tasks/12-argo-tests.yaml new file mode 100644 index 0000000..9e2d335 --- /dev/null +++ b/ace/environments/ci/tasks/12-argo-tests.yaml 
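Review bot: `GIT_URL="${GIT_PROTOCOL}://${GIT_USERNAME}:${GIT_PASSWORD}@..."` and the following `git clone` run while the `set -ex` from the top of the script is still active, so xtrace writes the cleartext password into the TaskRun log; the `set -x` after the clone suggests a `set +x` was meant to precede `GIT_URL=`, as 10-gitops.yaml does. The `curl -u ${GIT_USERNAME}:${GIT_PASSWORD} ... ${GIT_PUSH_URL}` at the end is traced the same way, and `git remote add origin ${GIT_URL}` stores the credential in `.git/config` — wrap both in `set +x` / `set -x`, or hand the credential to git through a credential helper instead of the URL. `GIT_PUSH_URL` hardcodes `api.github.com` while the host comes from the `gitops-repo` ConfigMap, so a non-github.com `GIT_HOST` clones from one server and opens the pull request on another; derive the API host from `GIT_HOST` or document the GitHub-only assumption next to that line. `sed -i "/tag:/c\ tag: ${IMAGE_VERSION}"` rewrites every line of values.yaml that contains `tag:`, not only the image tag; anchoring the pattern to the key (for example `/^ *tag:/`) or using `yq w` as the deploy tasks do avoids clobbering unrelated keys.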
@@ -0,0 +1,101 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-argo-tests + annotations: + description: Tests the app deployed by argocd in corresponding environments + app.openshift.io/description: Tests the app deployed by argocd in corresponding environments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: source-dir + default: /source + - name: tools-image + default: quay.io/hemankita/argocd-cli:latest + - name: argoAppName + description: Name of the app on Argocd + type: string + - name: image-url + description: url of the image + results: + - name: image-url + description: The url of the image to be pushed + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: run-app-tests + image: $(params.tools-image) + env: + - name: ARGO_USER + valueFrom: + secretKeyRef: + name: argocd-access-credentials + key: username + optional: true + - name: ARGO_PASSWORD + valueFrom: + secretKeyRef: + name: argocd-access-credentials + key: password + optional: true + - name: ARGO_URL + valueFrom: + configMapKeyRef: + name: argocd-config + key: ARGOCD_URL + optional: true + script: | + #!/usr/bin/env bash + echo ${ARGO_URL} + argocd login ${ARGO_URL} --insecure --username ${ARGO_USER} --password ${ARGO_PASSWORD} + IMAGE_NAME=$(argocd app manifests $(params.argoAppName) | grep image: | sed 's/^.*: //') + + # Checking if the image tags are up-to-date + echo ${IMAGE_NAME} + echo $(params.image-url) + + IMAGE_SERVER_ARGO="$(echo "${IMAGE_NAME}" | awk -F / '{print $1}')" + IMAGE_REPOSITORY_ARGO="$(echo "${IMAGE_NAME}" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION_ARGO="$(echo "${IMAGE_NAME}" | awk -F / '{print $3}' | awk -F : '{print $2}')" + + IMAGE_SERVER_REPO="$(echo "$(params.image-url)" | awk -F / '{print $1}')" + 
IMAGE_REPOSITORY_REPO="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION_REPO="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}')" + + if [ "${IMAGE_SERVER_ARGO}" = "${IMAGE_SERVER_REPO}" ] && [ "${IMAGE_REPOSITORY_ARGO}" = "${IMAGE_REPOSITORY_REPO}" ] && [ "${IMAGE_VERSION_ARGO}" = "${IMAGE_VERSION_REPO}" ]; then + echo "Synced !!! ... Deployment is up to date" + else + argocd app sync $(params.argoAppName) + until [[ "${IMAGE_SERVER_ARGO}" = "${IMAGE_SERVER_REPO}" && "${IMAGE_REPOSITORY_ARGO}" = "${IMAGE_REPOSITORY_REPO}" && "${IMAGE_VERSION_ARGO}" = "${IMAGE_VERSION_REPO}" ]]; do + echo "Syncing !!! ... Deployment is getting updated" + sleep 10 + IMAGE_NAME=$(argocd app manifests $(params.argoAppName) | grep image: | sed 's/^.*: //') + IMAGE_SERVER_ARGO="$(echo "${IMAGE_NAME}" | awk -F / '{print $1}')" + IMAGE_REPOSITORY_ARGO="$(echo "${IMAGE_NAME}" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION_ARGO="$(echo "${IMAGE_NAME}" | awk -F / '{print $3}' | awk -F : '{print $2}')" + done + fi + echo -n "${IMAGE_NAME}" | tee $(results.image-url.path) + # Checking if the sync is finished + # echo "Checking if the sync is finished" + # APP_PHASE=$(argocd app wait $(params.argoAppName) | grep Phase | sed 's/^.*: //g ') + # echo ${APP_PHASE} + # APP_HEALTH=$(argocd app wait $(params.argoAppName) | grep 'Health Status' | sed 's/^.*: //g ') + # echo ${APP_HEALTH} + # until [ "${APP_PHASE}" = "Succeeded" ] && [ "${APP_HEALTH}" = "Healthy" ]; do + # echo "Waiting for the app to come up on the environment" + # sleep 10 + # done + # if [ "${APP_PHASE}" = "Succeeded" ] && [ "${APP_HEALTH}" = "Healthy" ]; then + # echo "$(params.argoAppName) is successfully updated ... and is now ready" + # fi + securityContext: + privileged: true 
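Review bot: `securityContext: privileged: true` is set on `run-app-tests`, but the step only runs the `argocd` CLI against `${ARGO_URL}` and needs no host access; drop the securityContext so a compromised CLI or `quay.io/hemankita/argocd-cli:latest` image cannot escape the pod. `argocd login ${ARGO_URL} --insecure --username ${ARGO_USER} --password ${ARGO_PASSWORD}` skips TLS verification and puts the password on the command line, where it is visible in the pod's process list; prefer a trusted CA bundle and a token in `ARGOCD_AUTH_TOKEN`, and at least quote the expansions, since both secret keys are `optional: true` and an empty value shifts the remaining arguments. The `until` loop after `argocd app sync` has no bound, so a sync that never converges (or an `IMAGE_NAME` with several `image:` lines, which the `grep` does not disambiguate) leaves the TaskRun running indefinitely; add a countdown like the health-check tasks use and fail after it expires.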
diff --git a/ace/environments/ci/tasks/2-build-tag-push-ace-bar.yaml b/ace/environments/ci/tasks/2-build-tag-push-ace-bar.yaml new file mode 100644 index 0000000..fdf0592 --- /dev/null +++ b/ace/environments/ci/tasks/2-build-tag-push-ace-bar.yaml 
@@ -0,0 +1,139 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-build-tag-push-ace-bar + annotations: + description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: BUILDER_IMAGE + default: quay.io/buildah/stable:v1.21.4 + - name: DOCKERFILE + default: ./Dockerfile + - name: CONTEXT + default: . + - name: TLSVERIFY + default: "false" + - name: FORMAT + default: docker + - name: STORAGE_DRIVER + description: Set buildah storage driver + default: overlay + - name: app-name + default: "" + - name: ace-project + default: "" + - name: BUILD_EXTRA_ARGS + default: "" + volumes: + - name: varlibcontainers + emptyDir: {} + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: git-credentials + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + key: username + name: git-credentials + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + 
set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: compile + image: docker.io/rsundara/ace-build + envFrom: + - secretRef: + name: artifactory-access + command: + - /bin/sh + args: + - -c + - | + set -eu; + echo "Compile BAR"; + + # Used for debugging with mqsicreatebar + /usr/bin/Xvfb :100 & + export DISPLAY=:100 + + cd $(params.source-dir)/workspace + echo "Generating BAR" + mqsicreatebar -data . -b $(params.source-dir)/$(params.app-name)-$(params.image-tag).bar -a $(params.ace-project) + + echo "Upload BAR to Artifactory" + curl -u ${ARTIFACTORY_USER}:${ARTIFACTORY_ENCRYPT} -T $(params.source-dir)/$(params.app-name)-$(params.image-tag).bar "$(ARTIFACTORY_URL)/artifactory/generic-local/$(params.app-name)-$(params.image-tag).bar" + - name: build + image: $(params.BUILDER_IMAGE) + workingDir: $(params.source-dir) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + key: REGISTRY_USER + name: registry-access + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: REGISTRY_PASSWORD + name: registry-access + optional: true + envFrom: + - secretRef: + name: ibm-entitled-registry-credentials + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + privileged: true + script: | + APP_IMAGE="$(params.image-server)/$(params.image-namespace)/$(params.image-repository):$(params.image-tag)" + buildah login -u ${IBM_ENTITLED_REGISTRY_USER} -p ${IBM_ENTITLED_REGISTRY_PASSWORD} cp.icr.io + buildah --layers --storage-driver=$(params.STORAGE_DRIVER) bud ${BUILD_EXTRA_ARGS} --format=$(params.FORMAT) --tls-verify=$(params.TLSVERIFY) -f $(params.DOCKERFILE) -t ${APP_IMAGE} $(params.CONTEXT) + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "$(params.image-server)" != "image-registry.openshift-image-registry.svc:5000" ]]; then + buildah login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" "$(params.image-server)" + echo "buildah login -u 
"${REGISTRY_USER}" -p "xxxxx" "$(params.image-server)"" + fi + set -x + buildah --storage-driver=$(params.STORAGE_DRIVER) push --tls-verify=$(params.TLSVERIFY) --digestfile ./image-digest ${APP_IMAGE} docker://${APP_IMAGE} diff --git a/ace/environments/ci/tasks/4-deploy.yaml b/ace/environments/ci/tasks/4-deploy.yaml new file mode 100644 index 0000000..a1c662e --- /dev/null +++ b/ace/environments/ci/tasks/4-deploy.yaml 
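Review bot: In the `compile` step, `"$(ARTIFACTORY_URL)/artifactory/generic-local/..."` is shell command substitution, not Tekton parameter syntax, so it runs a command named `ARTIFACTORY_URL` (not found) and the upload targets `/artifactory/generic-local/...` with an empty host; the value arrives from the `artifactory-access` secret via `envFrom`, so it should read `"${ARTIFACTORY_URL}/artifactory/generic-local/$(params.app-name)-$(params.image-tag).bar"`. In the `build` step `${BUILD_EXTRA_ARGS}` is likewise a shell variable that nothing sets (unless the `ibm-entitled-registry-credentials` secret happens to define it), so the `BUILD_EXTRA_ARGS` parameter is silently ignored; it is only reachable as `$(params.BUILD_EXTRA_ARGS)`. `TLSVERIFY` defaults to `"false"`, which makes both `buildah bud` and `buildah push` accept any registry certificate; `"true"` with an explicit opt-out for the internal registry is the safer baseline for a task that publishes images. Both `buildah login` calls pass the password with `-p` on the command line; `--password-stdin` keeps it out of the process list.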
@@ -0,0 +1,210 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-deploy + annotations: + description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: service-port + - name: resource-type + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: deploy + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: 
ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + script: | + #!/usr/bin/env bash + set -ex + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="$(params.image-repository)" + fi + IMAGE_SERVER="$(params.image-server)" + IMAGE_NAMESPACE="$(params.image-namespace)" + IMAGE_REPOSITORY="$(params.image-repository)" + IMAGE_VERSION="$(params.image-tag)" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + FILE_NUM=$(find . -name 'Chart*.yaml' |wc -l) + if [[ "${FILE_NUM}" -gt 1 ]]; then + echo "Error: Found >1 Chart*.yaml" + exit 1 + fi + + export CHART=$(find . 
-name 'Chart*.yaml') + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "1.0.0-rc${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - --style single "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + helm dep update "${CHART_PATH}" + + # Using 'upgrade --install" for rolling updates. 
Note that subsequent updates will occur in the same namespace the release is currently deployed in, ignoring the explicit--namespace argument". + helm template ${RELEASE_NAME} ${CHART_PATH} \ + --namespace ${APP_NAMESPACE} \ + --set ${PREFIX}ingress.tlsSecretName="${TLS_SECRET_NAME}" \ + --set ${PREFIX}ingress.subdomain="${INGRESS_SUBDOMAIN}" > ./release.yaml + + echo -e "Generated release yaml for: ${APP_NAMESPACE}/${APP_NAME}" + cat ./release.yaml + + echo -e "Deploying into: ${APP_NAMESPACE}/${APP_NAME}" + kubectl apply -n ${APP_NAMESPACE} -f ./release.yaml --validate=false > results.out + cat results.out + echo "Waiting for rollout of ${APP_NAMESPACE}/${APP_NAME}" + + + cat results.out | \ + grep -E "deployment|statefulset|integrationserver|queuemanager" | \ + sed "s/deployment.apps/deployment/g" | \ + sed "s/statefulset.apps/statefulset/g" | \ + sed "s/configured//g" | \ + sed "s/created//g" | \ + sed "s/unchanged//g" | while read target; do + echo "Waiting for rollout of ${target} in ${APP_NAMESPACE}" + if [[ ${target} == *"integrationserver"* ]]; then + kubectl wait --timeout=-1s --for=condition=Ready ${target} + elif [[ ${target} == *"queuemanager"* ]]; then + until [[ "$(kubectl get ${target} -o 'jsonpath={.status.phase}')" = "Running" ]]; + do + sleep 5 + echo "Waiting for Queuemanager to be ready." + done + else + kubectl rollout status -n ${APP_NAMESPACE} ${target} + SERVICE_PORT=$(kubectl get svc "${APP_NAME}" -n "${APP_NAMESPACE}" -o jsonpath="{.spec.ports[?(@.name == 'http')].port}") + echo -n "${SERVICE_PORT}" | tee $(results.service-port.path) + fi + echo -n "${target}" | cut -f1 -d / | tee $(results.resource-type.path) + done diff --git a/ace/environments/ci/tasks/4-smoke-tests.yaml b/ace/environments/ci/tasks/4-smoke-tests.yaml new file mode 100644 index 0000000..9568f9a --- /dev/null +++ b/ace/environments/ci/tasks/4-smoke-tests.yaml 
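Review bot: The comment `# Using 'upgrade --install" for rolling updates. Note that subsequent updates will occur in the same namespace ... --namespace argument".` no longer matches the code below it, which renders with `helm template` and applies with `kubectl apply`; replace it with `# Render with helm template and apply directly; helm keeps no release record, so teardown must delete release.yaml explicitly`. The same stale comment sits in the `deploy` step of 4-smoke-tests.yaml. `kubectl apply ... --validate=false` turns off client-side schema validation, so a mistyped field in the chart is either rejected later by the API server or silently dropped; remove the flag unless a specific CRD here is known to fail validation, and name it in a comment if so. `kubectl wait --timeout=-1s` for the IntegrationServer waits, per kubectl's own documentation of a negative timeout, about a week, so a failed ACE rollout hangs the pipeline; a bounded value such as `--timeout=600s` fails fast instead.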
@@ -0,0 +1,301 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-smoke-tests + annotations: + description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: health-protocol + default: "https" + - name: health-endpoint + default: "/health" + - name: health-url + default: "" + - name: health-curl + default: "-k" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: resource-type + default: "" + results: + - name: service-port + - name: resource-type + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone 
$(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: deploy + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + securityContext: + privileged: true + script: | + #!/usr/bin/env bash + set -ex + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="$(params.image-repository)" + fi + IMAGE_SERVER="$(params.image-server)" + IMAGE_NAMESPACE="$(params.image-namespace)" + IMAGE_REPOSITORY="$(params.image-repository)" + IMAGE_VERSION="$(params.image-tag)" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + FILE_NUM=$(find . -name 'Chart*.yaml' |wc -l) + if [[ "${FILE_NUM}" -gt 1 ]]; then + echo "Error: Found >1 Chart*.yaml" + exit 1 + fi + + export CHART=$(find . 
-name 'Chart*.yaml') + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "1.0.0-rc${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - --style single "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + helm dep update "${CHART_PATH}" + + # Using 'upgrade --install" for rolling updates. 
Note that subsequent updates will occur in the same namespace the release is currently deployed in, ignoring the explicit--namespace argument". + helm template ${RELEASE_NAME} ${CHART_PATH} \ + --namespace ${APP_NAMESPACE} \ + --set ${PREFIX}ingress.tlsSecretName="${TLS_SECRET_NAME}" \ + --set ${PREFIX}ingress.subdomain="${INGRESS_SUBDOMAIN}" > ./release.yaml + + echo -e "Generated release yaml for: ${APP_NAMESPACE}/${APP_NAME}" + cat ./release.yaml + + echo -e "Deploying into: ${APP_NAMESPACE}/${APP_NAME}" + kubectl apply -n ${APP_NAMESPACE} -f ./release.yaml --validate=false > results.out + cat results.out + echo "Waiting for rollout of ${APP_NAMESPACE}/${APP_NAME}" + + + cat results.out | \ + grep -E "deployment|statefulset|integrationserver|queuemanager" | \ + sed "s/deployment.apps/deployment/g" | \ + sed "s/statefulset.apps/statefulset/g" | \ + sed "s/configured//g" | \ + sed "s/created//g" | \ + sed "s/unchanged//g" | while read target; do + echo "Waiting for rollout of ${target} in ${APP_NAMESPACE}" + if [[ ${target} == *"integrationserver"* ]]; then + kubectl wait --timeout=-1s --for=condition=Ready ${target} + elif [[ ${target} == *"queuemanager"* ]]; then + until [[ "$(kubectl get ${target} -o 'jsonpath={.status.phase}')" = "Running" ]]; + do + sleep 5 + echo "Waiting for Queuemanager to be ready." 
+ done + else + kubectl rollout status -n ${APP_NAMESPACE} ${target} + SERVICE_PORT=$(kubectl get svc "${APP_NAME}" -n "${APP_NAMESPACE}" -o jsonpath="{.spec.ports[?(@.name == 'http')].port}") + echo -n "${SERVICE_PORT}" | tee $(results.service-port.path) + fi + echo -n "${target}" | cut -f1 -d / | tee $(results.resource-type.path) + done + - name: health-check + image: $(params.tools-image) + script: | + #!/usr/bin/env bash + set -x + + URL="$(params.health-url)" + CURL_FLAGS="$(params.health-curl)" + + if [[ -z "${URL}" ]]; then + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + PROTOCOL="$(params.health-protocol)" + INGRESS_TYPE="$(params.deploy-ingress-type)" + HEALTH_ENDPOINT="$(params.health-endpoint)" + + echo "resource-type: $(params.resource-type)" + + if [[ "$(params.resource-type)" == *"integrationserver"* ]]; then + HOST=$(kubectl get route/${APP_NAME}-${PROTOCOL} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + elif [[ "${INGRESS_TYPE}" == "route" ]]; then + HOST=$(kubectl get route/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + else + HOST=$(kubectl get ingress/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.rules[0].host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="http" + fi + fi + + URL="${PROTOCOL}://${HOST}${HEALTH_ENDPOINT}" + + fi + + sleep_countdown=5 + # sleep for 10 seconds to allow enough time for the server to start + sleep 10 + echo "Health check start" + while [[ $(curl ${CURL_FLAGS} -sL -w "%{http_code}\\n" "${URL}" -o /dev/null --connect-timeout 3 --max-time 5 --retry 3 --retry-max-time 30) != "200" ]]; do + sleep 30 + echo "Health check failure. 
Remaining retries: $sleep_countdown" + sleep_countdown=$((sleep_countdown-1)) + if [[ $sleep_countdown -eq 0 ]]; then + echo "Could not reach health endpoint: ${URL}" + exit 1; + fi + done + echo "Successfully reached health endpoint: ${URL}" + echo "=====================================================================" + - name: cleanup + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAMESPACE="$(params.app-namespace)" + + kubectl delete -n ${APP_NAMESPACE} -f ./release.yaml diff --git a/ace/environments/ci/tasks/5-health-check.yaml b/ace/environments/ci/tasks/5-health-check.yaml new file mode 100644 index 0000000..2fd37b2 --- /dev/null +++ b/ace/environments/ci/tasks/5-health-check.yaml 
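Review bot: The `tools-image` parameter is declared twice in `spec.params` (once after `deploy-ingress-type`, again after `health-curl`); Tekton is likely to reject the Task for the duplicate name, and in any case only one default can apply, so remove the second entry. The `deploy` step sets `securityContext: privileged: true` although it only runs helm and kubectl, which the same step in 4-deploy.yaml does without privilege — drop it. Because Tekton stops at the first failing step, the `cleanup` step never runs when `health-check` exits 1, leaving the CI deployment in `app-namespace`; run the cleanup from a pipeline-level `finally`, or capture the health-check outcome and delete `release.yaml` before exiting non-zero. The `description` annotations still say "Deploys the application to the CI environment for verification..."; for this Task something like `description: Deploys the application to the CI namespace, runs the health check against it and removes it again` describes what the steps do.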
@@ -0,0 +1,86 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-health-check + annotations: + description: Performs a health check on the deployed application + app.openshift.io/description: Performs a health check on the deployed application + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: health-protocol + default: "https" + - name: health-endpoint + default: "/health" + - name: health-url + default: "" + - name: health-curl + default: "-k" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: resource-type + default: "" + steps: + - name: health-check + image: $(params.tools-image) + script: | + #!/usr/bin/env bash + set -x + + URL="$(params.health-url)" + CURL_FLAGS="$(params.health-curl)" + + if [[ -z "${URL}" ]]; then + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + PROTOCOL="$(params.health-protocol)" + INGRESS_TYPE="$(params.deploy-ingress-type)" + HEALTH_ENDPOINT="$(params.health-endpoint)" + + echo "resource-type: $(params.resource-type)" + + if [[ "$(params.resource-type)" == *"integrationserver"* ]]; then + HOST=$(kubectl get route/${APP_NAME}-${PROTOCOL} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + elif [[ "${INGRESS_TYPE}" == "route" ]]; then + HOST=$(kubectl get route/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + else + HOST=$(kubectl get ingress/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.rules[0].host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="http" + fi + fi + + URL="${PROTOCOL}://${HOST}${HEALTH_ENDPOINT}" + + fi + + sleep_countdown=5 + # 
sleep for 10 seconds to allow enough time for the server to start + sleep 10 + echo "Health check start" + while [[ $(curl ${CURL_FLAGS} -sL -w "%{http_code}\\n" "${URL}" -o /dev/null --connect-timeout 3 --max-time 5 --retry 3 --retry-max-time 30) != "200" ]]; do + sleep 30 + echo "Health check failure. Remaining retries: $sleep_countdown" + sleep_countdown=$((sleep_countdown-1)) + if [[ $sleep_countdown -eq 0 ]]; then + echo "Could not reach health endpoint: ${URL}" + exit 1; + fi + done + echo "Successfully reached health endpoint: ${URL}" + echo "=====================================================================" diff --git a/ace/environments/ci/tasks/7-tag-release.yaml b/ace/environments/ci/tasks/7-tag-release.yaml new file mode 100644 index 0000000..7535745 --- /dev/null +++ b/ace/environments/ci/tasks/7-tag-release.yaml 
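Review bot: The `health-curl` param defaults to `-k`, so every health check in this task runs with TLS certificate verification disabled unless a caller overrides it; on the curl line inside the `while` loop that means a misissued or intercepted certificate on the route is accepted silently. Defaulting it to `""` and having callers with self-signed routes pass `-k` explicitly keeps verification on by default: `- name: health-curl` / `default: ""`. Separately, in the `integrationserver` branch the route name `route/${APP_NAME}-${PROTOCOL}` is built before the `-z "${PROTOCOL}"` fallback runs, so an explicitly empty `health-protocol` queries `route/<app>-` instead of `<app>-https`; moving the fallback above the `kubectl get route` call fixes it. Because the script uses `set -x` without `-e`, a failed `kubectl get` leaves `HOST` empty and the loop polls `https:///health` until the retries are exhausted rather than failing fast.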
@@ -0,0 +1,106 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-tag-release + annotations: + description: Tags the git repository with the next version release value + app.openshift.io/description: Tags the git repository with the next version release value + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: skip-push + default: "" + - name: js-image + default: quay.io/ibmgaragecloud/node:lts-stretch + results: + - name: tag + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + # Need to create branch to make release-it work + git switch -c local + - name: git-tag + image: $(params.js-image) + workingDir: $(params.source-dir) + script: | + #!/usr/bin/env bash + set -ex + + echo "Current branch: $(git rev-parse --abbrev-ref HEAD)" + git fetch --tags + git config --global user.email "cloud-native-toolkit@example.com" + git config --global user.name "Cloud Native Toolkit Pipeline" + if [[ $(git 
describe --tag `git rev-parse HEAD`) =~ (^[0-9]+.[0-9]+.[0-9]+$) ]]; then + echo "Latest commit is already tagged" + NEW_TAG="$(git describe --abbrev=0 --tags)" + echo -n "${NEW_TAG}" | tee $(results.tag.path) + exit 0 + fi + mkdir -p ~/.npm + npm config set prefix ~/.npm + export PATH=$PATH:~/.npm/bin + npm i -g release-it + + release-it patch \ + --ci \ + --no-npm \ + --no-git.push \ + --no-git.requireCleanWorkingDir \ + --no-git.requireUpstream \ + -VV + + if [[ -z "$(params.skip-push)" ]]; then + set +x + git push --tags -v + set -x + fi + + NEW_TAG="$(git describe --abbrev=0 --tags)" + if [[ -z "${NEW_TAG}" ]]; then + echo "Error: NEW_TAG not defined" + exit 1 + fi + echo -n "${NEW_TAG}" | tee $(results.tag.path) \ No newline at end of file diff --git a/ace/environments/ci/tasks/8-image-release.yaml b/ace/environments/ci/tasks/8-image-release.yaml new file mode 100644 index 0000000..5c6ad20 --- /dev/null +++ b/ace/environments/ci/tasks/8-image-release.yaml 
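Review bot: `npm i -g release-it` in the `git-tag` step installs whatever version of release-it the registry serves at pipeline run time, unpinned and without a lockfile, so the tool that creates and pushes release tags is a moving, unverified dependency; pin it, e.g. `npm i -g release-it@<pinned-version>` with the version recorded in this file, or bake it into `js-image` alongside node. The clone in `git-clone` embeds `${GIT_USERNAME}:${GIT_PASSWORD}` in the remote URL, which git persists in `.git/config` on the shared `source` volume for the rest of the task; `git push --tags -v` and `release-it -VV` then run against that remote, and verbose output from either may echo the remote URL, so the `set +x` around the push does not by itself guarantee the password stays out of the log — worth confirming, or prefer a credential helper / `GIT_ASKPASS` over an in-URL secret. Minor: the regex `(^[0-9]+.[0-9]+.[0-9]+$)` uses unescaped dots, so a tag like `1x2y3` would pass as a version; `^[0-9]+\.[0-9]+\.[0-9]+$` is what is meant.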
@@ -0,0 +1,79 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-img-release + annotations: + description: Tags the git repository and releases the intermediate container image with the version tag + app.openshift.io/description: Tags the git repository and releases the intermediate container image with the version tag + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: image-from + default: "" + - name: image-to + default: "" + - name: SKOPEO_IMAGE + default: quay.io/containers/skopeo:v1.1.0 + - name: IMAGE_FROM_TLS_VERIFY + default: "true" + - name: IMAGE_TO_TLS_VERIFY + default: "true" + results: + - name: image-url + description: The url of the image to be pushed + volumes: + - name: varlibcontainers + emptyDir: {} + steps: + - name: image-tag + image: $(params.SKOPEO_IMAGE) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + privileged: true + script: | + IMAGE_FROM="$(params.image-from)" + REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}') + IMAGE_TO="$(params.image-to)" + REGISTRY_SERVER_TO=$(echo "${IMAGE_TO}" | awk -F / '{print $1}') + IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY) + IMAGE_TO_TLS_VERIFY=$(params.IMAGE_TO_TLS_VERIFY) + + echo "Tagging ${IMAGE_FROM} as ${IMAGE_TO}" + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ ! "${REGISTRY_SERVER_FROM}" =~ ":" ]]; then + IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ ! 
"${REGISTRY_SERVER_TO}" =~ ":" ]]; then + IMAGE_TO_CREDS="--dest-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + set -x + if [[ "${REGISTRY_SERVER_FROM}" =~ ":" ]]; then + IMAGE_FROM_TLS_VERIFY="false" + fi + if [[ "${REGISTRY_SERVER_TO}" =~ ":" ]]; then + IMAGE_TO_TLS_VERIFY="false" + fi + + echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} --dest-creds=xxxx --dest-tls-verify=${IMAGE_TO_TLS_VERIFY} docker://${IMAGE_FROM} docker://${IMAGE_TO}" + set +x + skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} ${IMAGE_TO_CREDS} --dest-tls-verify=${IMAGE_TO_TLS_VERIFY} docker://${IMAGE_FROM} docker://${IMAGE_TO} + set -x + echo -n "${IMAGE_TO}" | tee $(results.image-url.path) \ No newline at end of file diff --git a/ace/environments/ci/tasks/9-helm-release.yaml b/ace/environments/ci/tasks/9-helm-release.yaml new file mode 100644 index 0000000..91e1077 --- /dev/null +++ b/ace/environments/ci/tasks/9-helm-release.yaml 
@@ -0,0 +1,289 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-helm-release + annotations: + description: Publishes the helm chart to the helm repository using the version provided in the image-url + app.openshift.io/description: Publishes the helm chart to the helm repository using the version provided in the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-url + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: helm-curl + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: helm-url + description: The url of the helm repository + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: package-helm + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + 
configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + - name: ARTIFACTORY_URL + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_URL + optional: true + - name: ARTIFACTORY_USER + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_USER + optional: true + - name: ARTIFACTORY_ENCRYPT + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_ENCRYPT + optional: true + - name: ARTIFACTORY_REPOSITORY_KEY + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_REPOSITORY_KEY + optional: true + - name: HELM_URL + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_URL + optional: true + - name: HELM_USER + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_USER + optional: true + - name: HELM_PASSWORD + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_PASSWORD + optional: true + script: | + #!/usr/bin/env bash + set -ex + + CURL_FLAGS="$(params.helm-curl)" + + echo "1. Package Helm Chart" + + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + + IMAGE_SERVER="$(echo "$(params.image-url)" | awk -F / '{print $1}')" + IMAGE_NAMESPACE="$(echo "$(params.image-url)" | awk -F / '{print $2}')" + IMAGE_REPOSITORY="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}')" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="${IMAGE_REPOSITORY}" + fi + + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + export CHART=$(find . 
-name Chart*.yaml) + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + echo "" + echo "Chart ${CHART_PATH}" + cat ${CHART_PATH}/Chart.yaml + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + + echo "2. 
Publish Helm Chart" + + if [[ -z "${HELM_URL}" ]] && [[ -z "${HELM_USER}" ]]; then + if [[ -z "${ARTIFACTORY_URL}" ]]; then + echo "It looks like Artifactory has not been installed (ARTIFACTORY_URL from artifactory-acess secret is missing). Skipping step." + exit 0 + fi + + set +x + if [[ -z "${ARTIFACTORY_USER}" ]]; then + echo "Something's wrong... The Artifactory url is configured but the Artifactory credentials cannot be found. Check your artifactory-access secret." + exit 1 + fi + + if [[ -z "${ARTIFACTORY_ENCRYPT}" ]]; then + echo "It looks like your Artifactory installation is not complete. Please complete the steps found here - http://ibm.biz/complete-setup" + exit 1 + fi + + HELM_USER="${ARTIFACTORY_USER}" + set +x + HELM_PASSWORD="${ARTIFACTORY_ENCRYPT}" + set -x + + if [[ -z "${ARTIFACTORY_REPOSITORY_KEY}" ]]; then + ARTIFACTORY_REPOSITORY_KEY="generic-local" + fi + + if [[ -z "${HELM_URL}" ]]; then + HELM_URL="${ARTIFACTORY_URL}/artifactory/${ARTIFACTORY_REPOSITORY_KEY}" + fi + + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + export CHART_NAME="${APP_NAME}" + echo "CHART_NAME: $CHART_NAME" + + CHART_PATH="${CHART_ROOT}/${CHART_NAME}" + + helm dep update "${CHART_PATH}" + + # Package Helm Chart + helm package --version ${IMAGE_VERSION} ${CHART_PATH} + + # Get the index and re index it with current Helm Chart + set +x + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -O ${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -O "${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + set -x + + apiVersion=$(grep apiVersion ./index.yaml | sed -E "s/apiVersion: (.*)/\1/g") + if [[ $(cat index.yaml | jq '.errors[0].status') != "404" ]] && [[ -n "${apiVersion}" ]]; then + # Merge the chart index with the current index.yaml held in Artifactory + echo "Merging Chart into index.yaml for Chart Repository" + helm repo index . 
--url ${HELM_URL}/${IMAGE_NAMESPACE} --merge index.yaml + else + # Dont Merge this is first time one is being created + echo "Creating a new index.yaml for Chart Repository" + rm index.yaml + helm repo index . --url ${HELM_URL}/${IMAGE_NAMESPACE} + fi; + + # Persist the Helm Chart in Helm repo for us by ArgoCD + set +x + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -s -T ${CHART_NAME}-${IMAGE_VERSION}.tgz ${HELM_URL}/${IMAGE_NAMESPACE}/${CHART_NAME}-${IMAGE_VERSION}.tgz" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T ${CHART_NAME}-${IMAGE_VERSION}.tgz "${HELM_URL}/${IMAGE_NAMESPACE}/${CHART_NAME}-${IMAGE_VERSION}.tgz" + + # Persist the Helm Index in the helm repo for us by ArgoCD + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -s -T index.yaml ${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T index.yaml "${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + + echo -n "${HELM_URL}/${IMAGE_NAMESPACE}" | tee $(results.helm-url.path) + + diff --git a/ace/environments/ci/tasks/9-img-scan.yaml b/ace/environments/ci/tasks/9-img-scan.yaml new file mode 100644 index 0000000..c3fdb10 --- /dev/null +++ b/ace/environments/ci/tasks/9-img-scan.yaml 
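Review bot: The two `curl -T` uploads at the end of `package-helm` run without `--fail`, so an HTTP 401/403/5xx from the chart repository returns exit 0 and `set -e` never fires; the task then writes `helm-url` as if the chart and index had been published, and the consumer of that result deploys a version that is not in the repository. Adding `--fail` to both uploads (`curl ${CURL_FLAGS} --fail -u${HELM_USER}:${HELM_PASSWORD} -s -T ...`) makes a rejected publish fail the task; the earlier `index.yaml` download is deliberately allowed to return an error body for the first-publish case, so it can stay as is. Passing the password via `-u${HELM_USER}:${HELM_PASSWORD}` also puts it on the curl argv, visible in the pod's process list even with `set +x`; `--netrc-file` or a `-K`/`--config` file populated from the secret keeps it off the command line.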
@@ -0,0 +1,181 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-img-scan + annotations: + description: Runs an image scan with Trivy or IBM VA and fails the build if issues are found. + app.openshift.io/description: Runs an image scan with Trivy or IBM VA and fails the build if issues are found. + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: image-url + description: "The location of image to scan on IBM Container Registry //:" + - name: scan-trivy + description: Flag indicating that a scan should be performed with Trivy + default: "false" + - name: scan-ibm + description: Flag indicating that a scan should be performed with IBM VA + default: "false" + - name: SKOPEO_IMAGE + default: quay.io/containers/skopeo:v1.1.0 + - name: IMAGE_FROM_TLS_VERIFY + default: "false" + - name: TRIVY_IMAGE + default: quay.io/ibmgaragecloud/aquasec-trivy + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: oci-image + emptyDir: {} + steps: + - name: trivy-pull + image: $(params.SKOPEO_IMAGE) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/oci + name: oci-image + securityContext: + privileged: true + script: | + set -ex + PERFORM_SCAN="$(params.scan-trivy)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." 
+ exit 0 + fi + IMAGE_FROM=$(params.image-url) + REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}') + IMAGE_TO="oci:/var/oci/image" + IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY) + echo "Tagging ${IMAGE_FROM} as ${IMAGE_TO}" + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "${REGISTRY_SERVER_FROM}" != "image-registry.openshift-image-registry.svc:5000" ]]; then + IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + set -x + if [ "${REGISTRY_SERVER_FROM}" =~ ":" ]; then + IMAGE_FROM_TLS_VERIFY="false" + fi + echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO}" + set +x + skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO} + - name: trivy-scan + image: $(params.TRIVY_IMAGE) + volumeMounts: + - mountPath: /var/oci + name: oci-image + script: | + set -ex + PERFORM_SCAN="$(params.scan-trivy)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." + exit 0 + fi + PATH_TO_IMAGE="/var/oci/image" + echo -e "Trivy Security Scan image in registry" + trivy image --exit-code 0 --input ${PATH_TO_IMAGE} + trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE} + my_exit_code=$? + echo "Scan exit code :--- $my_exit_code" + if [ ${my_exit_code} == 1 ]; then + echo "Trivy scanning completed. CRITICAL Vulnerabilities found." + exit 1 + else + echo "Trivy scanning completed. CRITICAL vulnerabilities not found." 
+ fi + - name: ibm-scan + image: $(params.tools-image) + env: + - name: HOME + value: /home/devops + - name: IBM_CLOUD_APIKEY + valueFrom: + secretKeyRef: + key: APIKEY + name: ibmcloud-apikey + optional: true + - name: IBM_CLOUD_REGION + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: REGION + optional: true + script: | + #!/usr/bin/env bash + set -ex + PERFORM_SCAN="$(params.scan-ibm)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Vulnerability Advisor validation." + exit 0 + fi + + IMAGE_URL=$(params.image-url) + REGISTRY_SERVER=$(echo $(params.image-url) | awk -F / '{print $1}') + + + + if [[ ! "${REGISTRY_SERVER}" =~ icr.io ]]; then + echo "The image is not stored in the IBM Cloud Image Registry. Skipping Vulnerability Advisor validation" + exit 0 + fi + + + echo -e "VA Security Scan image in registry" + + echo "Registry URL: ${REGISTRY_SERVER}" + + set +x + ibmcloud login --apikey ${IBM_CLOUD_APIKEY} -r ${IBM_CLOUD_REGION} + ibmcloud target -r ${IBM_CLOUD_REGION} + set -x + ibmcloud cr namespace-list + + echo "Getting the VA status of ${IMAGE_URL}" + + set +e + ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later" + retry=$? + while [ $retry -eq 0 ]; do + sleep 30 + echo "Trying again to see if scan is done" + ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later" + retry=$? 
+ done + set -e + ibmcloud cr va ${IMAGE_URL} --output json + echo "Saving results to va-result.json" + ibmcloud cr va ${IMAGE_URL} --output json > va-result.json + VA_STATUS=$(cat va-result.json | jq -r '.[].status') + + echo "VA scan status: ${VA_STATUS}" + + if [[ "${VA_STATUS}" == "OK" ]]; then + echo "VA - No Issues in the image" + exit 0 + elif [[ $(cat va-result.json | jq -r '.[].vulnerabilities | length') -gt 0 ]]; then + echo "VA Failure: $(cat va-result.json | jq -r '.[].vulnerabilities | length') vulnerabilities found in the image" + cat va-result.json | jq -r '.[].vulnerabilities' + exit 1 + elif [[ $(cat va-result.json | jq -r '.[].configuration_issues | length') -gt 0 ]]; then + echo "VA Warning - $(cat va-result.json | jq -r '.[].configuration_issues | length') configuration issues found in the image" + cat va-result.json | jq -r '.[].configuration_issues' + exit 0 + else + echo "VA Warning: non-OK status from Vulnerability Advisor ${VA_STATUS}" + cat va-result.json | jq -r '.[]' + fi \ No newline at end of file diff --git a/ace/environments/ci/tasks/ace-tasks.yaml b/ace/environments/ci/tasks/ace-tasks.yaml new file mode 100644 index 0000000..7b3abff --- /dev/null +++ b/ace/environments/ci/tasks/ace-tasks.yaml 
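Review bot: In `trivy-scan`, `set -ex` means the `trivy image --exit-code 1 --severity CRITICAL` call terminates the step as soon as it finds a critical finding, so `my_exit_code=$?` and the `if` block that reports "CRITICAL Vulnerabilities found" are unreachable; the build still fails, which is the right outcome, but the diagnostic never prints. Capturing the status explicitly keeps the message: `my_exit_code=0` / `trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE} || my_exit_code=$?`. In `trivy-pull`, `if [ "${REGISTRY_SERVER_FROM}" =~ ":" ]` uses single brackets, where `=~` is not an operator, so that test reports an error and falls through every time; it should be `[[ ... ]]` as on the credential check just above it. Also note that `IMAGE_FROM_TLS_VERIFY` defaults to `"false"` in this task while the sibling `8-image-release.yaml` defaults to `"true"`, so the image being scanned is pulled without certificate verification unless the caller overrides it; defaulting to `"true"` here and relying on the (fixed) in-cluster check for the local registry keeps the scan input as trustworthy as the release copy.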
@@ -0,0 +1,449 @@ +apiVersion: v1 +items: +- apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: create-config + spec: + params: + - name: is-config-directory + type: string + - name: is-infra-directory + type: string + - name: is-configuration-keystore + type: string + - name: is-configuration-truststore + type: string + - name: is-configuration-setdbparms + type: string + - name: is-configuration-serverconf + type: string + - name: is-configuration-policyproject + type: string + - name: is-configuration-loopbackdatasource + type: string + results: + - description: "" + name: configurations + steps: + - env: + - name: IS_CONFIG_DIRECTORY + value: $(params.is-config-directory) + - name: IS_INFRA_DIRECTORY + value: $(params.is-infra-directory) + - name: IS_CONFIGURATION_KEYSTORE + value: $(params.is-configuration-keystore) + - name: IS_CONFIGURATION_TRUSTSTORE + value: $(params.is-configuration-truststore) + - name: IS_CONFIGURATION_SETDBPARMS + value: $(params.is-configuration-setdbparms) + - name: IS_CONFIGURATION_SERVERCONF + value: $(params.is-configuration-serverconf) + - name: IS_CONFIGURATION_POLICYPROJECT + value: $(params.is-configuration-policyproject) + - name: IS_CONFIGURATION_LOOPBACKDATASOURCE + value: $(params.is-configuration-loopbackdatasource) + - name: WORKSPACE_PATH + value: $(workspaces.workspace.path) + image: quay.io/hollisc/yq-zip + name: setup-configuration + resources: {} + script: | + #!/bin/bash + + set -e + + config_template_path=${WORKSPACE_PATH}/${IS_INFRA_DIRECTORY}/configurations + rendered_config_directory=${WORKSPACE_PATH}/configurations + config_definition_path=${WORKSPACE_PATH}/${IS_CONFIG_DIRECTORY} + + create_configurations() { + local type=$1 + local config=$2 + + local sanitised_file_name=$(echo $config | sed 's/\./_/g;s/-/_/g;s/^[[:upper:]]/\L&/;s/[[:upper:]]/\L_&/g') + local sanitised_config_name=$(echo $config | sed 's/^[[:upper:]]/\L&/;s/_/-/g;s/[[:upper:]]/\L-&/g') + + case $type in + setdbparms | keystore | 
truststore) + cp $config_template_path/configuration-with-secret.yaml $rendered_config_directory/$sanitised_file_name.yaml + + e=$sanitised_config_name yq e -i '.spec.secretName = env(e)' $rendered_config_directory/$sanitised_file_name.yaml + ;; + serverconf) + cp $config_template_path/configuration-with-data.yaml $rendered_config_directory/$sanitised_file_name.yaml + + contents=$(base64 -w 0 $config_definition_path/$config) + + e=$contents yq e -i '.spec.contents = env(e)' $rendered_config_directory/$sanitised_file_name.yaml + ;; + policyproject) + cp $config_template_path/configuration-with-data.yaml $rendered_config_directory/$sanitised_file_name.yaml + + pushd $config_definition_path > /dev/null + contents=$(zip -r - $config | base64 -w 0) + popd > /dev/null + + e=$contents yq e -i '.spec.contents = env(e)' $rendered_config_directory/$sanitised_file_name.yaml + ;; + loopbackdatasource) + cp $config_template_path/configuration-with-data.yaml $rendered_config_directory/$sanitised_file_name.yaml + + pushd $config_definition_path > /dev/null + contents=$(zip - $config | base64 -w 0) + popd > /dev/null + + e=$contents yq e -i '.spec.contents = env(e)' $rendered_config_directory/$sanitised_file_name.yaml + ;; + esac + + e=$sanitised_config_name yq e -i '.metadata.name = env(e)' $rendered_config_directory/$sanitised_file_name.yaml + e=$type yq e -i '.spec.type = strenv(e)' $rendered_config_directory/$sanitised_file_name.yaml + + echo $sanitised_file_name.yaml + } + + process_configrations() { + local config_type=$1 + + for config in ${!config_type}; do + local config_pattern='^IS_CONFIGURATION_(.+)' + if [[ $config_type =~ $config_pattern ]]; then + local type=$(echo "${BASH_REMATCH[1]}" | sed -e 's/\(.*\)/\L\1/') + else + echo "unknown config type parameter: $config_type" + exit 1 + fi + + create_configurations $type $config + + done + } + + rm -rf $rendered_config_directory + mkdir -p $rendered_config_directory + + configurations="" + + for config_type in 
IS_CONFIGURATION_SERVERCONF IS_CONFIGURATION_SETDBPARMS \ + IS_CONFIGURATION_KEYSTORE IS_CONFIGURATION_TRUSTSTORE \ + IS_CONFIGURATION_POLICYPROJECT IS_CONFIGURATION_LOOPBACKDATASOURCE; do + + configurations="${configurations} $(process_configrations $config_type)" + + done + + echo -n ${configurations## } > $(results.configurations.path) + workingDir: $(workspaces.workspace.path) + workspaces: + - name: workspace +- apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: create-is + spec: + params: + - name: is-infra-directory + type: string + - name: IMAGE + type: string + - name: release-name + type: string + - name: configurations + type: string + steps: + - image: quay.io/hollisc/yq-zip + name: setup-custom-resource + resources: {} + script: | + is_manifest_template=$(workspaces.input.path)/$(params.is-infra-directory)/IntegrationServer.yaml + + mkdir -p $(workspaces.input.path)/integration_server + is_manifest_rendered=$(workspaces.input.path)/integration_server/IntegrationServer.yaml + + cp $is_manifest_template $is_manifest_rendered + + e=$(params.release-name) yq e -i '.metadata.name = env(e)' $is_manifest_rendered + e=$(params.IMAGE) yq e -i '.spec.pod.containers.runtime.image = env(e)' $is_manifest_rendered + + yq --version + + for configuration in $(params.configurations) ; do + config=$configuration yq e -i '.spec.configurations = (.spec.configurations // []) + env(config)' $is_manifest_rendered + done + workingDir: $(workspaces.input.path) + workspaces: + - name: input +- apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: generate-bar + spec: + params: + - name: is-source-directory + type: string + - name: is-application-names + type: string + - name: bar-location + type: string + - name: bar-filename + type: string + steps: + - image: quay.io/hollisc/mqsicreatebar + name: generate-bar + resources: {} + script: | + mkdir -p $(params.bar-location) + mqsicreatebar.sh \ + -data 
$(workspaces.workspace.path)/$(params.is-source-directory) \ + -a $(params.is-application-names) \ + -b $(params.bar-location)/$(params.bar-filename) -skipWSErrorCheck + workspaces: + - name: workspace +- apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: git-clone + spec: + description: |- + These Tasks are Git tasks to work with repositories used by other tasks in your Pipeline. + The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. You can clone into a subdirectory by setting this Task's subdirectory param. + params: + - description: git url to clone + name: url + type: string + - default: "" + description: git revision to checkout (branch, tag, sha, ref…) + name: revision + type: string + - default: "" + description: (optional) git refspec to fetch before checking out revision + name: refspec + type: string + - default: "true" + description: defines if the resource should initialize and fetch the submodules + name: submodules + type: string + - default: "1" + description: performs a shallow clone where only the most recent commit(s) will + be fetched + name: depth + type: string + - default: "true" + description: defines if http.sslVerify should be set to true or false in the + global git config + name: sslVerify + type: string + - default: "" + description: subdirectory inside the "output" workspace to clone the git repo + into + name: subdirectory + type: string + - default: "true" + description: clean out the contents of the repo's destination directory (if + it already exists) before trying to clone the repo there + name: deleteExisting + type: string + - default: "" + description: git HTTP proxy server for non-SSL requests + name: httpProxy + type: string + - default: "" + description: git HTTPS proxy server for SSL requests + name: httpsProxy + type: string + - default: "" + description: git no proxy - opt out of proxying HTTP/HTTPS requests + 
name: noProxy + type: string + - default: "true" + description: log the commands used during execution + name: verbose + type: string + - default: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.18.0 + description: the image used where the git-init binary is + name: gitInitImage + type: string + - default: "" + description: the private key to use + name: sshPrivateKey + type: string + results: + - description: The precise commit SHA that was fetched by this Task + name: commit + - description: The precise URL that was fetched by this Task + name: url + steps: + - image: $(params.gitInitImage) + name: clone + resources: {} + script: | + #!/bin/sh + set -eu -o pipefail + + if [[ "$(params.verbose)" == "true" ]] ; then + set -x + fi + + if [[ "$(params.sshPrivateKey)" != "" ]] ; then + eval `ssh-agent` + ssh-add ~/.ssh/$(params.sshPrivateKey) + fi + + CHECKOUT_DIR="$(workspaces.output.path)/$(params.subdirectory)" + + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/" + # or the root of a mounted volume. + if [[ -d "$CHECKOUT_DIR" ]] ; then + # Delete non-hidden files and directories + rm -rf "$CHECKOUT_DIR"/* + # Delete files and directories starting with . but excluding .. + rm -rf "$CHECKOUT_DIR"/.[!.]* + # Delete files and directories starting with .. 
plus any other character + rm -rf "$CHECKOUT_DIR"/..?* + fi + } + + if [[ "$(params.deleteExisting)" == "true" ]] ; then + cleandir + fi + + test -z "$(params.httpProxy)" || export HTTP_PROXY=$(params.httpProxy) + test -z "$(params.httpsProxy)" || export HTTPS_PROXY=$(params.httpsProxy) + test -z "$(params.noProxy)" || export NO_PROXY=$(params.noProxy) + + /ko-app/git-init \ + -url "$(params.url)" \ + -revision "$(params.revision)" \ + -refspec "$(params.refspec)" \ + -path "$CHECKOUT_DIR" \ + -sslVerify="$(params.sslVerify)" \ + -submodules="$(params.submodules)" \ + -depth "$(params.depth)" + cd "$CHECKOUT_DIR" + RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" + if [ "$EXIT_CODE" != 0 ] ; then + exit $EXIT_CODE + fi + # ensure we don't add a trailing newline to the result + echo -n "$RESULT_SHA" > $(results.commit.path) + echo -n "$(params.url)" > $(results.url.path) + workspaces: + - description: The git repo will be cloned onto the volume backing this workspace + name: output +- apiVersion: tekton.dev/v1beta1 + kind: Task + metadata: + name: resolve-props + spec: + params: + - name: is-source-directory + type: string + results: + - description: "" + name: is-application-names + - description: "" + name: release-name + - description: "" + name: is-configuration-keystore + - description: "" + name: is-configuration-truststore + - description: "" + name: is-configuration-setdbparms + - description: "" + name: is-configuration-serverconf + - description: "" + name: is-configuration-policyproject + - description: "" + name: is-configuration-loopbackdatasource + - description: "" + name: mq-queue-name + - description: "" + name: mq-end-point-policy-file + - description: "" + name: registry-host + - description: "" + name: previous-is-genenration + - description: "" + name: previous-deployment-revision + - description: "" + name: endpoint-path + - name: is-configurations + steps: + - image: quay.io/hollisc/yq-zip + name: parse-source-properties + resources: {} + 
script: | + #!/bin/bash + + set -ex + + properties_yaml_path=$(workspaces.input.path)/$(params.is-source-directory)/pipeline_properties.yaml + + if [[ ! -e $properties_yaml_path ]]; then + echo "no pipeline property file found" + exit 0 + fi + + resolve_props() { + exp=$1 + result_path=$2 + + echo -n `yq e "$exp // [] | join (\" \")" $properties_yaml_path` > $result_path + } + + resolve_prop() { + exp=$1 + result_path=$2 + + echo -n `yq e "$exp // \"\" " $properties_yaml_path` > $result_path + } + + resolve_props '.integrationServer.applicationNames' $(results.is-application-names.path) + resolve_prop '.integrationServer.releaseName' $(results.release-name.path) + + resolve_props '.integrationServer.configurations.keystore' $(results.is-configuration-keystore.path) + resolve_props '.integrationServer.configurations.truststore' $(results.is-configuration-truststore.path) + resolve_props '.integrationServer.configurations.setdbparms' $(results.is-configuration-setdbparms.path) + resolve_props '.integrationServer.configurations.serverconf' $(results.is-configuration-serverconf.path) + resolve_props '.integrationServer.configurations.policyproject' $(results.is-configuration-policyproject.path) + resolve_props '.integrationServer.configurations.loopbackdatasource' $(results.is-configuration-loopbackdatasource.path) + + resolve_props '.integrationServer.configurations.*' $(results.is-configurations.path) + + resolve_prop '.mq.queueName' $(results.mq-queue-name.path) + resolve_prop '.mq.endPointPolicyFile' $(results.mq-end-point-policy-file.path) + - image: quay.io/openshift/origin-cli:latest + name: resolve-ocp-properties + resources: {} + script: |2 + + release_name=$(cat $(results.release-name.path)) + echo $release_name + + set +e + previous_is_genenration=$(oc get integrationserver \ + $release_name -o jsonpath='{.metadata.generation}' 2>/dev/null) + set +e + + echo -n $previous_is_genenration > $(results.previous-is-genenration.path) + + if [[ ! 
-z $previous_is_genenration ]]; then + oc get deployment \ + -l app.kubernetes.io/instance=$release_name \ + -o jsonpath='{$.items[0].metadata.annotations.deployment\.kubernetes\.io/revision}' 2>/dev/null > $(results.previous-deployment-revision.path) + else + touch $(results.previous-deployment-revision.path) + fi + + echo -n $(oc registry info) > $(results.registry-host.path) + workspaces: + - name: input +kind: List +metadata: + resourceVersion: "" + selfLink: "" diff --git a/ace/environments/ci/tasks/custom-buildah.yaml b/ace/environments/ci/tasks/custom-buildah.yaml new file mode 100644 index 0000000..20be559 --- /dev/null +++ b/ace/environments/ci/tasks/custom-buildah.yaml 
@@ -0,0 +1,101 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + annotations: + tekton.dev/pipelines.minVersion: '0.19' + tekton.dev/tags: image-build + name: buildah + labels: + app.kubernetes.io/version: '0.1' + operator.tekton.dev/provider-type: redhat +spec: + description: >- + Buildah task builds source into a container image and then pushes it to a + container registry. + + Buildah Task builds source into a container image using Project Atomic's + Buildah build tool.It uses Buildah's support for building from Dockerfiles, + using its buildah bud command.This command executes the directives in the + Dockerfile to assemble a container image, then pushes that image to a + container registry. + params: + - description: Reference of the image buildah will produce. + name: IMAGE + type: string + - default: quay.io/buildah/stable:v1.21.4 + description: The location of the buildah builder image. + name: BUILDER_IMAGE + type: string + - default: vfs + description: Set buildah storage driver + name: STORAGE_DRIVER + type: string + - default: ./Dockerfile + description: Path to the Dockerfile to build. + name: DOCKERFILE + type: string + - default: . + description: Path to the directory to use as context. + name: CONTEXT + type: string + - default: 'true' + description: >- + Verify the TLS on the registry endpoint (for push/pull to a non-TLS + registry) + name: TLSVERIFY + type: string + - default: oci + description: 'The format of the built container, oci or docker' + name: FORMAT + type: string + - default: '' + description: Extra parameters passed for the build command when building images. + name: BUILD_EXTRA_ARGS + type: string + - default: '' + description: Extra parameters passed for the push command when pushing images. + name: PUSH_EXTRA_ARGS + type: string + results: + - description: Digest of the image just built. 
+ name: IMAGE_DIGEST + steps: + - image: $(params.BUILDER_IMAGE) + name: build + resources: {} + script: | + buildah --storage-driver=$(params.STORAGE_DRIVER) bud \ + $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \ + --tls-verify=$(params.TLSVERIFY) --no-cache \ + -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT) + securityContext: + privileged: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - image: $(params.BUILDER_IMAGE) + name: push + resources: {} + script: | + buildah --storage-driver=$(params.STORAGE_DRIVER) push \ + $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \ + --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \ + docker://$(params.IMAGE) + securityContext: + privileged: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - image: $(params.BUILDER_IMAGE) + name: digest-to-results + resources: {} + script: >- + cat $(workspaces.source.path)/image-digest | tee + /tekton/results/IMAGE_DIGEST + volumes: + - emptyDir: {} + name: varlibcontainers + workspaces: + - name: source diff --git a/ace/environments/ci/tasks/functional-test-task.yaml b/ace/environments/ci/tasks/functional-test-task.yaml new file mode 100644 index 0000000..be2b630 --- /dev/null +++ b/ace/environments/ci/tasks/functional-test-task.yaml 
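Review bot: The `digest-to-results` step writes to the hard-coded path `/tekton/results/IMAGE_DIGEST` instead of `$(results.IMAGE_DIGEST.path)`, so it depends on Tekton's internal layout, and `cat … | tee` also copies the digest file's trailing newline into the result; `tr -d '\n' < $(workspaces.source.path)/image-digest > $(results.IMAGE_DIGEST.path)` is the portable form. Both `build` and `push` run with `privileged: true` while `BUILD_EXTRA_ARGS` and `PUSH_EXTRA_ARGS` are spliced unquoted into the shell script, so anyone who can set PipelineRun params can run arbitrary commands in a privileged container on the node; if this task is reachable from a webhook-triggered pipeline those values should be fixed in the Pipeline rather than exposed, and a comment on the two params stating that they are trusted input would make the assumption visible. `TLSVERIFY` defaults to `'true'`, which is the right default, but the description only mentions non-TLS registries; it should say that `false` also disables certificate checking on TLS registries.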
@@ -0,0 +1,181 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + annotations: + name: functional-test +spec: + params: + - name: release-name + type: string + - name: is-source-directory + type: string + - name: key-certs-secret-name + type: string + - name: client-key + type: string + - name: client-cert + type: string + - name: ca-cert + type: string + - name: endpoint-path + type: string + - name: source-env + steps: + - name: wait-till-deployment + image: quay.io/openshift/origin-cli:latest + env: + - name: RELEASE_NAME + value: $(params.release-name) + script: | + set -e + + SLEEP_TIME_SEC=10 + RETRIES=20 + + wait_until() { + condition=$1 + message=$2 + + retries=$RETRIES + until $condition || [[ "$retries" -eq 0 ]]; do + retries=$((retries - 1)) + + sleep $SLEEP_TIME_SEC + done + + if [[ "$retries" -eq 0 ]]; then + echo $message + exit 1 + fi + } + + resolve_deployment() { + deployment=$(oc -n $(params.source-env) get deploy -l app.kubernetes.io/instance=$RELEASE_NAME -o jsonpath='{$.items[0].metadata.name}' 2>/dev/null) + } + + replicas_are_updated() { + local replicas=$(oc -n $(params.source-env) get deploy -l app.kubernetes.io/instance=$RELEASE_NAME -o jsonpath='{$.items[0].status.replicas}') + test $replicas -eq 1 + } + + desired_replicas_same_as_actual_replicas() { + local desired_replicas=$1 + + test $desired_replicas -eq $(oc -n $(params.source-env) get pods --no-headers -l app.kubernetes.io/instance=$RELEASE_NAME | wc -l) + } + + oc -n $(params.source-env) get deploy + + wait_until resolve_deployment "Could not find deployment" + oc -n $(params.source-env) rollout status deployment $deployment + + desired_replicas=$(oc -n $(params.source-env) get deploy -l app.kubernetes.io/instance=$RELEASE_NAME -o jsonpath='{$.items[0].spec.replicas}') + wait_until "desired_replicas_same_as_actual_replicas $desired_replicas" "Numner of pods does not match desired replicas" + - name: resolve-route + env: + - name: BASIC_AUTH_USERNAME + valueFrom: + 
secretKeyRef: + key: username + name: basic-auth-rest + - name: BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: basic-auth-rest + image: quay.io/openshift/origin-cli:latest + script: | + #!/bin/bash + + set -e + + SLEEP_TIME_SEC=10 + RETRIES=20 + + wait_until() { + condition=$1 + message=$2 + + retries=$RETRIES + until $condition || [[ "$retries" -eq 0 ]]; do + retries=$((retries - 1)) + + sleep $SLEEP_TIME_SEC + done + + if [[ "$retries" -eq 0 ]]; then + echo $message + exit 1 + fi + } + + url_is_ready() { + url=$1 + curl -s -k \ + -u $BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD \ + --request OPTIONS \ + --cert /client-certs/$(params.client-cert) \ + --key /client-certs/$(params.client-key) \ + https://$url + } + + route=$(oc -n $(params.source-env) get routes -l app.kubernetes.io/instance=$(params.release-name) -o jsonpath='{.items[?(@.spec.port.targetPort=="https")].spec.host}') + echo -n $route > /shared/route.txt + + wait_until "url_is_ready $route/$(params.endpoint-path)" "Route is not set up" + volumeMounts: + - mountPath: /shared + name: shared-volume + - mountPath: /client-certs + name: certs + readOnly: true + - name: run-test + env: + - name: BASIC_AUTH_USERNAME + valueFrom: + secretKeyRef: + key: username + name: basic-auth-rest + - name: BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: basic-auth-rest + image: quay.io/hollisc/newman + imagePullPolicy: Always + script: | + #!/bin/bash + + set -ex + + route=$(cat /shared/route.txt) + + #route=create-customer-details-rest-https-dev.ace-prod-ref-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-east.containers.appdomain.cloud + + echo $route + + test_file=$(workspaces.workspace.path)/$(params.is-source-directory)/test/newman/test.json + if [[ -e $test_file ]]; then + newman run -k \ + --ssl-client-key /client-certs/$(params.client-key) \ + --ssl-client-cert /client-certs/$(params.client-cert) \ + --env-var username=$BASIC_AUTH_USERNAME \ + --env-var 
password=$BASIC_AUTH_PASSWORD \ + --env-var host=$route \ + $test_file + + fi + volumeMounts: + - mountPath: /shared + name: shared-volume + - mountPath: /client-certs + name: certs + readOnly: true + volumes: + - emptyDir: {} + name: shared-volume + - name: certs + secret: + secretName: $(params.key-certs-secret-name) + workspaces: + - name: workspace diff --git a/ace/environments/ci/tasks/gitops-ace.yaml b/ace/environments/ci/tasks/gitops-ace.yaml new file mode 100644 index 0000000..9256420 --- /dev/null +++ b/ace/environments/ci/tasks/gitops-ace.yaml 
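Review bot: The `run-test` step runs under `set -ex`, so the traced `newman run … --env-var password=$BASIC_AUTH_PASSWORD` line writes the basic-auth password from secret `basic-auth-rest` into the TaskRun log; use `set -e` and, if tracing is wanted, wrap the newman call in `set +x` / `set -x` so the secret never reaches the log. Both the `resolve-route` curl (`-s -k`) and `newman run -k` disable server-certificate verification while presenting a client cert, even though the task declares a `ca-cert` param that is never used; `--cacert /client-certs/$(params.ca-cert)` for curl and `--ssl-extra-ca-certs /client-certs/$(params.ca-cert)` for newman would let the route's certificate be verified instead. Minor: the message `"Numner of pods does not match desired replicas"` has a typo, and the `items[0]` jsonpath in `wait-till-deployment` silently picks an arbitrary deployment if the instance label matches more than one.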
@@ -0,0 +1,183 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git-ops-ace +spec: + params: + - name: url + description: git url to clone + type: string + - name: revision + description: git revision to checkout (branch, tag, sha, ref…) + type: string + default: "" + - name: sslVerify + description: defines if http.sslVerify should be set to true or false in the global git config + type: string + default: "true" + - name: submodules + description: defines if the resource should initialize and fetch the submodules + type: string + default: "true" + - name: depth + description: performs a shallow clone where only the most recent commit(s) will be fetched + type: string + default: "1" + - name: gitInitImage + description: the image used where the git-init binary is + type: string + default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.18.0" + - name: sshPrivateKey + description: the private key to use + type: string + default: "" + - name: filelist + description: list of files to copy to gitOps repo + type: string + - name: parent-directory-relative-to-workspace + description: parent directory of the files to copy, relative to shared workspace + type: string + - name: destination-directory + description: parent directory where the files are to be copied, relative to the workspace + - name: kustomization-path + description: path to kustomization.yaml, relative to the git workspace + steps: + - name: git-clone + image: $(params.gitInitImage) + volumeMounts: + - name: local-workspace + mountPath: /local-workspace + script: | + #!/bin/sh + set -eu -o pipefail + + if [[ "$(params.sshPrivateKey)" != "" ]] ; then + eval `ssh-agent` + ssh-add ~/.ssh/$(params.sshPrivateKey) + fi + + CHECKOUT_DIR="/local-workspace/git-workspace" + + mkdir -p ${CHECKOUT_DIR} + + /ko-app/git-init \ + -url "$(params.url)" \ + -revision "$(params.revision)" \ + -path "$CHECKOUT_DIR" \ + -sslVerify="$(params.sslVerify)" \ + -submodules="$(params.submodules)" 
\ + -depth "$(params.depth)" + + cd "$CHECKOUT_DIR" + git rev-parse HEAD + EXIT_CODE="$?" + if [ "$EXIT_CODE" != 0 ] ; then + exit $EXIT_CODE + fi + - name: copy-files + volumeMounts: + - name: local-workspace + mountPath: /local-workspace + image: ubuntu + script: | + DESTINATION_DIRECTORY=/local-workspace/git-workspace/$(params.destination-directory) + SOURCE_DIRECTORY=$(workspaces.shared-workspace.path)/$(params.parent-directory-relative-to-workspace) + + ls -R ${DESTINATION_DIRECTORY} + + KUSTOMIZATION_PARENT_DIRECTORY=$(dirname /local-workspace/git-workspace/$(params.kustomization-path)) + ITEM_LIST_PATH=/local-workspace/kustomization_items.txt + + for file in $(params.filelist); do + cp -f ${SOURCE_DIRECTORY}/$file ${DESTINATION_DIRECTORY}/$file + realpath ${DESTINATION_DIRECTORY}/$file --relative-to ${KUSTOMIZATION_PARENT_DIRECTORY} >> ${ITEM_LIST_PATH} + done + + ls -R ${DESTINATION_DIRECTORY} + - name: update-kustomization + volumeMounts: + - name: local-workspace + mountPath: /local-workspace + image: quay.io/hollisc/yq-zip + args: + - /local-workspace/kustomization_items.txt + - /local-workspace/git-workspace/$(params.kustomization-path) + script: |- + #!/bin/bash + + function update_kustomization_from_file() { + item_list_file_path=$1 + kustomization_file_path=$2 + + items=$(cat $item_list_file_path) + + for item in ${items[*]}; do + update_kustomization $item $kustomization_file_path + done + } + + function update_kustomization() { + item=$1 + kustomization_file_path=$2 + + contains=$(config=$item yq e '.resources[] | select(. 
== env(config))' $kustomization_file_path) + + if [[ -z $contains ]]; then + config=$item yq e -i '.resources = (.resources // []) + env(config)' \ + $kustomization_file_path + + prettyfy $kustomization_file_path + fi + } + + function prettyfy() { + file=$1 + + yq e --prettyPrint $file >/tmp/temp.yaml + mv /tmp/temp.yaml $file + } + + if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then + item_list_file_path=$1 + kustomization_file_path=$2 + + update_kustomization_from_file $item_list_file_path $kustomization_file_path + fi + - name: git-push + image: $(params.gitInitImage) + volumeMounts: + - name: local-workspace + mountPath: /local-workspace + script: | + cat /local-workspace/git-workspace/$(params.kustomization-path) + + if [[ "$(params.sshPrivateKey)" != "" ]] ; then + eval `ssh-agent` + ssh-add ~/.ssh/$(params.sshPrivateKey) + fi + + CHECKOUT_DIR="/local-workspace/git-workspace" + + cd ${CHECKOUT_DIR} + + git checkout -b master + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + git config user.email "test@example.com" + git config user.name "test user" + + git add /local-workspace/git-workspace/$(params.destination-directory) + git add /local-workspace/git-workspace/$(params.kustomization-path) + + git commit -m "Commit some files" + + git push origin master + volumes: + - name: local-workspace + emptyDir: {} + workspaces: + - name: shared-workspace diff --git a/ace/environments/ci/tasks/ibm-gitops-for-ace-task.yaml b/ace/environments/ci/tasks/ibm-gitops-for-ace-task.yaml new file mode 100644 index 0000000..1597112 --- /dev/null +++ b/ace/environments/ci/tasks/ibm-gitops-for-ace-task.yaml 
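Review bot: The `git-push` step has no `set -e`, so if `git add` or `git commit` fails (for example because `$(params.destination-directory)` did not exist when `copy-files` ran) the script continues and only the exit status of the final `git push origin master` is reported; add `set -eu` at the top of that script, as `git-clone` already does. The step also hard-codes the branch (`git checkout -b master` … `git push origin master`) regardless of `$(params.revision)`, so a clone of any other revision is pushed onto `master`; deriving the branch from the param, or documenting that the task only supports master, would make this explicit. In `copy-files`, entries of `$(params.filelist)` are used unvalidated in `cp -f ${SOURCE_DIRECTORY}/$file ${DESTINATION_DIRECTORY}/$file`, so a name containing `../` writes outside the destination directory within the checkout; a guard such as `case "$file" in *..*) echo "refusing path $file"; exit 1;; esac` keeps copies inside the intended tree. In `git-clone`, the `EXIT_CODE` check after `git rev-parse HEAD` is unreachable under `set -e`.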
@@ -0,0 +1,214 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gitops-for-ace + annotations: + description: Promotes an ACE Integration Server Container Image by writing or opening a PR against gitops repo + app.openshift.io/description: Promotes an ACE Integration Server Container Image by writing or opening a PR against gitops repo + app.openshift.io/vcs-uri: https://cloud-native-toolkit-demos/multi-tenancy-gitops-apps + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: source-env + default: "" + - name: source-yaml + default: "integrationServer/IntegrationServerPatch.yaml" + - name: destination-env + default: "" + - name: destination-yaml + default: "integrationServer/IntegrationServerPatch.yaml" + - name: destination-image + default: "" + - name: git-pr + default: "false" + - name: source-dir + default: /source + - name: subdir + default: "ace/environments/overlays" + - name: parentdir + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: gitops + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: username + optional: true + - name: GIT_PASSWORD_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: gitops-repo-ace + key: parentdir + optional: true + - name: GIT_PARENT_DIR_SERVICES + valueFrom: + 
configMapKeyRef: + name: gitops-repo-ace + key: parentdir-services + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo-ace + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo-ace + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo-ace + key: org + optional: true + - name: GIT_REPO + valueFrom: + configMapKeyRef: + name: gitops-repo-ace + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: gitops-repo-ace + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + SUBDIR="$(params.subdir)" + if [[ -n "$(params.parentdir)" ]]; then + PARENT_DIR="$(params.parentdir)" + elif [[ -n "${GIT_PARENT_DIR_SERVICES}" ]] && [[ "${GIT_PARENT_DIR_SERVICES}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR_SERVICES | tail -n 1) + elif [[ -n "${GIT_PARENT_DIR_SERVICES}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR_SERVICES}" + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR | tail -n 1) + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR}" + else + PARENT_DIR="." + fi + SUBDIR="${PARENT_DIR}/${SUBDIR}" + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + DEST_YAML_FILE="${SUBDIR}/$(params.destination-env)/$(params.destination-yaml)" + if [[ -n "$(params.destination-image)" ]]; then + DEST_IMAGE_URL="$(params.destination-image)" + else + SOURCE_YAML_FILE="${SUBDIR}/$(params.source-env)/$(params.source-yaml)" + fi + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. 
Skipping trigger step" + exit 0 + fi + set +x + if [[ -n "${GIT_USERNAME_CD}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME_CD}" + GIT_AUTH_PWD="${GIT_PASSWORD_CD}" + elif [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} gitops_cd + set -x + cd gitops_cd + git config user.email "bot@cloudnativetoolkit.dev" + git config user.name "Cloud Native Toolkit Pipeline" + + + if [[ -n "${DEST_IMAGE_URL}" ]]; then + echo "Destination file image will be set to ${DEST_IMAGE_URL}" + elif [[ -f "${DEST_YAML_FILE}" ]]; then + echo "Destination file ${DEST_YAML_FILE} found, file will be updated with contents from ${SOURCE_YAML_FILE}" + cat "${DEST_YAML_FILE}" + DEST_IMAGE_URL="$(yq r ${SOURCE_YAML_FILE} spec.pod.containers.runtime.image)" + else + echo "Destination file ${DEST_YAML_FILE} not found" + exit 1 + fi + yq w -i ${DEST_YAML_FILE} spec.pod.containers.runtime.image ${DEST_IMAGE_URL} + echo "Destination file updated with contents with image ${DEST_IMAGE_URL}" + cat "${DEST_YAML_FILE}" + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + git diff + git add "${SUBDIR}/" + git commit -m "Cloudnative toolkit commit" --signoff + + if [[ "$(params.git-pr)" == "true" ]]; then + git_version="$(git rev-parse --short HEAD)" + git checkout -b cntk-ci-pipeline-${git_version} + git push origin cntk-ci-pipeline-${git_version} + + GIT_PUSH_URL="${GIT_PROTOCOL}://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/pulls" + curl -u ${GIT_USERNAME}:${GIT_PASSWORD} -d 
'{"title":"PR to promote to $(params.destination-env) environment","base":"'${GIT_BRANCH}'", "head":"'${GIT_ORG}':cntk-ci-pipeline-'${git_version}'"}' ${GIT_PUSH_URL} + else + echo "Pushing directly to repository" + git push -v + fi diff --git a/ace/environments/ci/tasks/ibm-jmeter-performance-test.yaml b/ace/environments/ci/tasks/ibm-jmeter-performance-test.yaml new file mode 100644 index 0000000..01d8f03 --- /dev/null +++ b/ace/environments/ci/tasks/ibm-jmeter-performance-test.yaml 
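Review bot: In the `git-pr` branch, `curl -u ${GIT_USERNAME}:${GIT_PASSWORD} …` runs while `set -x` is active (it was re-enabled right after the clone), so the GitOps password is echoed into the TaskRun log; wrap that call in `set +x` / `set -x` exactly as the script already does around `git clone`. The same call uses `GIT_USERNAME`/`GIT_PASSWORD` rather than the `GIT_AUTH_USER`/`GIT_AUTH_PWD` pair selected earlier, so a run that cloned with `gitops-cd-secret` may open the PR with different (or empty) credentials, and `GIT_PUSH_URL` is built from `${GIT_PROTOCOL}` instead of the defaulted `${PROTOCOL}`, giving `://api.github.com/…` when the configmap key is unset. The clone URL embeds the password, so it also persists in `gitops_cd/.git/config` on the `source` emptyDir for the life of the pod; a `GIT_ASKPASS` helper or `.netrc` avoids writing it to disk. The `eval $GIT_PARENT_DIR_SERVICES` / `eval $GIT_PARENT_DIR` branches execute contents of configmap `gitops-repo-ace` as shell, which deserves a comment stating that write access to that configmap is equivalent to running code with the pipeline's git credentials.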
@@ -0,0 +1,83 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-jmeter-performance-test + annotations: + description: Executes a JMeter Test from a GIT repo (preview) + app.openshift.io/description: Executes a JMeter Test from a GIT repo (preview) + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: is-source-directory + type: string + - default: ibm-client.jks + name: key-certs-secret-name + type: string + - name: test-plan + default: jmeter_test_plan/createCustomer_ace_testplan.jmx + - name: jmeter-users + default: "5" + steps: + - name: jmeter-it + env: + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + key: keyStorePassword + name: ibm-client.jks + optional: true + image: quay.io/hollisc/jmeter-11 + script: | + #!/usr/bin/env bash + + set -xv + + # note: the export does not like the - sign + echo "export jmeter_users=$(echo $(params.jmeter-users))" > /tmp/jmeter.env + + source /tmp/jmeter.env + + ${JMETER_BIN}/jmeter.sh \ + -Jserver.rmi.ssl.disable=true \ + -Djavax.net.ssl.keyStoreType=jks \ + -Djavax.net.ssl.keyStore=/client-certs/ibm-client.jks \ + -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWORD} \ + -n -t $(workspaces.workspace.path)/$(params.is-source-directory)/$(params.test-plan) \ + -Jjmeter_users=$jmeter_users \ + -l /tmp/report.jtl + + cat /tmp/report.jtl + + echo "checking for the existance of errors .." + + LINES=$(grep false /tmp/report.jtl | wc -l) + TOTAL_LINES=$(cat /tmp/report.jtl | wc -l) + + if [ $LINES -eq 0 ] ; then + echo "no errors in jmeter test -> ready to promote the code" + exit 0 + else + echo "oops, errors were found." 
+ exit 1 + fi + + volumeMounts: + - mountPath: /shared + name: shared-volume + - mountPath: /client-certs + name: certs + readOnly: true + volumes: + - emptyDir: {} + name: shared-volume + - name: certs + secret: + items: + - key: keyStore + path: ibm-client.jks + secretName: $(params.key-certs-secret-name) + workspaces: + - name: workspace diff --git a/ace/environments/ci/triggerbindings/.keep b/ace/environments/ci/triggerbindings/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ace/environments/ci/triggerbindings/ace-bar-trigger-binding.yaml b/ace/environments/ci/triggerbindings/ace-bar-trigger-binding.yaml new file mode 100644 index 0000000..f505eb3 --- /dev/null +++ b/ace/environments/ci/triggerbindings/ace-bar-trigger-binding.yaml @@ -0,0 +1,10 @@ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerBinding +metadata: + name: ace-bar +spec: + params: + - name: source-git-url + value: $(body.repository.url) + - name: source-repo-name + value: $(body.repository.name) \ No newline at end of file diff --git a/ace/environments/ci/triggertemplates/.keep b/ace/environments/ci/triggertemplates/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ace/environments/ci/triggertemplates/ace-bar-trigger-template.yaml b/ace/environments/ci/triggertemplates/ace-bar-trigger-template.yaml new file mode 100644 index 0000000..505c9d3 --- /dev/null +++ b/ace/environments/ci/triggertemplates/ace-bar-trigger-template.yaml @@ -0,0 +1,22 @@ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerTemplate +metadata: + name: ace-bar +spec: + params: + - name: source-git-url + - name: source-repo-name + resourcetemplates: + - apiVersion: tekton.dev/v1beta1 + kind: PipelineRun + metadata: + name: ace-bar-webhook-$(uid) + spec: + params: + pipelineRef: + name: ace-build-bar-promote-dev + serviceAccountName: pipeline + workspaces: + - name: shared-workspace + persistentVolumeClaim: + claimName: ace-bar-pvc 
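Review bot: `set -xv` traces every command, so the `-Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWORD}` argument from secret `ibm-client.jks` lands in the TaskRun log; drop `-xv`, or `set +x` before the jmeter invocation (as a JVM system property the password is also visible in the process list on the node, which JMeter's `-S` system-properties file would avoid). `jmeter_users` is written into `/tmp/jmeter.env` and then `source`d, so the param value is evaluated as shell; `jmeter_users="$(params.jmeter-users)"` gives the same result without the indirection. The env var reads `secretKeyRef.name: ibm-client.jks` literally while the volume uses `$(params.key-certs-secret-name)`, so overriding the param changes the mounted keystore but not where the password comes from. `TOTAL_LINES` is computed and never used.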
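Review bot: In `ace-bar-trigger-template.yaml` the PipelineRun's `params:` key is left bare, which parses as `null`, so the `source-git-url` and `source-repo-name` values the `ace-bar` TriggerBinding extracts are declared on the template but never passed to `ace-build-bar-promote-dev`; either populate it (`- name: source-git-url` / `value: $(tt.params.source-git-url)`, and likewise for `source-repo-name`) or remove the unused params. Since these values come from the webhook body (`$(body.repository.url)`), whatever the pipeline does with the URL should treat it as untrusted input, and an interceptor on the EventListener is the place to constrain it.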
diff --git a/ace/environments/overlays/dev/.keep b/ace/environments/overlays/dev/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/overlays/dev/dashboard/ace-dashboard.yaml b/ace/environments/overlays/dev/dashboard/ace-dashboard.yaml
new file mode 100644
index 0000000..5df64af
--- /dev/null
+++ b/ace/environments/overlays/dev/dashboard/ace-dashboard.yaml
@@ -0,0 +1,14 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: Dashboard
+metadata:
+ name: ace-dashboard
+spec:
+ license:
+ accept: true
+ license: L-KSBM-C37J2R
+ use: CloudPakForIntegrationNonProduction
+ useCommonServices: true
+ version: 12.0.1.0-r3
+ storage:
+ type: ephemeral
+ replicas: 1
diff --git a/ace/environments/overlays/dev/hooks/.keep b/ace/environments/overlays/dev/hooks/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/overlays/dev/hooks/post-sync.yaml b/ace/environments/overlays/dev/hooks/post-sync.yaml
new file mode 100644
index 0000000..ef64837
--- /dev/null
+++ b/ace/environments/overlays/dev/hooks/post-sync.yaml
@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: trigger-functional-test
+ namespace: ci
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+spec:
+ template:
+ spec:
+ serviceAccountName: pipeline
+ containers:
+ - name: functional-test
+ image: quay.io/rhcanada/tkn-cli
+ command:
+ - tkn
+ args:
+ - -n
+ - ci
+ - pipeline
+ - start
+ - ace-promote-dev-stage
+ - --param
+ - is-source-repo-url=https://github.com/cloud-native-toolkit-demos/ace-customer-details.git
+ - --param
+ - is-source-repo-private-key=""
+ - --param
+ - source-env=dev
+ - --param
+ - destination-env=staging
+ - --workspace
+ - name=shared-workspace,claimName=ace-test-pvc
+ - --serviceaccount
+ - pipeline
+ restartPolicy: Never
+ backoffLimit: 0
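Review bot: The Job `trigger-functional-test` has a fixed `metadata.name` and no `argocd.argoproj.io/hook-delete-policy` annotation, so Argo CD creates the hook once and later syncs of the overlay do not re-run the functional test; add `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation` next to the hook annotation (or switch to `generateName`) so each sync gets a fresh Job. The same applies to `ace/environments/overlays/staging/hooks/post-sync.yaml`. Also, `- is-source-repo-private-key=""` is a plain YAML scalar, so the pipeline receives the two-character string `""` rather than an empty value; if that is forwarded to a clone param tested with `!= ""`, the test passes and `ssh-add` is attempted with a bogus file name — write `- is-source-repo-private-key=` instead.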
diff --git a/ace/environments/overlays/dev/ibm-entitlement-key/ibm-entitled-key-secret.sh b/ace/environments/overlays/dev/ibm-entitlement-key/ibm-entitled-key-secret.sh
new file mode 100755
index 0000000..8909259
--- /dev/null
+++ b/ace/environments/overlays/dev/ibm-entitlement-key/ibm-entitled-key-secret.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_ENTITLEMENT_KEY=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret docker-registry ibm-entitlement-key \
+--docker-username=cp \
+--docker-server=cp.icr.io \
+--docker-password=${IBM_ENTITLEMENT_KEY} \
+--dry-run=true -o yaml > delete-ibm-entitled-key-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-entitled-key-secret.yaml > ibm-entitled-key-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-key-secret.yaml
\ No newline at end of file
diff --git a/ace/environments/overlays/dev/ibm-entitlement-key/ibm-entitled-key-secret.yaml b/ace/environments/overlays/dev/ibm-entitlement-key/ibm-entitled-key-secret.yaml
new file mode 100644
index 0000000..1a0c49e
--- /dev/null
+++ b/ace/environments/overlays/dev/ibm-entitlement-key/ibm-entitled-key-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitlement-key
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ type: kubernetes.io/dockerconfigjson
+
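Review bot: `--dry-run=true` on the `oc create secret` line is the boolean form deprecated since kubectl 1.18; `--dry-run=client` is the current spelling and avoids the warning. The plaintext manifest `delete-ibm-entitled-key-secret.yaml` is written to the working directory and only removed by the final `rm`, with nothing stopping on error, so a failing `kubeseal` still leaves an empty `ibm-entitled-key-secret.yaml` ready to be committed; `set -euo pipefail` plus `trap 'rm -f delete-ibm-entitled-key-secret.yaml' EXIT` keeps the cleanup while making failures visible. `IBM_ENTITLEMENT_KEY=` is left empty in a tracked file, inviting the key to be pasted in; reading it from the environment with `IBM_ENTITLEMENT_KEY="${IBM_ENTITLEMENT_KEY:?set the entitlement key}"` removes that temptation.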
diff --git a/ace/environments/overlays/dev/integrationServer/.keep b/ace/environments/overlays/dev/integrationServer/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/overlays/dev/integrationServer/IntegrationServerPatch.yaml b/ace/environments/overlays/dev/integrationServer/IntegrationServerPatch.yaml
new file mode 100644
index 0000000..55104e5
--- /dev/null
+++ b/ace/environments/overlays/dev/integrationServer/IntegrationServerPatch.yaml
@@ -0,0 +1,10 @@
+apiVersion: appconnect.ibm.com/v1beta1
+kind: IntegrationServer
+metadata:
+ name: create-customer-details-rest
+spec:
+ replicas: 1
+ pod:
+ containers:
+ runtime:
+ image: image-registry.openshift-image-registry.svc:5000/ci/create-customer-details-rest:d84754967ba21b0046e3bd955864990150b9daa3
diff --git a/ace/environments/overlays/dev/kustomization.yaml b/ace/environments/overlays/dev/kustomization.yaml
new file mode 100644
index 0000000..2ad5608
--- /dev/null
+++ b/ace/environments/overlays/dev/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../../base
+ - hooks/post-sync.yaml
+ - dashboard/ace-dashboard.yaml
+ - ibm-entitlement-key/ibm-entitled-key-secret.yaml
+patchesStrategicMerge:
+ - integrationServer/IntegrationServerPatch.yaml
diff --git a/ace/environments/overlays/prod/.keep b/ace/environments/overlays/prod/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/ace/environments/overlays/prod/integrationServer/IntegrationServerPatch.yaml b/ace/environments/overlays/prod/integrationServer/IntegrationServerPatch.yaml
new file mode 100644
index 0000000..49dec3e
--- /dev/null
+++ b/ace/environments/overlays/prod/integrationServer/IntegrationServerPatch.yaml
@@ -0,0 +1,14 @@ +apiVersion: appconnect.ibm.com/v1beta1 +kind: IntegrationServer +metadata: + name: create-customer-details-rest +spec: + license: + # License info https://www.ibm.com/docs/en/app-connect/containers_cd?topic=resources-licensing-reference-app-connect-operator + license: L-KSBM-C37J2R + use: CloudPakForIntegrationProduction + replicas: 2 + pod: + containers: + runtime: + image: image-registry.openshift-image-registry.svc:5000/ci/create-customer-details-rest:d84754967ba21b0046e3bd955864990150b9daa3 diff --git a/ace/environments/overlays/prod/kustomization.yaml b/ace/environments/overlays/prod/kustomization.yaml new file mode 100644 index 0000000..c0d9d22 --- /dev/null +++ b/ace/environments/overlays/prod/kustomization.yaml @@ -0,0 +1,4 @@ +resources: + - ../../base +patchesStrategicMerge: + - integrationServer/IntegrationServerPatch.yaml diff --git a/ace/environments/overlays/staging/.keep b/ace/environments/overlays/staging/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ace/environments/overlays/staging/hooks/.keep b/ace/environments/overlays/staging/hooks/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ace/environments/overlays/staging/hooks/post-sync.yaml b/ace/environments/overlays/staging/hooks/post-sync.yaml new file mode 100644 index 0000000..f7c7377 --- /dev/null +++ b/ace/environments/overlays/staging/hooks/post-sync.yaml 
@@ -0,0 +1,38 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: trigger-performance-test + namespace: ci + annotations: + argocd.argoproj.io/hook: PostSync +spec: + template: + spec: + serviceAccountName: pipeline + containers: + - name: performance-test + image: quay.io/rhcanada/tkn-cli + command: + - tkn + args: + - -n + - ci + - pipeline + - start + - ace-promote-stage-prod + - --param + - is-source-repo-url=https://github.com/cloud-native-toolkit-demos/ace-customer-details.git + - --param + - is-source-repo-private-key="" + - --param + - source-env=staging + - --param + - destination-env=prod + - --param + - jmeter-users=250 + - --workspace + - name=shared-workspace,claimName=ace-test-pvc + - --serviceaccount + - pipeline + restartPolicy: Never + backoffLimit: 0 diff --git a/ace/environments/overlays/staging/integrationServer/IntegrationServerPatch.yaml b/ace/environments/overlays/staging/integrationServer/IntegrationServerPatch.yaml new file mode 100644 index 0000000..2ec5ef1 --- /dev/null +++ b/ace/environments/overlays/staging/integrationServer/IntegrationServerPatch.yaml @@ -0,0 +1,10 @@ +apiVersion: appconnect.ibm.com/v1beta1 +kind: IntegrationServer +metadata: + name: create-customer-details-rest +spec: + replicas: 2 + pod: + containers: + runtime: + image: image-registry.openshift-image-registry.svc:5000/ci/create-customer-details-rest:d84754967ba21b0046e3bd955864990150b9daa3 diff --git a/ace/environments/overlays/staging/kustomization.yaml b/ace/environments/overlays/staging/kustomization.yaml new file mode 100644 index 0000000..65a6e93 --- /dev/null +++ b/ace/environments/overlays/staging/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - ../../base + - hooks/post-sync.yaml +patchesStrategicMerge: + - integrationServer/IntegrationServerPatch.yaml \ No newline at end of file diff --git a/apic/.keep b/apic/.keep new file mode 100644 index 0000000..e69de29 
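Review bot: `quay.io/rhcanada/tkn-cli` in the PostSync Job has no tag, so each sync pulls whatever `latest` resolves to and runs it under the `pipeline` service account to start the `ace-promote-stage-prod` pipeline; a pinned tag or digest is the usual fix for a hook that gates promotion. Also, `- is-source-repo-private-key=""` is a plain YAML scalar, so the two quote characters are part of the value and tkn receives the string `""` rather than an empty parameter; if empty is intended, `- is-source-repo-private-key=` is what you want, worth confirming against how the pipeline tests that parameter.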
diff --git a/apic/config/argocd/ci/apic-pipelines-prod-app.yaml b/apic/config/argocd/ci/apic-pipelines-prod-app.yaml new file mode 100644 index 0000000..0eba1d4 --- /dev/null +++ b/apic/config/argocd/ci/apic-pipelines-prod-app.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: apic-pipelines-prod + annotations: + argocd.argoproj.io/sync-wave: "300" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: ci + server: https://kubernetes.default.svc + project: applications + source: + path: apic/environments/ci + repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git + targetRevision: master + syncPolicy: {} diff --git a/apic/environments/ci/kustomization.yaml b/apic/environments/ci/kustomization.yaml new file mode 100644 index 0000000..4b2a9b7 --- /dev/null +++ b/apic/environments/ci/kustomization.yaml @@ -0,0 +1,13 @@ +resources: +# IBM API Connect Production Pipelines +- pipelines/apic-config-pipeline.yaml +- pipelines/apic-publish-pipeline.yaml + +# IBM API Connect Production Tasks +- tasks/apic-config-task.yaml +- tasks/apic-publish-task.yaml + +# IBM API Connect Pipeline Role and Rolebinding +# to be able to list services and routes in tools namespace +- roles/role.yaml +- roles/rolebinding.yaml \ No newline at end of file diff --git a/apic/environments/ci/pipelines/apic-config-pipeline.yaml b/apic/environments/ci/pipelines/apic-config-pipeline.yaml new file mode 100644 index 0000000..0cf68a9 --- /dev/null +++ b/apic/environments/ci/pipelines/apic-config-pipeline.yaml 
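Review bot: `syncPolicy: {}` leaves `apic-pipelines-prod` on manual sync, unlike every other Application manifest in this diff, which sets `automated` with `prune: true` and `selfHeal: true`. If manual sync is deliberate for the pipeline definitions, a comment such as `# manual sync: pipeline changes are applied deliberately` above the key keeps the next reader from "fixing" it; if it is an oversight, align it with the others.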
@@ -0,0 +1,39 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: apic-post-install-config +spec: + params: + - name: git-apic-pipeline-git-url + type: string + default: 'https://github.ibm.com/techaeta/apic-config.git' + description: GitHub url where the pipeline scripts are stored. These are the scripts the pipeline will execute + - name: git-apic-pipeline-git-branch + type: string + default: master + description: Github branch for the pipeline scripts + - name: apic-project + type: string + default: tools + description: OpenShift project where your IBM API Connect Cluster v10 has been deployed into + - name: debug + type: string + default: "True" + description: Debug flag + tasks: + - name: apic-post-install-config + params: + # GitHub url where the pipeline scripts are stored. These are the scripts the pipeline will execute. + - name: git-apic-pipeline-git-url + value: "$(params.git-apic-pipeline-git-url)" + # Github branch for the pipeline scripts. + - name: git-apic-pipeline-git-branch + value: "$(params.git-apic-pipeline-git-branch)" + # OpenShift project where your IBM API Connect Cluster v10 has been deployed into. + - name: apic-project + value: "$(params.apic-project)" + # Debug flag + - name: debug + value: "$(params.debug)" + taskRef: + name: apic-post-install-config \ No newline at end of file diff --git a/apic/environments/ci/pipelines/apic-publish-pipeline.yaml b/apic/environments/ci/pipelines/apic-publish-pipeline.yaml new file mode 100644 index 0000000..2b3da74 --- /dev/null +++ b/apic/environments/ci/pipelines/apic-publish-pipeline.yaml 
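Review bot: `git-apic-pipeline-git-branch` defaults to `master`, so the scripts this pipeline executes are fetched from a mutable branch of `github.ibm.com/techaeta/apic-config.git` and what runs in the cluster changes whenever that branch moves; `apic-publish-pipeline.yaml` has the same defaults for both of its repositories. A tag or commit SHA as the default, or a documented requirement to set the branch per run, gives a reproducible pipeline. `debug` also defaults to `"True"`, which the tasks turn into `export DEBUG=True`; `"False"` is the safer shipping default if the scripts log more under DEBUG, which cannot be seen from this diff.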
@@ -0,0 +1,67 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: apic-publish-products-apis-pipeline +spec: + params: + - name: git-apic-pipeline-git-url + type: string + default: 'https://github.ibm.com/techaeta/apic-publish-pipeline.git' + description: GitHub url where the pipeline scripts are stored. These are the python scripts the pipeline will execute + - name: git-apic-pipeline-git-branch + type: string + default: master + description: Github branch for the pipeline scripts + - name: git-apic-yaml-url + type: string + default: 'https://github.ibm.com/techaeta/apic-products-apis-yaml/' + description: GitHub url where the products and APIs definitions are stored + - name: git-apic-yaml-branch + type: string + default: master + description: GitHub branch for the products and APIs + - name: git-products-path + type: string + default: 'Demo/Products' + description: Path to where the products definitions are stored within your GitHub repository + - name: git-apis-path + type: string + default: 'Demo/APIs' + description: Path to where the APIs definitions are stored within your GitHub repository + - name: apic-project + type: string + default: prod + description: OpenShift project where your IBM API Connect Cluster v10 has been deployed into + - name: debug + type: string + default: "True" + description: Debug flag + tasks: + - name: apic-publish-products-apis + params: + # GitHub url where the pipeline scripts are stored. These are the scripts the pipeline will execute. + - name: git-apic-pipeline-git-url + value: "$(params.git-apic-pipeline-git-url)" + # Github branch for the pipeline scripts. + - name: git-apic-pipeline-git-branch + value: "$(params.git-apic-pipeline-git-branch)" + # GitHub url where the products and APIs definitions are stored. + - name: git-apic-yaml-url + value: "$(params.git-apic-yaml-url)" + # GitHub branch for the products and APIs. 
+ - name: git-apic-yaml-branch + value: "$(params.git-apic-yaml-branch)" + # Path to where the products definitions are stored within your GitHub repository. + - name: git-products-path + value: "$(params.git-products-path)" + # Path to where the APIs definitions are stored within your GitHub repository. + - name: git-apis-path + value: "$(params.git-apis-path)" + # OpenShift project where your IBM API Connect Cluster v10 has been deployed into. + - name: apic-project + value: "$(params.apic-project)" + # Debug flag + - name: debug + value: "$(params.debug)" + taskRef: + name: apic-publish-products-apis \ No newline at end of file diff --git a/apic/environments/ci/roles/role.yaml b/apic/environments/ci/roles/role.yaml new file mode 100644 index 0000000..74ef460 --- /dev/null +++ b/apic/environments/ci/roles/role.yaml @@ -0,0 +1,16 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: custom-apic-config-pipeline + namespace: tools +rules: + - verbs: + - get + - list + - watch + apiGroups: + - 'route.openshift.io' + - '' + resources: + - routes + - secrets \ No newline at end of file diff --git a/apic/environments/ci/roles/rolebinding.yaml b/apic/environments/ci/roles/rolebinding.yaml new file mode 100644 index 0000000..2d73f15 --- /dev/null +++ b/apic/environments/ci/roles/rolebinding.yaml @@ -0,0 +1,13 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: custom-apic-config-pipeline + namespace: tools +subjects: + - kind: ServiceAccount + name: pipeline + namespace: ci +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: custom-apic-config-pipeline \ No newline at end of file diff --git a/apic/environments/ci/tasks/apic-config-task.yaml b/apic/environments/ci/tasks/apic-config-task.yaml new file mode 100644 index 0000000..1e26e0c --- /dev/null +++ b/apic/environments/ci/tasks/apic-config-task.yaml 
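Review bot: `role.yaml` grants `get`, `list` and `watch` on `secrets` in `tools` to the `pipeline` service account from `ci` (via `rolebinding.yaml`), which is read access to every secret in that namespace; the comment in `apic/environments/ci/kustomization.yaml` says the role exists to list services and routes, so either the comment or the rules are out of date (no `services` rule is present). If the pipeline needs particular secrets, a separate rule with `verbs: [get]` and a `resourceNames:` list keeps `list` and `watch` off secrets entirely. The RoleBinding itself looks correct for a cross-namespace subject.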
@@ -0,0 +1,98 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: apic-post-install-config + annotations: + description: API Connect Cluster v10 post install configuration + app.openshift.io/description: API Connect Cluster v10 post install configuration + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.1 +spec: + description: >- + This task will configure your recent API Connect Cluster v10 instance installation. + params: + - name: git-apic-pipeline-git-url + type: string + description: GitHub url where the pipeline scripts are stored. These are the scripts the pipeline will execute. + - name: git-apic-pipeline-git-branch + type: string + default: master + description: Github branch for the pipeline scripts. + - name: source-dir + type: string + default: /source + description: Path where an empty directory will be mounted to which will serve as the source location for all the task steps. + - name: python-image + type: string + default: python:3.9.5 + description: Python Docker image needed for executing this task. + - name: oc-cli-image + type: string + default: quay.io/openshift/origin-cli:latest + description: OpenShift CLI Docker image needed for executing oc commands. + - name: apic-project + type: string + description: OpenShift project where your IBM API Connect Cluster v10 has been deployed into. 
+ - name: debug + type: string + default: "True" + description: Debug flag + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + envFrom: + - secretRef: + name: apic-pipeline-git + - secretRef: + name: apic-config-email-server + - secretRef: + name: apic-pipeline-provider-org + env: + - name: CONFIG_FILES_DIR + value: $(params.source-dir)/config + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + script: | + set +x + echo "********************" + echo "** Step git-clone **" + echo "********************" + echo + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PRIV_TOKEN}" ]]; then + git clone "$(echo $(params.git-apic-pipeline-git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PRIV_TOKEN}@$(echo $(params.git-apic-pipeline-git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + git clone $(params.git-apic-pipeline-git-url) $(params.source-dir) + fi + cd $(params.source-dir) + git checkout $(params.git-apic-pipeline-git-branch) + - name: initialize-config + image: $(params.oc-cli-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "****************************" + echo "** Step initialize-config **" + echo "****************************" + if [[ "$(params.debug)" == "True" ]]; then echo "DEBUG is enabled"; export DEBUG=True; fi + cd scripts + sh config.sh $(params.apic-project) + - name: config-apic + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "**********************" + echo "** Step config-apic **" + echo "**********************" + export PYTHONWARNINGS="ignore:Unverified HTTPS request" + python3 -mpip install requests > /dev/null + if [ "$(params.debug)" = "True" ]; then echo "DEBUG is enabled"; export DEBUG=True; fi + cd scripts + python3 config_apicv10.py \ No newline at end of file 
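Review bot: In the `git-clone` step the token is embedded in the clone URL (`://${GIT_USERNAME}:${GIT_PRIV_TOKEN}@…`), which git records in `.git/config` on the shared `source` volume that every later step reads, including the `config-apic` step that runs `pip install`; `git remote set-url origin "$(params.git-apic-pipeline-git-url)"` right after the clone, or a `GIT_ASKPASS` helper, keeps it out of the checkout. The same step is duplicated in `apic-publish-task.yaml`. `PYTHONWARNINGS="ignore:Unverified HTTPS request"` in `config-apic` suppresses a warning that requests only emits when called with `verify=False`, so it presumably hides that `config_apicv10.py` talks to the API Connect endpoint without TLS verification; a comment recording why that is acceptable here, or a CA bundle passed to the script, would be better than silencing it.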
diff --git a/apic/environments/ci/tasks/apic-publish-task.yaml b/apic/environments/ci/tasks/apic-publish-task.yaml new file mode 100644 index 0000000..231a409 --- /dev/null +++ b/apic/environments/ci/tasks/apic-publish-task.yaml 
@@ -0,0 +1,206 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: apic-publish-products-apis + annotations: + description: Publish APIC products and apis + app.openshift.io/description: Publish APIC products and apis + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.1 +spec: + description: >- + This task is a test of a Tekton task for the APIC pipelines. + params: + - name: git-apic-pipeline-git-url + type: string + description: GitHub url where the pipeline scripts are stored. These are the python scripts the pipeline will execute. + - name: git-apic-pipeline-git-branch + type: string + default: master + description: Github branch for the pipeline scripts. + - name: git-apic-yaml-url + type: string + description: GitHub url where the products and APIs definitions are stored. + - name: git-apic-yaml-branch + type: string + default: master + description: GitHub branch for the products and APIs. + - name: git-products-path + type: string + description: Path to where the products definitions are stored within your GitHub repository. + - name: git-apis-path + type: string + description: Path to where the APIs definitions are stored within your GitHub repository. + - name: source-dir + type: string + default: /source + description: Path where an empty directory will be mounted to which will serve as the source location for all the task steps. + - name: tools-image + type: string + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + description: Docker image with the tools needed for executing this task. + - name: python-image + type: string + default: python:3.9.5 + description: Python Docker image needed for executing this task. + - name: oc-cli-image + type: string + default: quay.io/openshift/origin-cli:latest + description: OpenShift CLI Docker image needed for executing oc commands. 
+ - name: apic-project + type: string + default: prod + description: OpenShift project where your IBM API Connect Cluster v10 has been deployed into. + - name: debug + type: string + default: "True" + description: Debug flag + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + envFrom: + - secretRef: + name: apic-pipeline-git + - secretRef: + name: apic-pipeline-provider-org + env: + - name: CONFIG_FILES_DIR + value: $(params.source-dir)/config + - name: GIT_PRODUCTS_APIS_URL + value: $(params.git-apic-yaml-url) + - name: GIT_PRODUCTS_APIS_BRANCH + value: $(params.git-apic-yaml-branch) + - name: GIT_PRODUCTS_PATH + value: $(params.git-products-path) + - name: GIT_APIS_PATH + value: $(params.git-apis-path) + steps: + - name: pipeline-config + image: quay.io/ibmgaragecloud/alpine-git + script: | + set +x + echo "**************************" + echo "** Step pipeline-config **" + echo "**************************" + echo + echo "API Connect Products And APIs pipeline" + echo "--------------------------------------" + echo + echo "API Connect Publish Products and APIs Pipeline GitHub repository: $(params.git-apic-pipeline-git-url)" + echo "API Connect Publish Products and APIs Pipeline GitHub repository branch: $(params.git-apic-pipeline-git-branch)" + echo "API Connect Products and APIs GitHub repository: $GIT_PRODUCTS_APIS_URL" + echo "API Connect Products and APIs GitHub repository branch: $GIT_PRODUCTS_APIS_BRANCH" + echo "API Connect Products and APIs GitHub repository Products path: $GIT_PRODUCTS_PATH" + echo "API Connect Products and APIs GitHub repository APIs path: $GIT_APIS_PATH" + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + script: | + set +x + echo "********************" + echo "** Step git-clone **" + echo "********************" + echo + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PRIV_TOKEN}" ]]; then + git clone "$(echo $(params.git-apic-pipeline-git-url) | awk 
-F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PRIV_TOKEN}@$(echo $(params.git-apic-pipeline-git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + git clone $(params.git-apic-pipeline-git-url) $(params.source-dir) + fi + cd $(params.source-dir) + git checkout $(params.git-apic-pipeline-git-branch) + - name: initialize-config + image: $(params.oc-cli-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "****************************" + echo "** Step initialize-config **" + echo "****************************" + if [[ "$(params.debug)" == "True" ]]; then echo "DEBUG is enabled"; export DEBUG=True; fi + cd scripts + sh config.sh $(params.apic-project) + - name: initialize-build + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "***************************" + echo "** Step initialize-build **" + echo "***************************" + cd scripts + python3 initialize_apic_deploy.py + - name: download-products + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "****************************" + echo "** Step download-products **" + echo "****************************" + cd scripts + python3 download_product_files_from_git.py + - name: download-apis + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "************************" + echo "** Step download-apis **" + echo "************************" + # Pre-req for parsing YAML files + python3 -mpip install PyYAML > /dev/null + cd scripts + python3 download_api_files_from_git.py + - name: replace-placeholders + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "*******************************" + echo "** Step replace-placeholders **" + echo "*******************************" + # Pre-req for parsing YAML files + python3 -mpip install PyYAML > /dev/null + cd scripts + python3 replace_api_yaml_env_param.py + - name: publish-products + 
image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "***************************" + echo "** Step publish-products **" + echo "***************************" + # Pre-req for parsing YAML files and create HTTP requests + export PYTHONWARNINGS="ignore:Unverified HTTPS request" + python3 -mpip install PyYAML requests > /dev/null + cd scripts + python3 apic_platform_publish_to_catalog.py + - name: test-apis + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "********************" + echo "** Step test-apis **" + echo "********************" + # Pre-req for parsing YAML files and create HTTP requests + export PYTHONWARNINGS="ignore:Unverified HTTPS request" + python3 -mpip install PyYAML requests > /dev/null + cd scripts + python3 test_apic_apis.py + - name: print-audit + image: $(params.python-image) + workingDir: $(params.source-dir) + script: | + set +x + echo "**********************" + echo "** Step print-audit **" + echo "**********************" + cd scripts + python3 print_audit.py \ No newline at end of file diff --git a/cntk/config/cicd/base/01-namespaces/README.md b/cntk/config/cicd/base/01-namespaces/README.md new file mode 100644 index 0000000..b277fc7 --- /dev/null +++ b/cntk/config/cicd/base/01-namespaces/README.md @@ -0,0 +1,2 @@ +The `namespace` resource is a global resource on the kubernetes/cluster and this should be configure and created by the `infra` layer please take a look at the following git repository https://github.com/cloud-native-toolkit/multi-tenancy-gitops-infra to define a new `namespace` and look at this repository https://github.com/cloud-native-toolkit/multi-tenancy-gitops/tree/kustomize to use ArgoCD to deploy the `namespace` + diff --git a/cntk/config/cicd/base/02-rolebindings/README.md b/cntk/config/cicd/base/02-rolebindings/README.md new file mode 100644 index 0000000..3f38558 --- /dev/null +++ b/cntk/config/cicd/base/02-rolebindings/README.md 
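Review bot: Four steps (`download-apis`, `replace-placeholders`, `publish-products`, `test-apis`) run `python3 -mpip install PyYAML` or `PyYAML requests` unpinned from PyPI at task run time, while the step environment carries `apic-pipeline-git` and `apic-pipeline-provider-org` via `envFrom`; each run resolves whatever version is current and any change in that resolution lands in a pod holding those credentials. Baking the two packages into the image, or `pip install 'PyYAML==<version>' 'requests==<version>' --require-hashes` with a hashes file (placeholders), removes the runtime dependency on the index. The `oc-cli-image` default `quay.io/openshift/origin-cli:latest` is mutable for the same reason.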
@@ -0,0 +1,4 @@ +This directory holds namespace scope `Roles` and `RolesBindings` resources for any service account on the `cicd` namespace + +The main service account on the `ci` or `cicd` namespace is `pipeline` this service account is created by default on every namespace when the OpenShift Pipelines (Tekton) Operator is deploy on the cluster. + diff --git a/cntk/config/cicd/base/03-secrets/README.md b/cntk/config/cicd/base/03-secrets/README.md new file mode 100644 index 0000000..67aca75 --- /dev/null +++ b/cntk/config/cicd/base/03-secrets/README.md @@ -0,0 +1,2 @@ +This directory holds secrets in an encrypted way, please never store plain text or base64 encoded credentials on git. +We use open source project Sealed secrets https://github.com/bitnami-labs/sealed-secrets from bitnami, this secrets are stored in git in base64 but the data is encrypted at rest on git diff --git a/cntk/config/cicd/base/06-bindings/.keep b/cntk/config/cicd/base/06-bindings/.keep new file mode 100644 index 0000000..e69de29 diff --git a/cntk/config/cicd/base/07-templates/.keep b/cntk/config/cicd/base/07-templates/.keep new file mode 100644 index 0000000..e69de29 diff --git a/cntk/config/cicd/base/08-eventlisteners/.keep b/cntk/config/cicd/base/08-eventlisteners/.keep new file mode 100644 index 0000000..e69de29 diff --git a/cntk/config/cicd/base/09-routes/.keep b/cntk/config/cicd/base/09-routes/.keep new file mode 100644 index 0000000..e69de29 diff --git a/cntk/config/cicd/base/10-commit-status-tracker/.keep b/cntk/config/cicd/base/10-commit-status-tracker/.keep new file mode 100644 index 0000000..e69de29 diff --git a/cntk/config/cicd/overlays/kustomization.yaml b/cntk/config/cicd/overlays/kustomization.yaml new file mode 100644 index 0000000..766ea63 --- /dev/null +++ b/cntk/config/cicd/overlays/kustomization.yaml @@ -0,0 +1,2 @@ +bases: +- ../base \ No newline at end of file 
diff --git a/cp4a/config/cloudpak/cp4acluster.yaml b/cp4a/config/cloudpak/cp4acluster.yaml new file mode 100644 index 0000000..05219b0 --- /dev/null +++ b/cp4a/config/cloudpak/cp4acluster.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cloudpak-cp4a-cluster + annotations: + argocd.argoproj.io/sync-wave: "250" + labels: + gitops.tier.group: cntk + gitops.tier.layer: applications + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: cloudpak + server: https://kubernetes.default.svc + project: applications + syncPolicy: + automated: + prune: true + selfHeal: true + source: + path: cp4a/environments/cloudpak/cp4acluster/20.2 + repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git + targetRevision: master + diff --git a/cp4a/config/cloudpak/resources.yaml b/cp4a/config/cloudpak/resources.yaml new file mode 100644 index 0000000..ecc50c9 --- /dev/null +++ b/cp4a/config/cloudpak/resources.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cloudpak-cp4a-resources + annotations: + argocd.argoproj.io/sync-wave: "250" + labels: + gitops.tier.group: cntk + gitops.tier.layer: applications + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: cloudpak + server: https://kubernetes.default.svc + project: applications + syncPolicy: + automated: + prune: true + selfHeal: true + source: + path: cp4a/environments/cloudpak + repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git + targetRevision: master + diff --git a/cp4a/environments/cloudpak/cp4acluster/20.2/.helmignore b/cp4a/environments/cloudpak/cp4acluster/20.2/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/cp4a/environments/cloudpak/cp4acluster/20.2/.helmignore 
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/cp4a/environments/cloudpak/cp4acluster/20.2/Chart.yaml b/cp4a/environments/cloudpak/cp4acluster/20.2/Chart.yaml new file mode 100644 index 0000000..0438763 --- /dev/null +++ b/cp4a/environments/cloudpak/cp4acluster/20.2/Chart.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: v2 +name: cp4acluster +description: Resources for for Cloud Pak for Business Automation + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 1.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: "1.0.0" diff --git a/cp4a/environments/cloudpak/cp4acluster/20.2/templates/icp4a-cluster.yaml b/cp4a/environments/cloudpak/cp4acluster/20.2/templates/icp4a-cluster.yaml new file mode 100644 index 0000000..4b1fdfa 
--- /dev/null +++ b/cp4a/environments/cloudpak/cp4acluster/20.2/templates/icp4a-cluster.yaml 
@@ -0,0 +1,311 @@ +--- +apiVersion: icp4a.ibm.com/v1 +kind: ICP4ACluster +metadata: + name: icp4adeploy + labels: + app.kubernetes.io/instance: ibm-dba + app.kubernetes.io/managed-by: ibm-dba + app.kubernetes.io/name: ibm-dba +spec: + olm_ent_workflow: false + olm_ent_option_bai: false + olm_demo_application: false + olm_deployment_type: demo + olm_ent_decisions_ads: false + olm_ent_option_adp: + cmis: false + css: false + document_processing_runtime: false + es: false + olm_ibm_license: true + initialize_configuration: + ic_ldap_creation: + ic_ldap_admins_groups_name: + - '' + ic_obj_store_creation: + object_stores: + - oc_cpe_obj_store_conn: + dc_os_datasource_name: FNOS1DS + dc_os_xa_datasource_name: FNOS1DSXA + oc_cpe_obj_store_display_name: OS1 + oc_cpe_obj_store_symb_name: OS1 + - oc_cpe_obj_store_admin_user_groups: + - '' + - '' + oc_cpe_obj_store_conn: + dc_os_datasource_name: DEVOS1DS + dc_os_xa_datasource_name: DEVOS1DSXA + oc_cpe_obj_store_display_name: DEVOS1 + oc_cpe_obj_store_symb_name: DEVOS1 + - oc_cpe_obj_store_conn: + dc_os_datasource_name: BAWDOCS + dc_os_xa_datasource_name: BAWDOCSXA + oc_cpe_obj_store_display_name: BAWDOCS + oc_cpe_obj_store_symb_name: BAWDOCS + - oc_cpe_obj_store_conn: + dc_os_datasource_name: BAWDOS + dc_os_xa_datasource_name: BAWDOSXA + oc_cpe_obj_store_display_name: BAWDOS + oc_cpe_obj_store_symb_name: BAWDOS + - oc_cpe_obj_store_conn: + dc_os_datasource_name: BAWTOS + dc_os_xa_datasource_name: BAWTOSXA + oc_cpe_obj_store_display_name: BAWTOS + oc_cpe_obj_store_enable_workflow: true + oc_cpe_obj_store_symb_name: BAWTOS + oc_cpe_obj_store_workflow_admin_group: '' + oc_cpe_obj_store_workflow_config_group: '' + oc_cpe_obj_store_workflow_data_tbl_space: '' + oc_cpe_obj_store_workflow_pe_conn_point_name: '' + - oc_cpe_obj_store_conn: + dc_os_datasource_name: AWSINS1DOCS + dc_os_xa_datasource_name: AWSINS1DOCSXA + oc_cpe_obj_store_display_name: AWSINS1DOCS + oc_cpe_obj_store_symb_name: AWSINS1DOCS + - oc_cpe_obj_store_conn: + 
dc_os_datasource_name: AEOS + dc_os_xa_datasource_name: AEOSXA + oc_cpe_obj_store_display_name: AEOS + oc_cpe_obj_store_symb_name: AEOS + olm_ent_option_application: + app_designer: false + olm_ent_option_ads: + ads_designer: true + ads_runtime: true + olm_demo_decisions: true + olm_demo_document_processing: false + olm_demo_workflow: true + olm_demo_content: false + olm_demo_option_bai: true + olm_ent_application: false + olm_ent_option_decisions: + decisionCenter: false + decisionRunner: false + decisionServerRuntime: false + ums: false + olm_demo_option_adp: + cmis: false + css: false + olm_ent_option_content: + cmis: false + css: false + es: false + iccsap: false + ier: false + tm: false + ums: false + olm_ent_decisions: false + olm_ent_document_processing: false + olm_ent_content: false + appVersion: 21.0.2 + olm_demo_decisions_ads: false + datasource_configuration: + dc_ca_datasource: + tenant_databases: [] + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_max_retries_for_client_reroute: 3 + database_port: '' + dc_database_ssl_enabled: true + dc_hadr_standby_port: '' + database_ip: '' + database_name: '' + dc_hadr_standby_ip: '' + database_servername: '' + dc_hadr_validation_timeout: 15 + dc_hadr_standby_servername: '' + dc_database_type: db2 + dc_ums_datasource: + dc_ums_oauth_ssl: true + dc_ums_teamserver_host: '' + dc_ums_teamserver_name: '' + dc_ums_oauth_type: db2 + dc_ums_teamserver_alternate_hosts: '' + dc_ums_teamserver_ssl_secret_name: '' + dc_ums_oauth_schema: OAuthDBSchema + dc_ums_oauth_port: '' + dc_ums_teamserver_ssl: true + dc_ums_teamserver_alternate_ports: '' + dc_ums_teamserver_driverfiles: '' + dc_ums_oauth_host: '' + dc_ums_teamserver_type: db2 + dc_ums_oauth_name: '' + dc_ums_oauth_ssl_secret_name: '' + dc_ums_teamserver_port: '' + database_precheck: true + dc_odm_datasource: + database_servername: '' + dc_common_database_instance_secret: '' + dc_common_database_name: '' + dc_common_database_port: '' + dc_common_ssl_enabled: true 
+ dc_database_type: db2 + dc_ssl_secret_name: '' + dc_ssl_enabled: true + dc_icn_datasource: + database_ssl_secret_name: '' + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_max_retries_for_client_reroute: 3 + database_port: '' + dc_common_icn_datasource_name: ECMClientDS + dc_hadr_standby_port: '' + database_name: '' + database_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_icn_jdbc_url: '' + dc_hadr_standby_servername: '' + dc_database_type: db2 + olm_dc_os_adp_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: DEVOS1DS + dc_common_os_xa_datasource_name: DEVOS1DSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: devos1 + olm_dc_os_workflow_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: BAWDOCS + dc_common_os_xa_datasource_name: BAWDOCSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: '' + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: BAWDOS + dc_common_os_xa_datasource_name: BAWDOSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: '' + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: BAWTOS + 
dc_common_os_xa_datasource_name: BAWTOSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: '' + dc_gcd_datasource: + database_ssl_secret_name: '' + dc_oracle_gcd_jdbc_url: '' + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_max_retries_for_client_reroute: 3 + database_port: '' + dc_hadr_standby_port: '' + database_name: '' + database_servername: '' + dc_hadr_validation_timeout: 15 + dc_hadr_standby_servername: '' + dc_common_gcd_xa_datasource_name: FNGCDDSXA + dc_common_gcd_datasource_name: FNGCDDS + dc_database_type: db2 + olm_dc_os_ae_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: AEOS + dc_common_os_xa_datasource_name: AEOSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: aeos + olm_dc_os_content_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: FNOS1DS + dc_common_os_xa_datasource_name: FNOS1DSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: os + shared_configuration: + image_pull_secrets: + - ibm-entitlement-key + trusted_certificate_list: [] + sc_deployment_baw_license: non-production + sc_content_verification: false + storage_configuration: + sc_dynamic_storage_classname: {{.Values.storageclass.gold}} + sc_fast_file_storage_classname: 
{{.Values.storageclass.gold}} + sc_medium_file_storage_classname: {{.Values.storageclass.silver}} + sc_slow_file_storage_classname: {{.Values.storageclass.bronze}} + sc_deployment_hostname_suffix: {{.Values.spec.shared_configuration.sc_deployment_hostname_suffix}} + root_ca_secret: icp4a-root-ca + sc_content_initialization: false + sc_deployment_license: non-production + sc_ingress_enable: false + sc_image_repository: cp.icr.io + sc_ingress_tls_secret_name: '' + sc_deployment_platform: {{.Values.spec.shared_configuration.sc_deployment_platform}} + sc_deployment_fncm_license: non-production + olm_demo_option_content: + cmis: false + css: false + iccsap: false + ier: false + tm: false + ums: false + olm_ent_option_ae_data_persistence: false + ldap_configuration: + tds: + lc_group_filter: >- + (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))) + lc_user_filter: (&(cn=%v)(objectclass=person)) + ad: + lc_ad_gc_host: '' + lc_ad_gc_port: '' + lc_group_filter: (&(samAccountName=%v)(objectclass=group)) + lc_user_filter: (&(samAccountName=%v)(objectClass=user)) + lc_ldap_user_display_name_attr: sAMAccountName + lc_ldap_group_base_dn: '' + lc_ldap_base_dn: '' + lc_bind_secret: ldap-bind-secret + lc_ldap_user_name_attribute: 'user:sAMAccountName' + lc_ldap_group_member_id_map: 'memberOf:member' + lc_ldap_port: '636' + lc_ldap_server: '' + lc_ldap_group_membership_search_filter: (&(cn=%v)(objectcategory=group)) + lc_selected_ldap_type: '' + lc_ldap_ssl_secret_name: '' + lc_ldap_group_name_attribute: '*:cn' + lc_ldap_group_display_name_attr: cn + lc_ldap_ssl_enabled: true diff --git a/cp4a/environments/cloudpak/cp4acluster/20.2/values.yaml b/cp4a/environments/cloudpak/cp4acluster/20.2/values.yaml new file mode 100644 index 0000000..a2a8359 --- /dev/null +++ b/cp4a/environments/cloudpak/cp4acluster/20.2/values.yaml 
@@ -0,0 +1,11 @@
+---
+serviceaccount:
+ argocd_application_controller: argocd-cluster-argocd-application-controller
+spec:
+ shared_configuration:
+ sc_deployment_hostname_suffix: to-be-set
+ sc_deployment_platform: ROKS
+storageclass:
+ gold: managed-nfs-storage
+ silver: managed-nfs-storage
+ bronze: managed-nfs-storage
diff --git a/cp4a/environments/cloudpak/kustomization.yaml b/cp4a/environments/cloudpak/kustomization.yaml
new file mode 100644
index 0000000..c4d91f7
--- /dev/null
+++ b/cp4a/environments/cloudpak/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- secrets/ibm-entitled-key-secret.yaml
diff --git a/cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.sh b/cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.sh
new file mode 100755
index 0000000..8e0ed3f
--- /dev/null
+++ b/cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_ENTITLEMENT_KEY=
+NAMESPACE=cloudpak
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret docker-registry ibm-entitlement-key \
+--docker-username=cp \
+--docker-server=cp.icr.io \
+--docker-password=${IBM_ENTITLEMENT_KEY} \
+--namespace=${NAMESPACE} \
+--dry-run=true -o yaml > delete-ibm-entitled-key-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ${NAMESPACE} --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-entitled-key-secret.yaml > ibm-entitled-key-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-key-secret.yaml
\ No newline at end of file
diff --git a/cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.yaml b/cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.yaml
new file mode 100644
index 0000000..cc2c17b
--- /dev/null
+++ b/cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.yaml
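Review bot: In ibm-entitled-key-secret.sh the plaintext registry credential is written to disk as delete-ibm-entitled-key-secret.yaml and only removed by the final `rm`; with no `set -euo pipefail` and `IBM_ENTITLEMENT_KEY=` left empty, an unset key or a failing kubeseal still leaves that file behind (the script's own NOTE warns not to commit it) or seals an empty password. Piping `oc create secret … --dry-run=client -o yaml` straight into kubeseal removes the temporary file entirely, and `--dry-run=client` replaces the deprecated `--dry-run=true` spelling. A guard such as `: "${IBM_ENTITLEMENT_KEY:?IBM_ENTITLEMENT_KEY must be set}"` fails fast instead of producing a SealedSecret with an empty password; note that the key still appears on the `oc` command line, which is visible to other local users while the command runs.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: NAMESPACE / SEALEDSECRET_NAMESPACE variables …
: "${IBM_ENTITLEMENT_KEY:?IBM_ENTITLEMENT_KEY must be set}"

# Render the docker-registry Secret and seal it in one pass; no plaintext file touches disk
oc create secret docker-registry ibm-entitlement-key \
  --docker-username=cp \
  --docker-server=cp.icr.io \
  --docker-password="${IBM_ENTITLEMENT_KEY}" \
  --namespace="${NAMESPACE}" \
  --dry-run=client -o yaml \
  | kubeseal -n "${NAMESPACE}" --controller-name=sealedsecretcontroller-sealed-secrets \
      --controller-namespace="${SEALEDSECRET_NAMESPACE}" -o yaml > ibm-entitled-key-secret.yaml
```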
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ namespace: cloudpak
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ namespace: cloudpak
+ type: kubernetes.io/dockerconfigjson
+
diff --git a/mq/.keep b/mq/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/mq/config/argocd/ci/ci-app-rest.yaml b/mq/config/argocd/ci/ci-app-rest.yaml
new file mode 100644
index 0000000..5abec3f
--- /dev/null
+++ b/mq/config/argocd/ci/ci-app-rest.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-mq-rest-ci-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: ci
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/ci
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/ci/ci-scc.yaml b/mq/config/argocd/ci/ci-scc.yaml
new file mode 100644
index 0000000..9c3cda1
--- /dev/null
+++ b/mq/config/argocd/ci/ci-scc.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ci-scc
+ annotations:
+ argocd.argoproj.io/sync-wave: "250"
+ labels:
+ gitops.tier.group: cntk
+ gitops.tier.layer: applications
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: ci
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/ci/scc
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/dev/dev-app-rest.yaml b/mq/config/argocd/dev/dev-app-rest.yaml
new file mode 100644
index 0000000..a8e10e6
--- /dev/null
+++ b/mq/config/argocd/dev/dev-app-rest.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-mq-rest-dev-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: dev
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/dev
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/dev/dev-mq-infra-instance.yaml b/mq/config/argocd/dev/dev-mq-infra-instance.yaml
new file mode 100644
index 0000000..485be22
--- /dev/null
+++ b/mq/config/argocd/dev/dev-mq-infra-instance.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dev-mq-infra-instance
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: dev
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/dev/mq-infra
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ helm:
+ valueFiles:
+ - values.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - Replace=true
\ No newline at end of file
diff --git a/mq/config/argocd/dev/dev-mq-spring-app-instance.yaml b/mq/config/argocd/dev/dev-mq-spring-app-instance.yaml
new file mode 100644
index 0000000..77313cb
--- /dev/null
+++ b/mq/config/argocd/dev/dev-mq-spring-app-instance.yaml
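Review bot: dev-mq-infra-instance combines `automated` with `prune: true` / `selfHeal: true` and `syncOptions: - Replace=true`, and staging-mq-infra-instance (L126) does the same while the prod variant (L125) does not; Replace makes Argo CD replace the whole object instead of applying a merge, so every selfHeal correction rewrites the QueueManager resource in full. The option is presumably there to work around an apply-time problem with the MQ CR, but nothing in the file says so; a comment above it such as `# Replace=true: <reason the default apply fails for this chart>` (placeholder — fill in the actual reason) would let the next maintainer judge whether it is still needed, and the same comment belongs in the staging file.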
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dev-mq-spring-app-instance
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: dev
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/dev/mq-spring-app
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ helm:
+ valueFiles:
+ - values.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/prod/prod-app-rest.yaml b/mq/config/argocd/prod/prod-app-rest.yaml
new file mode 100644
index 0000000..f15f543
--- /dev/null
+++ b/mq/config/argocd/prod/prod-app-rest.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-mq-rest-prod-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: prod
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/prod
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/prod/prod-mq-infra-instance.yaml b/mq/config/argocd/prod/prod-mq-infra-instance.yaml
new file mode 100644
index 0000000..f23d803
--- /dev/null
+++ b/mq/config/argocd/prod/prod-mq-infra-instance.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prod-mq-infra-instance
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: prod
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/prod/mq-infra
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ helm:
+ valueFiles:
+ - values.yaml
+ syncPolicy: {}
diff --git a/mq/config/argocd/prod/prod-mq-spring-app-instance.yaml b/mq/config/argocd/prod/prod-mq-spring-app-instance.yaml
new file mode 100644
index 0000000..89bfbc5
--- /dev/null
+++ b/mq/config/argocd/prod/prod-mq-spring-app-instance.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prod-mq-spring-app-instance
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: prod
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/prod/mq-spring-app
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ helm:
+ valueFiles:
+ - values.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/staging/staging-app-rest.yaml b/mq/config/argocd/staging/staging-app-rest.yaml
new file mode 100644
index 0000000..9cae2f6
--- /dev/null
+++ b/mq/config/argocd/staging/staging-app-rest.yaml
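Review bot: The two prod Applications on this line disagree on sync policy: prod-mq-infra-instance has `syncPolicy: {}` (manual sync only) while prod-mq-spring-app-instance has `automated` with `prune: true` and `selfHeal: true`, so a commit to the gitops repo redeploys the prod application on its own but leaves the prod queue manager untouched until someone syncs. If manual promotion is the intended control for production, the spring app should use `syncPolicy: {}` as well; if not, the infra instance should match the others. Either way both track `targetRevision: master` of a public repository, so what runs in prod is whatever master currently holds — pinning the prod Applications to a protected branch or tag would make promotion an explicit step rather than a side effect of merging.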
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps-mq-rest-staging-1
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: staging
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/staging
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/staging/staging-mq-infra-instance.yaml b/mq/config/argocd/staging/staging-mq-infra-instance.yaml
new file mode 100644
index 0000000..f270ea9
--- /dev/null
+++ b/mq/config/argocd/staging/staging-mq-infra-instance.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: staging-mq-infra-instance
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: staging
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/staging/mq-infra
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ helm:
+ valueFiles:
+ - values.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - Replace=true
diff --git a/mq/config/argocd/staging/staging-mq-spring-app-instance.yaml b/mq/config/argocd/staging/staging-mq-spring-app-instance.yaml
new file mode 100644
index 0000000..a7060f3
--- /dev/null
+++ b/mq/config/argocd/staging/staging-mq-spring-app-instance.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: staging-mq-spring-app-instance
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: staging
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/staging/mq-spring-app
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ helm:
+ valueFiles:
+ - values.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/config/argocd/tools/tools-cert-manager-artifacts.yaml b/mq/config/argocd/tools/tools-cert-manager-artifacts.yaml
new file mode 100644
index 0000000..727af49
--- /dev/null
+++ b/mq/config/argocd/tools/tools-cert-manager-artifacts.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: tools-cert-manager-artifacts
+ annotations:
+ argocd.argoproj.io/sync-wave: "250"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: tools
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: mq/environments/tools/
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/mq/environments/ci/certificates/.keep b/mq/environments/ci/certificates/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/mq/environments/ci/certificates/ci-mq-client-certificate.sh b/mq/environments/ci/certificates/ci-mq-client-certificate.sh
new file mode 100755
index 0000000..bb7b44d
--- /dev/null
+++ b/mq/environments/ci/certificates/ci-mq-client-certificate.sh
@@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < ci-mq-client-certificate.yaml \ No newline at end of file diff --git a/mq/environments/ci/certificates/ci-mq-client-certificate.yaml_template b/mq/environments/ci/certificates/ci-mq-client-certificate.yaml_template new file mode 100644 index 0000000..4e31e43 --- /dev/null +++ b/mq/environments/ci/certificates/ci-mq-client-certificate.yaml_template @@ -0,0 +1,28 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ci-mq-client-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + keystores: + jks: + create: true + passwordSecretRef: + key: KEY_STORE_PASSWORD + name: mq-client-jks-password + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-client-jks + subject: + organizations: + - ibm diff --git a/mq/environments/ci/certificates/ci-mq-server-certificate.sh b/mq/environments/ci/certificates/ci-mq-server-certificate.sh new file mode 100755 index 0000000..5c52a31 --- /dev/null +++ b/mq/environments/ci/certificates/ci-mq-server-certificate.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < ci-mq-server-certificate.yaml \ No newline at end of file diff --git a/mq/environments/ci/certificates/ci-mq-server-certificate.yaml_template b/mq/environments/ci/certificates/ci-mq-server-certificate.yaml_template new file mode 100644 index 0000000..844b6ef --- /dev/null +++ b/mq/environments/ci/certificates/ci-mq-server-certificate.yaml_template 
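Review bot: ci-mq-client-certificate.yaml_template issues a `client auth` certificate with `dnsNames: - *.${CLUSTER_DOMAIN}`, a wildcard over the entire cluster base domain; a client certificate is matched by its subject, not by a DNS SAN, so the wildcard adds nothing for mutual TLS, and ci-mq-server-certificate.yaml_template (next hunk, L129) uses the same wildcard where listing the MQ route hostnames would be the narrower and more reviewable choice. Both generator scripts assign `CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')` without checking the result, so a failed or logged-out `oc` call silently renders a SAN of `*.`; a guard such as `: "${CLUSTER_DOMAIN:?could not read the cluster base domain}"` directly after the assignment catches that. The script bodies after `( echo "cat <` appear truncated in this rendering, so the remainder of the template-expansion step could not be reviewed.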
@@ -0,0 +1,22 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ci-mq-server-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-server-cert + subject: + organizations: + - ibm diff --git a/mq/environments/ci/configmaps/gitops-repo-configmap.sh b/mq/environments/ci/configmaps/gitops-repo-configmap.sh new file mode 100755 index 0000000..580b65c --- /dev/null +++ b/mq/environments/ci/configmaps/gitops-repo-configmap.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +# Set variables +if [[ -z ${GIT_ORG} ]]; then + echo "Please provide environment variable GIT_ORG" + exit 1 +fi + +GIT_BRANCH=${GIT_BRANCH:-master} + +# Create Kubernetes Secret yaml +( echo "cat < gitops-repo-configmap.yaml \ No newline at end of file diff --git a/mq/environments/ci/configmaps/gitops-repo-configmap.yaml_template b/mq/environments/ci/configmaps/gitops-repo-configmap.yaml_template new file mode 100644 index 0000000..fac2a27 --- /dev/null +++ b/mq/environments/ci/configmaps/gitops-repo-configmap.yaml_template @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: multi-tenancy-gitops + group: pipeline + type: git + name: gitops-repo +data: + branch: ${GIT_BRANCH} + host: github.com + org: ${GIT_ORG} + owner: ${GIT_ORG} + parentdir: . + protocol: https + repo: multi-tenancy-gitops-apps + url: https://github.com/${GIT_ORG}/multi-tenancy-gitops-apps.git diff --git a/mq/environments/ci/eventlisteners/cntk-event-listener.sh b/mq/environments/ci/eventlisteners/cntk-event-listener.sh new file mode 100644 index 0000000..d15f3b5 --- /dev/null +++ b/mq/environments/ci/eventlisteners/cntk-event-listener.sh 
@@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Set variables +if [[ -z ${GIT_ORG} ]]; then + echo "Please provide environment variable GIT_ORG" + exit 1 +fi + +GIT_BRANCH_QM1=${GIT_BRANCH_QM1:-master} +GIT_BRANCH_SPRING=${GIT_BRANCH_SPRING:-master} + +# Create Kubernetes Secret yaml +( echo "cat < cntk-event-listener.yaml diff --git a/mq/environments/ci/eventlisteners/cntk-event-listener.yaml_template b/mq/environments/ci/eventlisteners/cntk-event-listener.yaml_template new file mode 100644 index 0000000..527dd30 --- /dev/null +++ b/mq/environments/ci/eventlisteners/cntk-event-listener.yaml_template @@ -0,0 +1,27 @@ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: EventListener +metadata: + labels: + app: cnkt-event-listener + name: cnkt-event-listener +spec: + serviceAccountName: pipeline + triggers: + - bindings: + - kind: TriggerBinding + ref: cnkt-trigger-binding + interceptors: + - cel: + filter: header.match('X-GitHub-Event', 'push') && body.ref == 'refs/heads/${GIT_BRANCH_QM1}' && body.repository.full_name == '${GIT_ORG}/mq-infra' + name: mq-infra-dev + template: + ref: mq-infra-dev + # - bindings: + # - kind: TriggerBinding + # ref: cnkt-trigger-binding + # interceptors: + # - cel: + # filter: header.match('X-GitHub-Event', 'push') && body.ref == 'refs/heads/${GIT_BRANCH_SPRING}' && body.repository.full_name == '${GIT_ORG}/mq-spring-app' + # name: mq-spring-app-dev + # template: + # name: mq-spring-app-dev diff --git a/mq/environments/ci/kustomization.yaml b/mq/environments/ci/kustomization.yaml new file mode 100644 index 0000000..038a1ce --- /dev/null +++ b/mq/environments/ci/kustomization.yaml 
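Review bot: The EventListener in cntk-event-listener.yaml_template verifies nothing about who sent the event: the only gate is the `cel` filter on `X-GitHub-Event`, `body.ref` and `body.repository.full_name`, all of which are supplied by the caller, so once the listener is reachable (its route entry is still commented out in mq/environments/ci/kustomization.yaml, L131) any client that can reach it can start the mq-infra-dev pipeline under the `pipeline` service account. Tekton Triggers' `github` interceptor checks the webhook signature against a Secret and filters on `eventTypes`, and it should run before the CEL filter rather than being replaced by it. Two smaller points: the resource is named `cnkt-event-listener` and references `cnkt-trigger-binding` while the file and the kustomization entry are spelled `cntk`, and the commented-out second trigger uses `template.name` where the active one uses `template.ref`, so check those names against the binding and template resources before un-commenting it.
```yaml
      interceptors:
        - github:
            secretRef:
              secretName: "<WEBHOOK_SECRET_NAME>"  # placeholder: Secret holding the GitHub webhook secret
              secretKey: "<WEBHOOK_SECRET_KEY>"    # placeholder: key inside that Secret
            eventTypes:
              - push
        - cel:
            filter: body.ref == 'refs/heads/${GIT_BRANCH_QM1}' && body.repository.full_name == '${GIT_ORG}/mq-infra'
      # … unchanged: name / template …
```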
@@ -0,0 +1,36 @@
+resources:
+#- certificates/ci-mq-client-certificate.yaml
+#- certificates/ci-mq-server-certificate.yaml
+- configmaps/gitops-repo-configmap.yaml
+#- eventlisteners/cntk-event-listener.yaml
+#- triggerbindings/cntk-binding.yaml
+#- triggertemplates/mq-infra-dev.yaml
+#- triggertemplates/mq-spring-app-dev.yaml
+- pipelines/ibm-test-pipeline-for-dev.yaml
+- pipelines/ibm-test-pipeline-for-stage.yaml
+#- pipelines/java-maven-dev-pipeline.yaml
+- pipelines/mq-pipeline-dev.yaml
+- pipelines/mq-spring-app-dev-pipeline.yaml
+- roles/custom-pipeline-sa-clusterrole.yaml
+- roles/custom-pipeline-sa-role.yaml
+- roles/custom-ci-pipeline-sa-rolebinding.yaml
+- roles/custom-dev-pipeline-sa-rolebinding.yaml
+- roles/custom-staging-pipeline-sa-rolebinding.yaml
+- roles/custom-prod-pipeline-sa-rolebinding.yaml
+#- routes/cntk-route.yaml
+- secrets/artifactory-access-secret.yaml
+- secrets/git-credentials-secret.yaml
+- secrets/ibm-entitled-registry-credentials-secret.yaml
+#- secrets/mq-client-jks-password-secret.yaml
+- tasks/10-gitops.yaml
+- tasks/12-functional-tests.yaml
+- tasks/13-jmeter-performance-test.yaml
+- tasks/4-smoke-tests-mq.yaml
+- tasks/4-smoke-tests.yaml
+- tasks/ibm-build-tag-push-v2-6-13.yaml
+- tasks/ibm-helm-release-v2-6-13.yaml
+- tasks/ibm-img-release-v2-6-13.yaml
+- tasks/ibm-img-scan-v2-6-13.yaml
+- tasks/ibm-java-maven-test-v2-6-13.yaml
+- tasks/ibm-setup-v2-6-13.yaml
+- tasks/ibm-tag-release-v2-6-13.yaml
diff --git a/mq/environments/ci/pipelines/ibm-test-pipeline-for-dev.yaml b/mq/environments/ci/pipelines/ibm-test-pipeline-for-dev.yaml
new file mode 100644
index 0000000..7333204
--- /dev/null
+++ b/mq/environments/ci/pipelines/ibm-test-pipeline-for-dev.yaml
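Review bot: The CI pipeline service account is bound into every environment at once: next to `roles/custom-pipeline-sa-clusterrole.yaml` the list adds `custom-ci-`, `custom-dev-`, `custom-staging-` and `custom-prod-pipeline-sa-rolebinding.yaml`, so whatever that ClusterRole grants, the ci-namespace service account also holds in prod. The role and binding manifests are not in view, so confirm the ClusterRole is limited to what the listed tasks need and whether the prod binding is required at all — promotion in this repo otherwise goes through the ibm-gitops task and a pull request, and a mis-triggered CI run should not be able to reach production directly. The three `secrets/*.yaml` entries are referenced but not visible in this diff; verify they are SealedSecrets like cp4a/environments/cloudpak/secrets/ibm-entitled-key-secret.yaml (L122) rather than plaintext Secrets.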
@@ -0,0 +1,55 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-mq-promote-dev-stage
+ annotations:
+ app.openshift.io/runtime: test
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: git branch for the test app
+ default: master
+ - name: src-environment
+ description: environment
+ default: dev
+ - name: dest-environment
+ description: environment
+ default: staging
+ - name: app-path
+ description: Path in gitops repo
+ default: mq/environments
+ - name: git-pr
+ description: Enable the pipeline to do a PR for the gitops repo
+ default: "true"
+ - name: test-file
+ description: Path of the postman collection
+ default: "postman/mq-spring-app.postman_collection.json"
+ tasks:
+ - name: dev-instance-tests
+ taskRef:
+ name: ibm-functional-test
+ params:
+ - name: git-url
+ value: "$(params.git-url)"
+ - name: src-environment
+ value: "$(params.src-environment)"
+ - name: test-file
+ value: "$(params.test-file)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops
+ runAfter:
+ - dev-instance-tests
+ params:
+ - name: app-name
+ value: "$(tasks.dev-instance-tests.results.app-name)"
+ - name: src-environment
+ value: "$(params.src-environment)"
+ - name: dest-environment
+ value: "$(params.dest-environment)"
+ - name: app-path
+ value: "$(params.app-path)"
+ - name: git-pr
+ value: "$(params.git-pr)"
diff --git a/mq/environments/ci/pipelines/ibm-test-pipeline-for-stage.yaml b/mq/environments/ci/pipelines/ibm-test-pipeline-for-stage.yaml
new file mode 100644
index 0000000..8aee314
--- /dev/null
+++ b/mq/environments/ci/pipelines/ibm-test-pipeline-for-stage.yaml
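Review bot: `git-revision` is declared as a pipeline param (default `master`, described as "git branch for the test app") but is never passed to either task of ibm-mq-promote-dev-stage, and the same unused param appears in ibm-mq-promote-stage-prod (L133); either drop it or forward it to the test task so the declared interface matches what actually runs. The `description: environment` on both `src-environment` and `dest-environment` restates the name; `description: Environment whose instance is tested` and `description: Environment the app is promoted to on success` would tell a user what the two values do.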
@@ -0,0 +1,55 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-mq-promote-stage-prod
+ annotations:
+ app.openshift.io/runtime: test
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: git branch for the test app
+ default: master
+ - name: src-environment
+ description: environment
+ default: staging
+ - name: dest-environment
+ description: environment
+ default: prod
+ - name: app-path
+ description: Path in gitops repo
+ default: mq/environments
+ - name: git-pr
+ description: Enable the pipeline to do a PR for the gitops repo
+ default: "true"
+ - name: test-plan
+ description: Path of the postman collection
+ default: "jmeter/mq-spring-app.jmx"
+ tasks:
+ - name: stage-instance-tests
+ taskRef:
+ name: ibm-jmeter-performance-test
+ params:
+ - name: git-url
+ value: "$(params.git-url)"
+ - name: src-environment
+ value: "$(params.src-environment)"
+ - name: test-plan
+ value: "$(params.test-plan)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops
+ runAfter:
+ - stage-instance-tests
+ params:
+ - name: app-name
+ value: "$(tasks.stage-instance-tests.results.app-name)"
+ - name: src-environment
+ value: "$(params.src-environment)"
+ - name: dest-environment
+ value: "$(params.dest-environment)"
+ - name: app-path
+ value: "$(params.app-path)"
+ - name: git-pr
+ value: "$(params.git-pr)"
diff --git a/mq/environments/ci/pipelines/java-maven-dev-pipeline.yaml b/mq/environments/ci/pipelines/java-maven-dev-pipeline.yaml
new file mode 100644
index 0000000..ee52fdf
--- /dev/null
+++ b/mq/environments/ci/pipelines/java-maven-dev-pipeline.yaml
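Review bot: The `test-plan` param is documented as `description: Path of the postman collection`, but its default is `jmeter/mq-spring-app.jmx` and it feeds the `ibm-jmeter-performance-test` task, so the text was carried over from the dev pipeline's `test-file`; `description: Path of the JMeter test plan (.jmx)` matches what the value is. Since this pipeline's `gitops` task promotes from staging to prod, the `git-pr` default of `"true"` is the right one here — worth a one-line comment such as `# keep "true": prod changes go through a reviewed PR` so it is not flipped to match the dev pipelines' `"false"`.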
@@ -0,0 +1,188 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: mq-quarkus-app-dev + annotations: + app.openshift.io/runtime: openjdk + app.openshift.io/builder: maven +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: scan-image + description: Enable the pipeline to scan the image for vulnerabilities + default: "false" + - name: environment + description: environment + default: dev + - name: app-path + description: Path in gitops repo + default: mq/environments + - name: security + description: enable app security + default: "false" + - name: git-pr + description: Enable the pipeline to do a PR for the gitops repo + default: "false" + tasks: + - name: setup + taskRef: + name: ibm-setup-v2-6-13 + params: + - name: git-url + value: $(params.git-url) + - name: git-revision + value: $(params.git-revision) + - name: scan-image + value: $(params.scan-image) + - name: test + taskRef: + name: ibm-java-maven-test-v2-6-13 + runAfter: + - setup + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: build + taskRef: + name: ibm-build-tag-push-v2-6-13 + runAfter: + - test + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: smoke-tests + 
taskRef: + name: ibm-smoke-tests + runAfter: + - build + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: app-namespace + value: "$(tasks.setup.results.app-namespace)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: health-protocol + value: "$(tasks.setup.results.health-protocol)" + - name: health-endpoint + value: "$(tasks.setup.results.health-endpoint)" + - name: health-url + value: "$(tasks.setup.results.health-url)" + - name: health-curl + value: "$(tasks.setup.results.health-curl)" + - name: security + value: "$(params.security)" + - name: tag-release + taskRef: + name: ibm-tag-release-v2-6-13 + runAfter: + - smoke-tests + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: js-image + value: "$(tasks.setup.results.js-image)" + - name: img-release + taskRef: + name: ibm-img-release-v2-6-13 + runAfter: + - tag-release + params: + - name: image-from + value: "$(tasks.setup.results.image-url)" + - name: image-to + value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)" + - name: img-scan + taskRef: + name: ibm-img-scan-v2-6-13 + runAfter: + - img-release + params: + - name: image-url + value: $(tasks.img-release.results.image-url) + - name: scan-trivy + value: 
$(tasks.setup.results.scan-trivy) + - name: scan-ibm + value: $(tasks.setup.results.scan-ibm) + - name: helm-release + taskRef: + name: ibm-helm-release-v2-6-13 + runAfter: + - img-scan + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-url + value: "$(tasks.img-release.results.image-url)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: gitops + taskRef: + name: ibm-gitops + runAfter: + - helm-release + params: + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: version + value: "$(tasks.tag-release.results.tag)" + - name: helm-url + value: $(tasks.helm-release.results.helm-url) + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: app-path + value: "$(params.app-path)" + - name: dest-environment + value: "$(params.environment)" + - name: git-pr + value: "$(params.git-pr)" diff --git a/mq/environments/ci/pipelines/mq-pipeline-dev.yaml b/mq/environments/ci/pipelines/mq-pipeline-dev.yaml new file mode 100644 index 0000000..9cbaf0a --- /dev/null +++ b/mq/environments/ci/pipelines/mq-pipeline-dev.yaml 
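Review bot: `scan-image` defaults to `"false"` in mq-quarkus-app-dev, yet the pipeline continues through `img-release`, `helm-release` and `gitops`, so by default an image is released and its version written into the gitops repo with the `img-scan` step presumably skipping its work (the task still runs, fed the `scan-trivy`/`scan-ibm` results from setup; the task body is not in view). For a pipeline that publishes images, `default: "true"` with an explicit opt-out is the safer default, and mq-infra-dev (L137) carries the same `"false"`. Two style points: `smoke-tests` references `ibm-smoke-tests` while every other taskRef is pinned `-v2-6-13`, and the `img-scan` values and `helm-url` are the only unquoted `$(…)` expressions in the file. This pipeline is commented out in mq/environments/ci/kustomization.yaml (L131), so as committed it is not deployed.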
@@ -0,0 +1,170 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: mq-infra-dev + annotations: + app.openshift.io/runtime: mq +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: scan-image + description: Enable the pipeline to scan the image for vulnerabilities + default: "false" + - name: environment + description: environment + default: dev + - name: app-path + description: Path in gitops repo + default: mq/environments + - name: security + description: Enable security for queueManager + default: "false" + - name: ha + description: Enable ha for queueManager + default: "false" + - name: git-pr + description: Enable the pipeline to do a PR for the gitops repo + default: "false" + tasks: + - name: setup + taskRef: + name: ibm-setup-v2-6-13 + params: + - name: git-url + value: $(params.git-url) + - name: git-revision + value: $(params.git-revision) + - name: scan-image + value: $(params.scan-image) + - name: build + taskRef: + name: ibm-build-tag-push-v2-6-13 + runAfter: + - setup + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: smoke-tests-mq + taskRef: + name: ibm-smoke-tests-mq + runAfter: + - build + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: 
"$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: app-namespace + value: "$(tasks.setup.results.app-namespace)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name : security + value: "$(params.security)" + - name: ha + value: "$(params.ha)" + - name: tag-release + taskRef: + name: ibm-tag-release-v2-6-13 + runAfter: + - smoke-tests-mq + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: js-image + value: "$(tasks.setup.results.js-image)" + - name: img-release + taskRef: + name: ibm-img-release-v2-6-13 + runAfter: + - tag-release + params: + - name: image-from + value: "$(tasks.setup.results.image-url)" + - name: image-to + value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)" + - name: img-scan + taskRef: + name: ibm-img-scan-v2-6-13 + runAfter: + - img-release + params: + - name: image-url + value: $(tasks.img-release.results.image-url) + - name: scan-trivy + value: $(tasks.setup.results.scan-trivy) + - name: scan-ibm + value: $(tasks.setup.results.scan-ibm) + - name: helm-release + taskRef: + name: ibm-helm-release-v2-6-13 + runAfter: + - img-scan + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-url + value: "$(tasks.img-release.results.image-url)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: 
deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: gitops + taskRef: + name: ibm-gitops + runAfter: + - helm-release + params: + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: version + value: "$(tasks.tag-release.results.tag)" + - name: helm-url + value: $(tasks.helm-release.results.helm-url) + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: app-path + value: "$(params.app-path)" + - name: dest-environment + value: "$(params.environment)" + - name: git-pr + value: "$(params.git-pr)" diff --git a/mq/environments/ci/pipelines/mq-spring-app-dev-pipeline.yaml b/mq/environments/ci/pipelines/mq-spring-app-dev-pipeline.yaml new file mode 100644 index 0000000..3364d86 --- /dev/null +++ b/mq/environments/ci/pipelines/mq-spring-app-dev-pipeline.yaml 
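Review bot: `- name : security` in the smoke-tests-mq params has a space before the colon; YAML still reads the key as `name`, but it trips yamllint's `colons` rule and differs from every other entry, so it should be `- name: security`. Separately, `scan-image` defaults to `"false"`, so the img-scan task in this pipeline runs with scanning disabled unless each PipelineRun overrides it; if the scan is meant to gate the release, `default: "true"` is the safer default for a dev pipeline. The same `"false"` default appears in mq-spring-app-dev-pipeline.yaml in the next file section.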
@@ -0,0 +1,188 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: mq-spring-app-dev + annotations: + app.openshift.io/runtime: openjdk + app.openshift.io/builder: maven +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: scan-image + description: Enable the pipeline to scan the image for vulnerabilities + default: "false" + - name: environment + description: environment + default: dev + - name: app-path + description: Path in gitops repo + default: mq/environments + - name: security + description: enable app security + default: "false" + - name: git-pr + description: Enable the pipeline to do a PR for the gitops repo + default: "false" + tasks: + - name: setup + taskRef: + name: ibm-setup-v2-6-13 + params: + - name: git-url + value: $(params.git-url) + - name: git-revision + value: $(params.git-revision) + - name: scan-image + value: $(params.scan-image) + - name: test + taskRef: + name: ibm-java-maven-test-v2-6-13 + runAfter: + - setup + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: build + taskRef: + name: ibm-build-tag-push-v2-6-13 + runAfter: + - test + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: smoke-tests + 
taskRef: + name: ibm-smoke-tests + runAfter: + - build + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: app-namespace + value: "$(tasks.setup.results.app-namespace)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: health-protocol + value: "$(tasks.setup.results.health-protocol)" + - name: health-endpoint + value: "$(tasks.setup.results.health-endpoint)" + - name: health-url + value: "$(tasks.setup.results.health-url)" + - name: health-curl + value: "$(tasks.setup.results.health-curl)" + - name: security + value: "$(params.security)" + - name: tag-release + taskRef: + name: ibm-tag-release-v2-6-13 + runAfter: + - smoke-tests + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: js-image + value: "$(tasks.setup.results.js-image)" + - name: img-release + taskRef: + name: ibm-img-release-v2-6-13 + runAfter: + - tag-release + params: + - name: image-from + value: "$(tasks.setup.results.image-url)" + - name: image-to + value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)" + - name: img-scan + taskRef: + name: ibm-img-scan-v2-6-13 + runAfter: + - img-release + params: + - name: image-url + value: $(tasks.img-release.results.image-url) + - name: scan-trivy + value: 
$(tasks.setup.results.scan-trivy) + - name: scan-ibm + value: $(tasks.setup.results.scan-ibm) + - name: helm-release + taskRef: + name: ibm-helm-release-v2-6-13 + runAfter: + - img-scan + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-url + value: "$(tasks.img-release.results.image-url)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: gitops + taskRef: + name: ibm-gitops + runAfter: + - helm-release + params: + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: version + value: "$(tasks.tag-release.results.tag)" + - name: helm-url + value: $(tasks.helm-release.results.helm-url) + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: app-path + value: "$(params.app-path)" + - name: dest-environment + value: "$(params.environment)" + - name: git-pr + value: "$(params.git-pr)" diff --git a/mq/environments/ci/roles/.keep b/mq/environments/ci/roles/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/ci/roles/custom-ci-pipeline-sa-rolebinding.yaml b/mq/environments/ci/roles/custom-ci-pipeline-sa-rolebinding.yaml new file mode 100644 index 0000000..0495f0f --- /dev/null +++ b/mq/environments/ci/roles/custom-ci-pipeline-sa-rolebinding.yaml @@ -0,0 +1,13 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: custom-pipeline-sa + namespace: ci +subjects: + - kind: ServiceAccount + name: pipeline + namespace: ci +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-pipeline-sa 
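Review bot: custom-ci-pipeline-sa-rolebinding.yaml is a `ClusterRoleBinding`, so the `pipeline` ServiceAccount in `ci` receives `custom-pipeline-sa` in every namespace of the cluster; the `namespace: ci` under metadata has no scoping effect on a cluster-scoped binding. The dev, staging and prod bindings in the following sections use namespaced `RoleBinding`s to the same ClusterRole, which is the narrower pattern. Unless the CI pipeline genuinely needs to create pods and deployments outside `ci`, change `kind: ClusterRoleBinding` to `kind: RoleBinding` and keep `namespace: ci`.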
diff --git a/mq/environments/ci/roles/custom-dev-pipeline-sa-rolebinding.yaml b/mq/environments/ci/roles/custom-dev-pipeline-sa-rolebinding.yaml
new file mode 100644
index 0000000..9cd0537
--- /dev/null
+++ b/mq/environments/ci/roles/custom-dev-pipeline-sa-rolebinding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: custom-pipeline-sa
+ namespace: dev
+subjects:
+ - kind: ServiceAccount
+ name: pipeline
+ namespace: dev
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom-pipeline-sa
diff --git a/mq/environments/ci/roles/custom-pipeline-sa-clusterrole.yaml b/mq/environments/ci/roles/custom-pipeline-sa-clusterrole.yaml
new file mode 100644
index 0000000..f9c83d2
--- /dev/null
+++ b/mq/environments/ci/roles/custom-pipeline-sa-clusterrole.yaml
@@ -0,0 +1,44 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: custom-pipeline-sa
+rules:
+ - verbs:
+ - '*'
+ apiGroups:
+ - 'bitnami.com'
+ resources:
+ - sealedsecrets
+ - verbs:
+ - '*'
+ apiGroups:
+ - tekton.dev
+ resources:
+ - pipelines
+ - pipelineruns
+ - tasks
+ - taskruns
+ - pipelineresources
+ - verbs:
+ - '*'
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ - verbs:
+ - '*'
+ apiGroups:
+ - ''
+ resources:
+ - pods
+ - services
+ - verbs:
+ - '*'
+ apiGroups:
+ - 'route.openshift.io'
+ resources:
+ - routes
+
diff --git a/mq/environments/ci/roles/custom-pipeline-sa-role.yaml b/mq/environments/ci/roles/custom-pipeline-sa-role.yaml
new file mode 100644
index 0000000..76c8931
--- /dev/null
+++ b/mq/environments/ci/roles/custom-pipeline-sa-role.yaml
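Review bot: every rule in custom-pipeline-sa-clusterrole.yaml grants verbs `'*'`, which covers delete and deletecollection as well as the read/create/update a build pipeline needs, so anyone who can start a PipelineRun (or compromise a pipeline pod) can also remove pods, deployments, routes and sealedsecrets wherever this role is bound. Replace the wildcard with an explicit verb list per rule, e.g. `- verbs: [get, list, watch, create, update, patch]`, and add `delete` only for the resource kinds the tasks actually clean up. custom-pipeline-sa-role.yaml in the next section repeats the identical rule set as a `Role`, yet every binding in this commit references `kind: ClusterRole`, so that file appears unused and should either be bound or dropped.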
@@ -0,0 +1,44 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: custom-pipeline-sa
+rules:
+ - verbs:
+ - '*'
+ apiGroups:
+ - 'bitnami.com'
+ resources:
+ - sealedsecrets
+ - verbs:
+ - '*'
+ apiGroups:
+ - tekton.dev
+ resources:
+ - pipelines
+ - pipelineruns
+ - tasks
+ - taskruns
+ - pipelineresources
+ - verbs:
+ - '*'
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ - verbs:
+ - '*'
+ apiGroups:
+ - ''
+ resources:
+ - pods
+ - services
+ - verbs:
+ - '*'
+ apiGroups:
+ - 'route.openshift.io'
+ resources:
+ - routes
+
diff --git a/mq/environments/ci/roles/custom-prod-pipeline-sa-rolebinding.yaml b/mq/environments/ci/roles/custom-prod-pipeline-sa-rolebinding.yaml
new file mode 100644
index 0000000..dd084b6
--- /dev/null
+++ b/mq/environments/ci/roles/custom-prod-pipeline-sa-rolebinding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: custom-pipeline-sa
+ namespace: prod
+subjects:
+ - kind: ServiceAccount
+ name: pipeline
+ namespace: prod
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom-pipeline-sa
diff --git a/mq/environments/ci/roles/custom-staging-pipeline-sa-rolebinding.yaml b/mq/environments/ci/roles/custom-staging-pipeline-sa-rolebinding.yaml
new file mode 100644
index 0000000..cdecb34
--- /dev/null
+++ b/mq/environments/ci/roles/custom-staging-pipeline-sa-rolebinding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: custom-pipeline-sa
+ namespace: staging
+subjects:
+ - kind: ServiceAccount
+ name: pipeline
+ namespace: staging
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom-pipeline-sa
diff --git a/mq/environments/ci/routes/cntk-route.yaml b/mq/environments/ci/routes/cntk-route.yaml
new file mode 100644
index 0000000..a7036bb
--- /dev/null
+++ b/mq/environments/ci/routes/cntk-route.yaml
@@ -0,0 +1,20 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+ name: el-cnkt-event-listener
+ namespace: ci
+ labels:
+ app: cnkt-event-listener
+ app.kubernetes.io/managed-by: EventListener
+ app.kubernetes.io/part-of: Triggers
+ eventlistener: cnkt-event-listener
+ annotations:
+ openshift.io/host.generated: 'true'
+spec:
+ to:
+ kind: Service
+ name: el-cnkt-event-listener
+ weight: 100
+ port:
+ targetPort: http-listener
+ wildcardPolicy: None
diff --git a/mq/environments/ci/scc/Chart.yaml b/mq/environments/ci/scc/Chart.yaml
new file mode 100644
index 0000000..424e716
--- /dev/null
+++ b/mq/environments/ci/scc/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: tekton-pipeline-scc
+version: 0.1.0
+appVersion: 1.16.0
+description: Tekton pipeline service account configuration
+dependencies:
+ - name: service-account
+ version: 0.5.0
+ repository: https://cloud-native-toolkit.github.io/toolkit-charts/
+
diff --git a/mq/environments/ci/scc/values.yaml b/mq/environments/ci/scc/values.yaml
new file mode 100644
index 0000000..9fe2972
--- /dev/null
+++ b/mq/environments/ci/scc/values.yaml
@@ -0,0 +1,7 @@
+
+global: {}
+
+service-account:
+ name: pipeline
+ create: false
+ sccs: ["privileged"]
diff --git a/mq/environments/ci/secrets/artifactory-access-secret.sh b/mq/environments/ci/secrets/artifactory-access-secret.sh
new file mode 100755
index 0000000..d0afbb9
--- /dev/null
+++ b/mq/environments/ci/secrets/artifactory-access-secret.sh
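Review bot: cntk-route.yaml has no `tls` stanza, so the event-listener Route is served over plain HTTP and every webhook payload (including whatever secret header the listener validates) crosses the cluster edge unencrypted. Add edge termination under `spec` and redirect plain-HTTP clients: `tls: {termination: edge, insecureEdgeTerminationPolicy: Redirect}`. `openshift.io/host.generated: 'true'` is normally written by the router rather than declared by hand; with no `host` set it is harmless, but it can be dropped.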
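Review bot: `sccs: ["privileged"]` in values.yaml grants the `pipeline` ServiceAccount the privileged SCC, i.e. the ability to run fully privileged containers, and the ci binding earlier in this commit extends that account's RBAC cluster-wide, which is a large blast radius for a build identity. If the only consumer is the image build task, check whether a less permissive SCC (for example `anyuid`, or the SCC that OpenShift Pipelines ships for its own pipeline SA) is sufficient. Whatever the outcome, record the reason in the file, e.g. `# privileged: required by <TASK-NAME> for <REASON>` above the `sccs` line, so the grant is not silently inherited by later environments.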
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Set variables
+#ARTIFACTORY_USER=${ARTIFACTORY_USER:-admin}
+#ARTIFACTORY_CURRENT_PASSWORD=${ARTIFACTORY_CURRENT_PASSWORD:-password}
+
+#if [[ -z ${ARTIFACTORY_NEW_PASSWORD} ]]; then
+# echo "Please provide environment variable ARTIFACTORY_NEW_PASSWORD"
+# exit 1
+#fi
+
+SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets}
+SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets}
+
+oc get secret artifactory-access -n tools -o yaml | sed 's/namespace: .*/namespace: ci/' | oc apply -f - --dry-run=client -o yaml > delete-artifactory-access-secret.yaml
+
+# Change existing password
+#oc exec pod/artifactory-artifactory-0 -n tools -it -- curl -XPATCH -uadmin:${ARTIFACTORY_CURRENT_PASSWORD} http://localhost:8040/access/api/v1/users/admin -H 'Content-Type: Application/json' -d '{ "password" : "'"${ARTIFACTORY_NEW_PASSWORD}"'" }' > /dev/null
+
+# Extract encrypted password
+#ARTIFACTORY_ENCRYPT=$(oc exec pod/artifactory-artifactory-0 -n tools -it -- curl -X GET -uadmin:"${ARTIFACTORY_NEW_PASSWORD}" http://localhost:8081/artifactory/api/security/encryptedPassword)
+
+# Create Kubernetes Secret yaml
+#oc create secret generic artifactory-access \
+#--from-literal=ARTIFACTORY_USER=${ARTIFACTORY_USER} \
+#--from-literal=ARTIFACTORY_URL='http://artifactory-artifactory.tools:8082' \
+#--from-literal=ARTIFACTORY_PASSWORD=${ARTIFACTORY_NEW_PASSWORD} \
+#--from-literal=ARTIFACTORY_ENCRYPT=${ARTIFACTORY_ENCRYPT} \
+#--dry-run=client -o yaml > delete-artifactory-access-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ci --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-artifactory-access-secret.yaml > artifactory-access-secret.yaml
+
+# NOTE, do not check delete-artifactory-access-secret.yaml into git!
+rm delete-artifactory-access-secret.yaml
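Review bot: the script never sets `set -euo pipefail`, so when `oc get secret artifactory-access -n tools` fails (not logged in, wrong cluster) the pipeline still feeds an empty file to kubeseal and overwrites the committed artifactory-access-secret.yaml with an unusable manifest; add `set -euo pipefail` right after the shebang. The `sed 's/namespace: .*/namespace: ci/'` rewrite also keeps every other field of the exported Secret (`uid`, `resourceVersion`, `creationTimestamp`, managed-fields) in the file handed to kubeseal, so the sealed output carries cluster-specific metadata that does not belong in git; piping through `oc apply --dry-run=client` does not strip them. Half of the file is a commented-out alternative flow for rotating the Artifactory password, which should either be removed or moved to a separate script so the live path is obvious.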
diff --git a/mq/environments/ci/secrets/artifactory-access-secret.yaml b/mq/environments/ci/secrets/artifactory-access-secret.yaml
new file mode 100644
index 0000000..a0fab51
--- /dev/null
+++ b/mq/environments/ci/secrets/artifactory-access-secret.yaml
@@ -0,0 +1,23 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: artifactory-access
+ namespace: ci
+spec:
+ encryptedData:
+ ARTIFACTORY_ENCRYPT: REPLACE
+ ARTIFACTORY_PASSWORD: REPLACE
+ ARTIFACTORY_URL: REPLACE
+ ARTIFACTORY_USER: REPLACE
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: artifactory-access
+ namespace: ci
+ type: Opaque
+
diff --git a/mq/environments/ci/secrets/git-credentials-secret.sh b/mq/environments/ci/secrets/git-credentials-secret.sh
new file mode 100755
index 0000000..d8099b2
--- /dev/null
+++ b/mq/environments/ci/secrets/git-credentials-secret.sh
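Review bot: the committed SealedSecret carries `sealedsecrets.bitnami.com/cluster-wide: "true"`, which lets the blob be unsealed under any name in any namespace, while the generating script in the previous section runs `kubeseal -n ci` without `--scope`, which (as far as the script shows) produces a strict, name-and-namespace-bound blob and no such annotation. A regenerated file will therefore not match this template, and if the annotation is re-added by hand the sealed data will fail to decrypt under the mismatched scope. Since `namespace: ci` is pinned here anyway, strict scope is the safer choice: drop both `cluster-wide` annotations, or make the script explicit with `kubeseal --scope strict ...` so the intent is documented in one place.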
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Set variables
+if [[ -z ${GIT_USER} ]]; then
+ echo "Please provide environment variable GIT_USER"
+ exit 1
+fi
+
+if [[ -z ${GIT_TOKEN} ]]; then
+ echo "Please provide environment variable GIT_TOKEN"
+ exit 1
+fi
+
+SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets}
+SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets}
+
+# Create Kubernetes Secret yaml
+cat < delete-git-credentials-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: git-credentials
+ annotations:
+ tekton.dev/git-0: https://github.com
+type: kubernetes.io/basic-auth
+stringData:
+ username: ${GIT_USER}
+ password: ${GIT_TOKEN}
+EOF
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ci --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-git-credentials-secret.yaml > git-credentials-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-git-credentials-secret.yaml
diff --git a/mq/environments/ci/secrets/git-credentials-secret.yaml b/mq/environments/ci/secrets/git-credentials-secret.yaml
new file mode 100644
index 0000000..5f34a26
--- /dev/null
+++ b/mq/environments/ci/secrets/git-credentials-secret.yaml
@@ -0,0 +1,20 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: git-credentials
+spec:
+ encryptedData:
+ password: REPLACE
+ username: REPLACE
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ tekton.dev/git-0: https://github.com
+ creationTimestamp: null
+ name: git-credentials
+ type: kubernetes.io/basic-auth
+
diff --git a/mq/environments/ci/secrets/ibm-entitled-registry-credentials-secret.sh b/mq/environments/ci/secrets/ibm-entitled-registry-credentials-secret.sh
new file mode 100755
index 0000000..885028b
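Review bot: `username: ${GIT_USER}` and `password: ${GIT_TOKEN}` are interpolated into the heredoc unquoted, so a token containing `#`, `: `, a leading `*`/`@`/`{`, or one that happens to look numeric is mis-parsed or breaks the document before kubeseal sees it; write them as `username: "${GIT_USER}"` and `password: "${GIT_TOKEN}"` (the quotes are YAML quotes, not shell). As rendered here the heredoc opens with `cat < delete-git-credentials-secret.yaml`, which reads from a file rather than writing one — if that is the committed text and not a rendering artifact of `cat <<EOF > ...`, the script cannot work. The final comment names `delete-ibm-entitled-key-secret.yaml`, which is a copy-paste leftover; it should name `delete-git-credentials-secret.yaml`.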
--- /dev/null
+++ b/mq/environments/ci/secrets/ibm-entitled-registry-credentials-secret.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Set variables
+if [[ -z ${IBM_ENTITLEMENT_KEY} ]]; then
+ echo "Please provide environment variable IBM_ENTITLEMENT_KEY"
+ exit 1
+fi
+
+IBM_ENTITLEMENT_KEY=${IBM_ENTITLEMENT_KEY}
+
+SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets}
+SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets}
+
+# Create Kubernetes Secret yaml
+oc create secret generic ibm-entitled-registry-credentials \
+--from-literal=IBM_ENTITLED_REGISTRY_USER=cp \
+--from-literal=IBM_ENTITLED_REGISTRY_PASSWORD=${IBM_ENTITLEMENT_KEY} \
+--dry-run=true -o yaml > delete-ibm-entitled-registry-credentials-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ci --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-ibm-entitled-registry-credentials-secret.yaml > ibm-entitled-registry-credentials-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-registry-credentials-secret.yaml
\ No newline at end of file
diff --git a/mq/environments/ci/secrets/ibm-entitled-registry-credentials-secret.yaml b/mq/environments/ci/secrets/ibm-entitled-registry-credentials-secret.yaml
new file mode 100644
index 0000000..d3a1a48
--- /dev/null
+++ b/mq/environments/ci/secrets/ibm-entitled-registry-credentials-secret.yaml
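Review bot: `--dry-run=true` is the deprecated boolean spelling; the sibling scripts use `--dry-run=client`, and recent oc/kubectl releases warn on the old form, so use `--dry-run=client -o yaml` here as well. `${IBM_ENTITLEMENT_KEY}` is passed to `--from-literal` unquoted, so a key containing whitespace or glob characters would be split or expanded by the shell; quote it as `--from-literal=IBM_ENTITLED_REGISTRY_PASSWORD="${IBM_ENTITLEMENT_KEY}"`. `IBM_ENTITLEMENT_KEY=${IBM_ENTITLEMENT_KEY}` is a no-op line, and the cleanup comment names `delete-ibm-entitled-key-secret.yaml` rather than the file actually removed.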
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitled-registry-credentials
+spec:
+ encryptedData:
+ IBM_ENTITLED_REGISTRY_PASSWORD: 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
+ IBM_ENTITLED_REGISTRY_USER: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitled-registry-credentials
+
diff --git a/mq/environments/ci/secrets/mq-client-jks-password-secret.sh b/mq/environments/ci/secrets/mq-client-jks-password-secret.sh
new file mode 100755
index 0000000..83a637d
--- /dev/null
+++ b/mq/environments/ci/secrets/mq-client-jks-password-secret.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Set variables
+KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD:-mqclientci}
+SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets}
+SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets}
+
+# Create Kubernetes Secret yaml
+oc create secret generic mq-client-jks-password \
+--from-literal=KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD} \
+--dry-run=client -o yaml > delete-mq-client-jks-password-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ci --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-mq-client-jks-password-secret.yaml > mq-client-jks-password-secret.yaml
+
+# NOTE, do not check delete-mq-client-jks-password-secret.yaml into git!
+rm delete-mq-client-jks-password-secret.yaml
diff --git a/mq/environments/ci/secrets/mq-client-jks-password-secret.yaml b/mq/environments/ci/secrets/mq-client-jks-password-secret.yaml
new file mode 100644
index 0000000..28702dc
--- /dev/null
+++ b/mq/environments/ci/secrets/mq-client-jks-password-secret.yaml
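Review bot: `KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD:-mqclientci}` in mq-client-jks-password-secret.sh bakes a default keystore password into a script that lives in a git repository, so anyone who runs it without exporting the variable seals a password that is known to everyone with read access to the repo, which defeats the point of sealing it. Fail fast instead, as git-credentials-secret.sh does: `if [[ -z ${KEY_STORE_PASSWORD} ]]; then echo "Please provide environment variable KEY_STORE_PASSWORD"; exit 1; fi`. The ibm-entitled-registry-credentials-secret.yaml section above omits `metadata.namespace` while the artifactory one pins `ci`; that is consistent with its `cluster-wide` annotation, but the two files should follow one convention.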
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: mq-client-jks-password
+spec:
+ encryptedData:
+ KEY_STORE_PASSWORD: REPLACE
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: mq-client-jks-password
\ No newline at end of file
diff --git a/mq/environments/ci/tasks/10-gitops.yaml b/mq/environments/ci/tasks/10-gitops.yaml
new file mode 100644
index 0000000..6fe7195
--- /dev/null
+++ b/mq/environments/ci/tasks/10-gitops.yaml
@@ -0,0 +1,291 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gitops + annotations: + description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: app-name + default: "" + - name: version + default: "" + - name: src-environment + default: "" + - name: dest-environment + default: "" + - name: app-path + default: "" + - name: source-dir + default: /source + - name: subdir + default: "" + - name: parentdir + default: "" + - name: yaml + default: "requirements.yaml" + - name: helm-url + default: "" + - name: git-pr + default: "false" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: gitops + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: gitops-repo + key: parentdir + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo + key: org + optional: true + - name: GIT_REPO + valueFrom: + 
configMapKeyRef: + name: gitops-repo + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: gitops-repo + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAME="$(params.app-name)" + + SUBDIR="$(params.subdir)" + + if [[ -z "${SUBDIR}" ]]; then + SUBDIR="${APP_NAME}" + fi + + if [[ -n "$(params.parentdir)" ]]; then + if [[ -n "$(params.src-environment)" ]]; then + PARENT_DIR_SRC="$(params.parentdir)/$(params.app-path)/$(params.src-environment)" + fi + if [[ -n "$(params.dest-environment)" ]]; then + PARENT_DIR_DEST="$(params.parentdir)/$(params.app-path)/$(params.dest-environment)" + else + echo "Please set destination environment" + fi + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + if [[ -n "$(params.src-environment)" ]]; then + PARENT_DIR_SRC=$(eval $GIT_PARENT_DIR | tail -n 1)"/$(params.app-path)/$(params.src-environment)" + fi + if [[ -n "$(params.dest-environment)" ]]; then + PARENT_DIR_DEST=$(eval $GIT_PARENT_DIR | tail -n 1)"/$(params.app-path)/$(params.dest-environment)" + else + echo "Please set destination environment" + fi + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + if [[ -n "$(params.src-environment)" ]]; then + PARENT_DIR_SRC="${GIT_PARENT_DIR}/$(params.app-path)/$(params.src-environment)" + fi + if [[ -n "$(params.dest-environment)" ]]; then + PARENT_DIR_DEST="${GIT_PARENT_DIR}/$(params.app-path)/$(params.dest-environment)" + else + echo "Please set destination environment" + fi + else + if [[ -n "$(params.src-environment)" ]]; then + PARENT_DIR_SRC="." + fi + if [[ -n "$(params.dest-environment)" ]]; then + PARENT_DIR_DEST="." 
+ else + echo "Please set destination environment" + fi + fi + + if [[ -n "$(params.src-environment)" ]]; then + SUBDIR_SRC="${PARENT_DIR_SRC}/${SUBDIR}" + fi + if [[ -n "$(params.dest-environment)" ]]; then + SUBDIR_DEST="${PARENT_DIR_DEST}/${SUBDIR}" + else + echo "Please set destination environment" + fi + + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + YAML_FILE="$(params.yaml)" + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. Skipping trigger step" + exit 0 + fi + + set +x + if [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} gitops_cd + set -x + cd gitops_cd + + if [[ -z "$(params.src-environment)" ]]; then + VERSION="$(params.version)" + HELM_URL="$(params.helm-url)" + else + VERSION="$(grep 'version:' ./$(params.app-path)/$(params.src-environment)/$(params.app-name)/${YAML_FILE} | awk 'NR==1{print $2}')" + HELM_URL="$(grep 'repository:' ./$(params.app-path)/$(params.src-environment)/$(params.app-name)/requirements.yaml | awk 'NR==1{print $2}')" + fi + + if [[ -z "${SUBDIR_SRC}" && -f "${SUBDIR_DEST}/${YAML_FILE}" ]]; then + echo "Requirements before update" + cat "${SUBDIR_DEST}/${YAML_FILE}" + + yq r "${SUBDIR_DEST}/${YAML_FILE}" -j | \ + jq --arg APP_NAME "${APP_NAME}" --arg 
VERSION "${VERSION}" --arg REPO "${HELM_URL}" '.dependencies |= map((select(.name == $APP_NAME) | .version = $VERSION | .repository = $REPO) // .)' | \ + yq r --prettyPrint - > "${SUBDIR_DEST}/${YAML_FILE}.new" + + rm "${SUBDIR_DEST}/${YAML_FILE}" + mv "${SUBDIR_DEST}/${YAML_FILE}.new" "${SUBDIR_DEST}/${YAML_FILE}" + + echo "Requirements after update" + cat "${SUBDIR_DEST}/${YAML_FILE}" + + elif [[ ! -z "${SUBDIR_SRC}" && -f "${SUBDIR_DEST}/${YAML_FILE}" ]]; then + echo "Requirements before update" + cat "${SUBDIR_DEST}/${YAML_FILE}" + + rm -rf ${SUBDIR_DEST}/${YAML_FILE} && cp -r ${SUBDIR_SRC}/${YAML_FILE} ${SUBDIR_DEST}/${YAML_FILE} + + echo "Requirements after update" + cat "${SUBDIR_DEST}/${YAML_FILE}" + + elif [[ -n "${HELM_URL}" ]]; then + if [[ ! -z ${SUBDIR_DEST} ]]; then + files=$(ls ${SUBDIR_DEST} | wc -l) + if [[ ${files} -gt 1 && ${files} -lt 3 ]]; then + echo "${SUBDIR_DEST} is present but files are not existing" + rm -rf ${SUBDIR_DEST} + fi + fi + echo "Creating first time chart using ${SUBDIR_DEST}" + # create directory + mkdir -p "${SUBDIR_DEST}" + + # WARNING: Do not indent the cat commands below + + cat <"${SUBDIR_DEST}/Chart.yaml" + apiVersion: v2 + version: 0.1.0 + name: ${APP_NAME} + description: Chart to configure ArgoCD with the ${APP_NAME} project and its applications + EOF + + cat <"${SUBDIR_DEST}/${YAML_FILE}" + dependencies: + - name: ${APP_NAME} + version: ${VERSION} + repository: ${HELM_URL} + EOF + + cat <"${SUBDIR_DEST}/values.yaml" + global: {} + ${APP_NAME}: + replicaCount: 1 + EOF + + else + echo "GitOps repo configured but unable to update application config" + exit 1 + fi + + APP_VERSION="$(git rev-parse HEAD | cut -c 1-8)" + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + elif [[ "$(params.git-pr)" = "false" ]]; then + git add "${SUBDIR_DEST}/" + git commit -m "Updates ${APP_NAME} to ${VERSION}" + git push -v + else + git checkout -b cntk-ci-pipeline-${APP_NAME}-${APP_VERSION} + + # push changes to 
git + git status + git add "${SUBDIR_DEST}/" + git commit -m "Cloudnative toolkit pipeline updates ${APP_NAME}" --no-edit --signoff + + git push origin cntk-ci-pipeline-${APP_NAME}-${APP_VERSION} + + GIT_PUSH_URL="${PROTOCOL}://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/pulls" + curl -u ${GIT_AUTH_USER}:${GIT_AUTH_PWD} -d '{"title":"PR to promote to '$(params.dest-environment)' for '$(params.app-name)'","base":"'${GIT_BRANCH}'", "head":"'${GIT_ORG}':cntk-ci-pipeline-'${APP_NAME}'-'${APP_VERSION}'"}' ${GIT_PUSH_URL} + + fi diff --git a/mq/environments/ci/tasks/12-functional-tests.yaml b/mq/environments/ci/tasks/12-functional-tests.yaml new file mode 100644 index 0000000..0ed36af --- /dev/null +++ b/mq/environments/ci/tasks/12-functional-tests.yaml 
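Review bot: the `curl -u ${GIT_AUTH_USER}:${GIT_AUTH_PWD} ...` that opens the pull request runs with xtrace enabled (`set -x` is restored right after `git clone` and never turned off again), so the Git token is echoed into the TaskRun log where anyone with log access can read it; wrap it like the clone is wrapped, `set +x` immediately before the curl and `set -x` after. `GIT_PUSH_URL` hard-codes `api.github.com` even though the host comes from the `gitops-repo` ConfigMap, so for any other Git server the PR request is sent to github.com with those credentials. `eval $GIT_PARENT_DIR` executes a ConfigMap value as shell, which makes write access to `gitops-repo` equivalent to code execution inside the pipeline pod; at minimum that deserves a comment on the `bash -c` branch and an RBAC check on who can edit the ConfigMap. The `git clone ${BRANCH_CMD} ${GIT_URL}` line relies on word splitting of `BRANCH_CMD`, which is fine here but is the kind of construct a future `set -u`/quoting pass will break.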
@@ -0,0 +1,110 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-functional-test + annotations: + description: Perfrom functional tests + app.openshift.io/description: Functional tests + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + default: "" + - name: git-revision + default: master + - name: source-dir + default: /source + - name: src-environment + default: "" + - name: test-file + default: "" + results: + - name: app-name + description: The app name + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: resolve-route + image: quay.io/openshift/origin-cli:latest + workingDir: $(params.source-dir) + script: | + #!/bin/bash + set -e + SLEEP_TIME_SEC=10 + RETRIES=20 + SRC_ENV=$(echo $(params.src-environment) | cut -d "-" -f2) + url=$(params.git-url) + basename=$(basename $url) + GIT_REPO=${basename%.*} + echo $GIT_REPO + route=$(oc -n ${SRC_ENV} get route ${GIT_REPO} -o jsonpath='{.spec.host}' --ignore-not-found) + + if [[ -z "$route" ]]; then + echo "This is a QueueManager ... 
Skipping this step" + exit 0 + else + echo -n $route > /source/route.txt + fi + - name: run-test + image: postman/newman:ubuntu + workingDir: $(params.source-dir) + script: | + #!/bin/sh + set -ex + if [ ! -f /source/route.txt ]; then + echo "This is a QueueManager ... Skipping this step" + exit 0 + fi + route=$(cat /source/route.txt) + echo $route + test_file="$(params.test-file)" + if [ -e $test_file ]; then + newman run \ + --env-var base-url=$route \ + $test_file + else + echo "Skipping tests ... Postman collections does not exist" + fi + - name: app-name + image: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + workingDir: $(params.source-dir) + script: | + url=$(params.git-url) + basename=$(basename $url) + GIT_REPO=${basename%.*} + echo $GIT_REPO + echo -n "${GIT_REPO}" | tee $(results.app-name.path) diff --git a/mq/environments/ci/tasks/13-jmeter-performance-test.yaml b/mq/environments/ci/tasks/13-jmeter-performance-test.yaml new file mode 100644 index 0000000..4558625 --- /dev/null +++ b/mq/environments/ci/tasks/13-jmeter-performance-test.yaml 
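Review bot: In the git-clone step the token-bearing URL `${GIT_USERNAME}:${GIT_PASSWORD}@…` becomes the `origin` remote in `.git/config` on the shared `/source` emptyDir, so every later step of the task (and anything that prints the remote) can read the credential in clear text even though `set +x` hides the clone command itself. After the clone, reset the remote to its plain form, `git remote set-url origin "$(params.git-url)"`, or hand the credential to git through a `credential.helper` / `GIT_ASKPASS` so it never lands on disk. The same clone step is copied verbatim into 13-jmeter-performance-test, 4-smoke-tests-mq, 4-smoke-tests, ibm-build-tag-push-v2-6-13 and ibm-helm-release-v2-6-13 and needs the same change. Separately, in run-test the default empty `test-file` makes `[ -e $test_file ]` collapse to `[ -e ]`, which is true, so newman is invoked with no collection; guard and quote it, `if [ -n "$test_file" ] && [ -e "$test_file" ]; then`.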
@@ -0,0 +1,126 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-jmeter-performance-test + annotations: + description: Executes a JMeter Test from a GIT repo (preview) + app.openshift.io/description: Executes a JMeter Test from a GIT repo (preview) + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + default: "" + - name: git-revision + default: master + - name: source-dir + default: /source + - name: src-environment + default: "" + - name: test-plan + default: "" + results: + - name: app-name + description: The app name + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: resolve-route + image: quay.io/openshift/origin-cli:latest + workingDir: $(params.source-dir) + script: | + #!/bin/bash + set -e + SLEEP_TIME_SEC=10 + RETRIES=20 + SRC_ENV=$(echo $(params.src-environment) | cut -d "-" -f2) + + url=$(params.git-url) + basename=$(basename $url) + echo $basename + GIT_REPO=${basename%.*} + echo $GIT_REPO + route=$(oc -n ${SRC_ENV} get route ${GIT_REPO} -o jsonpath='{.spec.host}' --ignore-not-found) + + if [[ -z "$route" ]]; then + echo "This is a 
QueueManager ... Skipping this step" + exit 0 + else + echo -n $route > /source/route.txt + fi + - name: jmeter-it + image: quay.io/hemankita/jmeter-11:latest + workingDir: $(params.source-dir) + script: | + #!/usr/bin/env bash + set -ex + if [ ! -f /source/route.txt ]; then + echo "This is a QueueManager ... Skipping this step" + exit 0 + fi + route=$(cat /source/route.txt) + echo $route + test_plan="$(params.test-plan)" + ls + if [ -e $test_plan ]; then + # note: the export does not like the - sign + ${JMETER_BIN}/jmeter.sh \ + -n -t $(params.test-plan) \ + -Jroute=$route \ + -l /source/report.jtl + cat /source/report.jtl + echo "checking for the existance of errors .." + LINES=$(grep false /source/report.jtl | wc -l) + TOTAL_LINES=$(cat /source/report.jtl | wc -l) + if [ $LINES -eq 0 ] ; then + echo "no errors in jmeter test -> ready to promote the code" + exit 0 + else + echo "oops, errors were found." + exit 1 + fi + else + echo "Skipping tests ... Jmeter test plan does not exist" + fi + - name: app-name + image: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + workingDir: $(params.source-dir) + script: | + url=$(params.git-url) + basename=$(basename $url) + GIT_REPO=${basename%.*} + echo $GIT_REPO + echo -n "${GIT_REPO}" | tee $(results.app-name.path) diff --git a/mq/environments/ci/tasks/4-smoke-tests-mq.yaml b/mq/environments/ci/tasks/4-smoke-tests-mq.yaml new file mode 100644 index 0000000..5cbb7df --- /dev/null +++ b/mq/environments/ci/tasks/4-smoke-tests-mq.yaml 
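Review bot: The pass/fail decision in jmeter-it, `LINES=$(grep false /source/report.jtl | wc -l)`, counts every line containing the substring `false` anywhere in the JTL (a label, URL or response message would match), so a run can be reported as failed without any sample failing, while `TOTAL_LINES` is computed and never used. Evaluate the `success` column instead, e.g. `LINES=$(awk -F, 'NR>1 && $8=="false"' /source/report.jtl | wc -l)` — confirm the column index against the JTL header the image actually produces. The step images `quay.io/hemankita/jmeter-11:latest` and `quay.io/openshift/origin-cli:latest` are floating tags, one from a personal namespace; pin them to a digest so the test tooling cannot change underneath the pipeline. As in 12-functional-tests, the default empty `test-plan` turns `[ -e $test_plan ]` into `[ -e ]`, which is true, so jmeter is launched with `-t` and no plan.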
@@ -0,0 +1,297 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-smoke-tests-mq + annotations: + description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: app-namespace + default: "" + - name: app-name + default: "" + - name : security + default: "" + - name: ha + default: "" + - name: deploy-ingress-type + default: "route" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: service-port + - name: resource-type + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: deploy + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - 
name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + script: | + #!/usr/bin/env bash + set -ex + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="$(params.image-repository)" + fi + IMAGE_SERVER="$(params.image-server)" + IMAGE_NAMESPACE="$(params.image-namespace)" + IMAGE_REPOSITORY="$(params.image-repository)" + IMAGE_VERSION="$(params.image-tag)" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + FILE_NUM=$(find . -name 'Chart*.yaml' |wc -l) + if [[ "${FILE_NUM}" -gt 1 ]]; then + echo "Error: Found >1 Chart*.yaml" + exit 1 + fi + + export CHART=$(find . 
-name 'Chart*.yaml') + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "1.0.0-rc${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - --style single "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + helm dep update "${CHART_PATH}" + + # Using 'upgrade --install" for rolling updates. 
Note that subsequent updates will occur in the same namespace the release is currently deployed in, ignoring the explicit--namespace argument". + helm template ${RELEASE_NAME} ${CHART_PATH} \ + --namespace ${APP_NAMESPACE} \ + --set ${PREFIX}ingress.tlsSecretName="${TLS_SECRET_NAME}" \ + --set ${PREFIX}ingress.subdomain="${INGRESS_SUBDOMAIN}" \ + --set security="$(params.security)" \ + --set ha="$(params.ha)" > ./release.yaml + + echo -e "Generated release yaml for: ${APP_NAMESPACE}/${APP_NAME}" + cat ./release.yaml + + echo -e "Deploying into: ${APP_NAMESPACE}/${APP_NAME}" + kubectl apply -n ${APP_NAMESPACE} -f ./release.yaml --validate=false > results.out + cat results.out + echo "Waiting for rollout of ${APP_NAMESPACE}/${APP_NAME}" + + + cat results.out | \ + grep -E "deployment|statefulset|integrationserver|queuemanager" | \ + sed "s/deployment.apps/deployment/g" | \ + sed "s/statefulset.apps/statefulset/g" | \ + sed "s/configured//g" | \ + sed "s/created//g" | \ + sed "s/unchanged//g" | while read target; do + echo "Waiting for rollout of ${target} in ${APP_NAMESPACE}" + if [[ ${target} == *"integrationserver"* ]]; then + kubectl wait --timeout=-1s --for=condition=Ready ${target} + elif [[ ${target} == *"queuemanager"* ]]; then + until [[ "$(kubectl get ${target} -o 'jsonpath={.status.phase}')" = "Running" ]]; + do + sleep 5 + echo "Waiting for Queuemanager to be ready." 
+ done + else + kubectl rollout status -n ${APP_NAMESPACE} ${target} + SERVICE_PORT=$(kubectl get svc "${APP_NAME}" -n "${APP_NAMESPACE}" -o jsonpath="{.spec.ports[?(@.name == 'http')].port}") + echo -n "${SERVICE_PORT}" | tee $(results.service-port.path) + fi + echo -n "${target}" | cut -f1 -d / | tee $(results.resource-type.path) + done + securityContext: + privileged: true + - name: health-check + image: $(params.tools-image) + script: | + #!/usr/bin/env bash + set -x + + APP_NAME="$(params.app-name)" + + # RELEASE_NAME="${APP_NAME}" + RELEASE_NAME="qm-dev" + echo "RELEASE_NAME: $RELEASE_NAME" + + podname=$(kubectl get pods --selector=app.kubernetes.io/instance=$RELEASE_NAME -o custom-columns=POD:.metadata.name --no-headers | head -n 1) + echo "podname: $podname" + + queue="QM1" + echo "queue name: $queue" + + echo "Sleep before test to make sure QMGR is up" + sleep 20 + + echo "Print the queue details: ..." + echo "" + kubectl exec $podname -- /bin/bash -c "echo \"define qlocal($queue) replace\" | runmqsc " + + echo "Print the queue details: ..." + echo "" + kubectl exec $podname -- /bin/bash -c "echo \"DISPLAY QL($queue) ALL\" | runmqsc" > checkQ.txt 2>&1 + cat checkQ.txt + + if grep -q "QUEUE($queue)" checkQ.txt; then + echo "Queue has been successfully created." + else + exit 1 + fi + + # put message on queue + kubectl exec $podname -- /bin/bash -c "echo \"hello-world\" | /opt/mqm/samp/bin/amqsput $queue" > putMessage.txt 2>&1 + cat putMessage.txt + echo "----------" + fail="reason code" + if grep -q "$fail" putMessage.txt; then + exit 1 + else + echo "Message has been successfully put the queue." + fi + + # get message on queue + kubectl exec $podname -c qmgr -- /opt/mqm/samp/bin/amqsget $queue > getMessage.txt 2>&1 + cat getMessage.txt + if grep -q "hello-world" getMessage.txt; then + echo "Message has been found on the queue." + else + echo "Error: Message has not been retrieved from the queue." 
+ exit 1 + fi + - name: cleanup + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAMESPACE="$(params.app-namespace)" + + kubectl delete -n ${APP_NAMESPACE} -f ./release.yaml diff --git a/mq/environments/ci/tasks/4-smoke-tests.yaml b/mq/environments/ci/tasks/4-smoke-tests.yaml new file mode 100644 index 0000000..4276206 --- /dev/null +++ b/mq/environments/ci/tasks/4-smoke-tests.yaml 
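Review bot: The health-check step hard-codes `RELEASE_NAME="qm-dev"` (the `${APP_NAME}` assignment is commented out), so the pod lookup ignores `app-name`; for any other release `podname` is empty, the `kubectl exec $podname …` calls run against no pod, and with `set -x` alone (no `-e`) the failure only surfaces when the later `grep -q` misses. Restore `RELEASE_NAME="${APP_NAME}"` and fail fast when no pod is found: `if [[ -z "$podname" ]]; then echo "no pod for ${RELEASE_NAME}"; exit 1; fi`. The deploy step runs helm, yq and kubectl only, yet carries `securityContext: privileged: true`; drop it, as nothing in the script needs host privileges. The rollout wait uses `kubectl wait --timeout=-1s` and an unbounded `until … sleep 5` loop for the QueueManager, so a resource that never becomes Ready hangs the TaskRun until its own timeout; give both a bounded timeout. `kubectl apply … --validate=false` also skips schema validation of the rendered release, hiding template errors until they fail on the cluster.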
@@ -0,0 +1,304 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-smoke-tests + annotations: + description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 0.0.0 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: security + default: "" + - name: deploy-ingress-type + default: "route" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: health-protocol + default: "https" + - name: health-endpoint + default: "/health" + - name: health-url + default: "" + - name: health-curl + default: "-k" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: resource-type + default: "" + results: + - name: service-port + - name: resource-type + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" 
$(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: deploy + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + securityContext: + privileged: true + script: | + #!/usr/bin/env bash + set -ex + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="$(params.image-repository)" + fi + IMAGE_SERVER="$(params.image-server)" + IMAGE_NAMESPACE="$(params.image-namespace)" + IMAGE_REPOSITORY="$(params.image-repository)" + IMAGE_VERSION="$(params.image-tag)" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + FILE_NUM=$(find . -name 'Chart*.yaml' |wc -l) + if [[ "${FILE_NUM}" -gt 1 ]]; then + echo "Error: Found >1 Chart*.yaml" + exit 1 + fi + + export CHART=$(find . 
-name 'Chart*.yaml') + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "1.0.0-rc${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - --style single "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + helm dep update "${CHART_PATH}" + + # Using 'upgrade --install" for rolling updates. 
Note that subsequent updates will occur in the same namespace the release is currently deployed in, ignoring the explicit--namespace argument". + helm template ${RELEASE_NAME} ${CHART_PATH} \ + --namespace ${APP_NAMESPACE} \ + --set ${PREFIX}ingress.tlsSecretName="${TLS_SECRET_NAME}" \ + --set ${PREFIX}ingress.subdomain="${INGRESS_SUBDOMAIN}" \ + --set security="$(params.security)" > ./release.yaml + + echo -e "Generated release yaml for: ${APP_NAMESPACE}/${APP_NAME}" + cat ./release.yaml + + echo -e "Deploying into: ${APP_NAMESPACE}/${APP_NAME}" + kubectl apply -n ${APP_NAMESPACE} -f ./release.yaml --validate=false > results.out + cat results.out + echo "Waiting for rollout of ${APP_NAMESPACE}/${APP_NAME}" + + + cat results.out | \ + grep -E "deployment|statefulset|integrationserver|queuemanager" | \ + sed "s/deployment.apps/deployment/g" | \ + sed "s/statefulset.apps/statefulset/g" | \ + sed "s/configured//g" | \ + sed "s/created//g" | \ + sed "s/unchanged//g" | while read target; do + echo "Waiting for rollout of ${target} in ${APP_NAMESPACE}" + if [[ ${target} == *"integrationserver"* ]]; then + kubectl wait --timeout=-1s --for=condition=Ready ${target} + elif [[ ${target} == *"queuemanager"* ]]; then + until [[ "$(kubectl get ${target} -o 'jsonpath={.status.phase}')" = "Running" ]]; + do + sleep 5 + echo "Waiting for Queuemanager to be ready." 
+ done + else + kubectl rollout status -n ${APP_NAMESPACE} ${target} + SERVICE_PORT=$(kubectl get svc "${APP_NAME}" -n "${APP_NAMESPACE}" -o jsonpath="{.spec.ports[?(@.name == 'http')].port}") + echo -n "${SERVICE_PORT}" | tee $(results.service-port.path) + fi + echo -n "${target}" | cut -f1 -d / | tee $(results.resource-type.path) + done + - name: health-check + image: $(params.tools-image) + script: | + #!/usr/bin/env bash + set -x + + URL="$(params.health-url)" + CURL_FLAGS="$(params.health-curl)" + + if [[ -z "${URL}" ]]; then + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + PROTOCOL="$(params.health-protocol)" + INGRESS_TYPE="$(params.deploy-ingress-type)" + HEALTH_ENDPOINT="$(params.health-endpoint)" + + echo "resource-type: $(params.resource-type)" + + if [[ "$(params.resource-type)" == *"integrationserver"* ]]; then + HOST=$(kubectl get route/${APP_NAME}-${PROTOCOL} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + elif [[ "${INGRESS_TYPE}" == "route" ]]; then + HOST=$(kubectl get route/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + else + HOST=$(kubectl get ingress/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.rules[0].host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="http" + fi + fi + + URL="${PROTOCOL}://${HOST}${HEALTH_ENDPOINT}" + + fi + + sleep_countdown=5 + # sleep for 10 seconds to allow enough time for the server to start + sleep 10 + echo "Health check start" + while [[ $(curl ${CURL_FLAGS} -sL -w "%{http_code}\\n" "${URL}" -o /dev/null --connect-timeout 3 --max-time 5 --retry 3 --retry-max-time 30) != "200" ]]; do + sleep 30 + echo "Health check failure. 
Remaining retries: $sleep_countdown" + sleep_countdown=$((sleep_countdown-1)) + if [[ $sleep_countdown -eq 0 ]]; then + echo "Could not reach health endpoint: ${URL}" + exit 1; + fi + done + echo "Successfully reached health endpoint: ${URL}" + echo "=====================================================================" + - name: cleanup + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAMESPACE="$(params.app-namespace)" + + kubectl delete -n ${APP_NAMESPACE} -f ./release.yaml diff --git a/mq/environments/ci/tasks/ibm-build-tag-push-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-build-tag-push-v2-6-13.yaml new file mode 100644 index 0000000..1efb718 --- /dev/null +++ b/mq/environments/ci/tasks/ibm-build-tag-push-v2-6-13.yaml 
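Review bot: `tools-image` is declared twice in `spec.params` (once after `deploy-ingress-type`, again after `health-curl`); as far as I recall Tekton rejects duplicate parameter names at validation, and if it did not the second default would silently win. Remove the second `- name: tools-image` entry. As in 4-smoke-tests-mq, the deploy step carries `securityContext: privileged: true` although it only runs helm, yq and kubectl, and `kubectl apply … --validate=false` skips schema validation of the rendered release. The health-check defaults `health-curl` to `-k`, which disables certificate verification for every probe unless a caller overrides it; default it to `""` and let runs against self-signed ingress opt in explicitly. The `# Using 'upgrade --install' …` comment describes a helm upgrade the script no longer performs — it renders with `helm template` and applies with kubectl — so it should be rewritten or dropped.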
@@ -0,0 +1,122 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-build-tag-push-v2-6-13 + annotations: + description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: BUILDER_IMAGE + default: quay.io/buildah/stable:v1.15.0 + - name: DOCKERFILE + default: ./Dockerfile + - name: CONTEXT + default: . + - name: TLSVERIFY + default: "false" + - name: FORMAT + default: "docker" + - name: STORAGE_DRIVER + description: Set buildah storage driver + default: overlay + volumes: + - name: varlibcontainers + emptyDir: {} + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: build + image: 
$(params.BUILDER_IMAGE) + workingDir: $(params.source-dir) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + - name: IBM_ENTITLED_REGISTRY_USER + valueFrom: + secretKeyRef: + name: ibm-entitled-registry-credentials + key: IBM_ENTITLED_REGISTRY_USER + optional: true + - name: IBM_ENTITLED_REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: ibm-entitled-registry-credentials + key: IBM_ENTITLED_REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + privileged: true + script: | + APP_IMAGE="$(params.image-server)/$(params.image-namespace)/$(params.image-repository):$(params.image-tag)" + if [[ -n "${IBM_ENTITLED_REGISTRY_USER}" ]] && [[ -n "${IBM_ENTITLED_REGISTRY_PASSWORD}" ]]; then + buildah login -u ${IBM_ENTITLED_REGISTRY_USER} -p ${IBM_ENTITLED_REGISTRY_PASSWORD} cp.icr.io + echo "buildah login -u "${IBM_ENTITLED_REGISTRY_USER}" -p "xxxxx" cp.icr.io" + fi + buildah --layers --storage-driver=$(params.STORAGE_DRIVER) bud --format=$(params.FORMAT) --tls-verify=$(params.TLSVERIFY) -f $(params.DOCKERFILE) -t ${APP_IMAGE} $(params.CONTEXT) + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "$(params.image-server)" != "image-registry.openshift-image-registry.svc:5000" ]]; then + buildah login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" "$(params.image-server)" + echo "buildah login -u "${REGISTRY_USER}" -p "xxxxx" "$(params.image-server)"" + fi + set -x + buildah --storage-driver=$(params.STORAGE_DRIVER) push --tls-verify=$(params.TLSVERIFY) --digestfile ./image-digest ${APP_IMAGE} docker://${APP_IMAGE} 
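Review bot: The first `buildah login -u ${IBM_ENTITLED_REGISTRY_USER} -p ${IBM_ENTITLED_REGISTRY_PASSWORD} cp.icr.io` runs before `set +x`, so whenever the shell traces commands (the later `set +x`/`set -x` pair shows the author expects tracing to be on) the entitled-registry password is written to the step log, and the masked `echo … -p "xxxxx"` line right after it masks nothing. Move `set +x` above the first login and pass both passwords on stdin rather than argv so they also stay out of the process list: `echo "${IBM_ENTITLED_REGISTRY_PASSWORD}" | buildah login -u "${IBM_ENTITLED_REGISTRY_USER}" --password-stdin cp.icr.io`. `TLSVERIFY` defaults to `"false"`, which turns off certificate verification for the base-image pull and the push on every run; default it to `"true"` and have only runs targeting the internal registry override it. Since the script has no shebang, `[[ … ]]` depends on the image's `/bin/sh` being bash-compatible — add `#!/usr/bin/env bash` (or use `[ … ]`) to make that explicit.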
diff --git a/mq/environments/ci/tasks/ibm-helm-release-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-helm-release-v2-6-13.yaml new file mode 100644 index 0000000..29ae550 --- /dev/null +++ b/mq/environments/ci/tasks/ibm-helm-release-v2-6-13.yaml 
@@ -0,0 +1,289 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-helm-release-v2-6-13 + annotations: + description: Publishes the helm chart to the helm repository using the version provided in the image-url + app.openshift.io/description: Publishes the helm chart to the helm repository using the version provided in the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-url + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: helm-curl + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: helm-url + description: The url of the helm repository + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: package-helm + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + 
valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + - name: ARTIFACTORY_URL + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_URL + optional: true + - name: ARTIFACTORY_USER + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_USER + optional: true + - name: ARTIFACTORY_ENCRYPT + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_ENCRYPT + optional: true + - name: ARTIFACTORY_REPOSITORY_KEY + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_REPOSITORY_KEY + optional: true + - name: HELM_URL + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_URL + optional: true + - name: HELM_USER + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_USER + optional: true + - name: HELM_PASSWORD + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_PASSWORD + optional: true + securityContext: + privileged: true + script: | + #!/usr/bin/env bash + set -ex + + CURL_FLAGS="$(params.helm-curl)" + + echo "1. Package Helm Chart" + + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + + IMAGE_SERVER="$(echo "$(params.image-url)" | awk -F / '{print $1}')" + IMAGE_NAMESPACE="$(echo "$(params.image-url)" | awk -F / '{print $2}')" + IMAGE_REPOSITORY="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}')" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="${IMAGE_REPOSITORY}" + fi + + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + export CHART=$(find . 
-name Chart*.yaml) + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + echo "" + echo "Chart ${CHART_PATH}" + cat ${CHART_PATH}/Chart.yaml + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + + echo "2. 
Publish Helm Chart" + + if [[ -z "${HELM_URL}" ]] && [[ -z "${HELM_USER}" ]]; then + if [[ -z "${ARTIFACTORY_URL}" ]]; then + echo "It looks like Artifactory has not been installed (ARTIFACTORY_URL from artifactory-acess secret is missing). Skipping step." + exit 0 + fi + + set +x + if [[ -z "${ARTIFACTORY_USER}" ]]; then + echo "Something's wrong... The Artifactory url is configured but the Artifactory credentials cannot be found. Check your artifactory-access secret." + exit 1 + fi + + if [[ -z "${ARTIFACTORY_ENCRYPT}" ]]; then + echo "It looks like your Artifactory installation is not complete. Please complete the steps found here - http://ibm.biz/complete-setup" + exit 1 + fi + + HELM_USER="${ARTIFACTORY_USER}" + set +x + HELM_PASSWORD="${ARTIFACTORY_ENCRYPT}" + set -x + + if [[ -z "${ARTIFACTORY_REPOSITORY_KEY}" ]]; then + ARTIFACTORY_REPOSITORY_KEY="generic-local" + fi + + if [[ -z "${HELM_URL}" ]]; then + HELM_URL="${ARTIFACTORY_URL}/artifactory/${ARTIFACTORY_REPOSITORY_KEY}" + fi + + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + export CHART_NAME="${APP_NAME}" + echo "CHART_NAME: $CHART_NAME" + + CHART_PATH="${CHART_ROOT}/${CHART_NAME}" + + helm dep update "${CHART_PATH}" + + # Package Helm Chart + helm package --version ${IMAGE_VERSION} ${CHART_PATH} + + # Get the index and re index it with current Helm Chart + set +x + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -O ${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -O "${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + set -x + + apiVersion=$(grep apiVersion ./index.yaml | sed -E "s/apiVersion: (.*)/\1/g") + if [[ $(cat index.yaml | jq '.errors[0].status') != "404" ]] && [[ -n "${apiVersion}" ]]; then + # Merge the chart index with the current index.yaml held in Artifactory + echo "Merging Chart into index.yaml for Chart Repository" + helm repo index . 
--url ${HELM_URL}/${IMAGE_NAMESPACE} --merge index.yaml + else + # Dont Merge this is first time one is being created + echo "Creating a new index.yaml for Chart Repository" + rm index.yaml + helm repo index . --url ${HELM_URL}/${IMAGE_NAMESPACE} + fi; + + # Persist the Helm Chart in Helm repo for us by ArgoCD + set +x + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -s -T ${CHART_NAME}-${IMAGE_VERSION}.tgz ${HELM_URL}/${IMAGE_NAMESPACE}/${CHART_NAME}-${IMAGE_VERSION}.tgz" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T ${CHART_NAME}-${IMAGE_VERSION}.tgz "${HELM_URL}/${IMAGE_NAMESPACE}/${CHART_NAME}-${IMAGE_VERSION}.tgz" + + # Persist the Helm Index in the helm repo for us by ArgoCD + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -s -T index.yaml ${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T index.yaml "${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + + echo -n "${HELM_URL}/${IMAGE_NAMESPACE}" | tee $(results.helm-url.path) diff --git a/mq/environments/ci/tasks/ibm-img-release-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-img-release-v2-6-13.yaml new file mode 100644 index 0000000..aeaf365 --- /dev/null +++ b/mq/environments/ci/tasks/ibm-img-release-v2-6-13.yaml 
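Review bot: The package-helm step sets `securityContext: privileged: true` although it only runs helm, yq, jq and curl against the cloned source, so the privilege is unnecessary for what the step does and should be dropped; the same applies to the image-tag step of ibm-img-release-v2-6-13 and the trivy-pull step of ibm-img-scan-v2-6-13, both of which only run `skopeo copy` and do not appear to need a privileged container either. Separately, the two upload calls `curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T ...` run without `--fail`, so an HTTP 401/403/5xx response is not a curl error and `set -e` does not stop the step; the task then writes the helm-url result as if the chart had been published. Adding `--fail` to the two `-T` calls (not to the initial `-O` fetch, whose 404 is expected on a first publish and handled below it) makes a rejected upload fail the task. The `-u user:password` form also places the password on the process command line; `--netrc-file` with a file written while tracing is off keeps it out of the process list.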
@@ -0,0 +1,79 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-img-release-v2-6-13 + annotations: + description: Tags the git repository and releases the intermediate container image with the version tag + app.openshift.io/description: Tags the git repository and releases the intermediate container image with the version tag + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: image-from + default: "" + - name: image-to + default: "" + - name: SKOPEO_IMAGE + default: quay.io/containers/skopeo:v1.1.0 + - name: IMAGE_FROM_TLS_VERIFY + default: "true" + - name: IMAGE_TO_TLS_VERIFY + default: "true" + results: + - name: image-url + description: The url of the image to be pushed + volumes: + - name: varlibcontainers + emptyDir: {} + steps: + - name: image-tag + image: $(params.SKOPEO_IMAGE) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + privileged: true + script: | + IMAGE_FROM="$(params.image-from)" + REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}') + IMAGE_TO="$(params.image-to)" + REGISTRY_SERVER_TO=$(echo "${IMAGE_TO}" | awk -F / '{print $1}') + IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY) + IMAGE_TO_TLS_VERIFY=$(params.IMAGE_TO_TLS_VERIFY) + + echo "Tagging ${IMAGE_FROM} as ${IMAGE_TO}" + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ ! "${REGISTRY_SERVER_FROM}" =~ ":" ]]; then + IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ ! 
"${REGISTRY_SERVER_TO}" =~ ":" ]]; then + IMAGE_TO_CREDS="--dest-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + set -x + if [[ "${REGISTRY_SERVER_FROM}" =~ ":" ]]; then + IMAGE_FROM_TLS_VERIFY="false" + fi + if [[ "${REGISTRY_SERVER_TO}" =~ ":" ]]; then + IMAGE_TO_TLS_VERIFY="false" + fi + + echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} --dest-creds=xxxx --dest-tls-verify=${IMAGE_TO_TLS_VERIFY} docker://${IMAGE_FROM} docker://${IMAGE_TO}" + set +x + skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} ${IMAGE_TO_CREDS} --dest-tls-verify=${IMAGE_TO_TLS_VERIFY} docker://${IMAGE_FROM} docker://${IMAGE_TO} + set -x + echo -n "${IMAGE_TO}" | tee $(results.image-url.path) \ No newline at end of file diff --git a/mq/environments/ci/tasks/ibm-img-scan-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-img-scan-v2-6-13.yaml new file mode 100644 index 0000000..5076beb --- /dev/null +++ b/mq/environments/ci/tasks/ibm-img-scan-v2-6-13.yaml 
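Review bot: The `=~ ":"` tests in the image-tag script disable TLS verification and withhold the registry credentials for every registry whose host part contains a colon, i.e. any registry addressed with an explicit port, not only the in-cluster `image-registry.openshift-image-registry.svc:5000`. A release push to an external registry on a non-default port therefore runs with `--dest-tls-verify=false` and without `--dest-creds`, and the same happens on the source side. The sibling ibm-img-scan-v2-6-13 task already compares the host against the exact internal registry name for its credential check; the same comparison fits here, e.g. `[[ "${REGISTRY_SERVER_TO}" != "image-registry.openshift-image-registry.svc:5000" ]]` in place of `[[ ! "${REGISTRY_SERVER_TO}" =~ ":" ]]`, for both the credential and the TLS conditions. Passing `--src-creds`/`--dest-creds` also places the password on the skopeo command line; `--src-authfile`/`--dest-authfile` pointing at a file written while tracing is off avoids that.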
@@ -0,0 +1,181 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-img-scan-v2-6-13 + annotations: + description: Runs an image scan with Trivy or IBM VA and fails the build if issues are found. + app.openshift.io/description: Runs an image scan with Trivy or IBM VA and fails the build if issues are found. + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: image-url + description: "The location of image to scan on IBM Container Registry //:" + - name: scan-trivy + description: Flag indicating that a scan should be performed with Trivy + default: "false" + - name: scan-ibm + description: Flag indicating that a scan should be performed with IBM VA + default: "false" + - name: SKOPEO_IMAGE + default: quay.io/containers/skopeo:v1.1.0 + - name: IMAGE_FROM_TLS_VERIFY + default: "false" + - name: TRIVY_IMAGE + default: quay.io/ibmgaragecloud/aquasec-trivy + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: oci-image + emptyDir: {} + steps: + - name: trivy-pull + image: $(params.SKOPEO_IMAGE) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/oci + name: oci-image + securityContext: + privileged: true + script: | + set -ex + PERFORM_SCAN="$(params.scan-trivy)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." 
+ exit 0 + fi + IMAGE_FROM=$(params.image-url) + REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}') + IMAGE_TO="oci:/var/oci/image" + IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY) + echo "Tagging ${IMAGE_FROM} as ${IMAGE_TO}" + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "${REGISTRY_SERVER_FROM}" != "image-registry.openshift-image-registry.svc:5000" ]]; then + IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + set -x + if [ "${REGISTRY_SERVER_FROM}" =~ ":" ]; then + IMAGE_FROM_TLS_VERIFY="false" + fi + echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO}" + set +x + skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO} + - name: trivy-scan + image: $(params.TRIVY_IMAGE) + volumeMounts: + - mountPath: /var/oci + name: oci-image + script: | + set -ex + PERFORM_SCAN="$(params.scan-trivy)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." + exit 0 + fi + PATH_TO_IMAGE="/var/oci/image" + echo -e "Trivy Security Scan image in registry" + trivy image --exit-code 0 --input ${PATH_TO_IMAGE} + trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE} + my_exit_code=$? + echo "Scan exit code :--- $my_exit_code" + if [ ${my_exit_code} == 1 ]; then + echo "Trivy scanning completed. CRITICAL Vulnerabilities found." + exit 1 + else + echo "Trivy scanning completed. CRITICAL vulnerabilities not found." 
+ fi + - name: ibm-scan + image: $(params.tools-image) + env: + - name: HOME + value: /home/devops + - name: IBM_CLOUD_APIKEY + valueFrom: + secretKeyRef: + key: APIKEY + name: ibmcloud-apikey + optional: true + - name: IBM_CLOUD_REGION + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: REGION + optional: true + script: | + #!/usr/bin/env bash + set -ex + PERFORM_SCAN="$(params.scan-ibm)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Vulnerability Advisor validation." + exit 0 + fi + + IMAGE_URL=$(params.image-url) + REGISTRY_SERVER=$(echo $(params.image-url) | awk -F / '{print $1}') + + + + if [[ ! "${REGISTRY_SERVER}" =~ icr.io ]]; then + echo "The image is not stored in the IBM Cloud Image Registry. Skipping Vulnerability Advisor validation" + exit 0 + fi + + + echo -e "VA Security Scan image in registry" + + echo "Registry URL: ${REGISTRY_SERVER}" + + set +x + ibmcloud login --apikey ${IBM_CLOUD_APIKEY} -r ${IBM_CLOUD_REGION} + ibmcloud target -r ${IBM_CLOUD_REGION} + set -x + ibmcloud cr namespace-list + + echo "Getting the VA status of ${IMAGE_URL}" + + set +e + ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later" + retry=$? + while [ $retry -eq 0 ]; do + sleep 30 + echo "Trying again to see if scan is done" + ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later" + retry=$? 
+ done + set -e + ibmcloud cr va ${IMAGE_URL} --output json + echo "Saving results to va-result.json" + ibmcloud cr va ${IMAGE_URL} --output json > va-result.json + VA_STATUS=$(cat va-result.json | jq -r '.[].status') + + echo "VA scan status: ${VA_STATUS}" + + if [[ "${VA_STATUS}" == "OK" ]]; then + echo "VA - No Issues in the image" + exit 0 + elif [[ $(cat va-result.json | jq -r '.[].vulnerabilities | length') -gt 0 ]]; then + echo "VA Failure: $(cat va-result.json | jq -r '.[].vulnerabilities | length') vulnerabilities found in the image" + cat va-result.json | jq -r '.[].vulnerabilities' + exit 1 + elif [[ $(cat va-result.json | jq -r '.[].configuration_issues | length') -gt 0 ]]; then + echo "VA Warning - $(cat va-result.json | jq -r '.[].configuration_issues | length') configuration issues found in the image" + cat va-result.json | jq -r '.[].configuration_issues' + exit 0 + else + echo "VA Warning: non-OK status from Vulnerability Advisor ${VA_STATUS}" + cat va-result.json | jq -r '.[]' + fi \ No newline at end of file diff --git a/mq/environments/ci/tasks/ibm-java-maven-test-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-java-maven-test-v2-6-13.yaml new file mode 100644 index 0000000..f32a85a --- /dev/null +++ b/mq/environments/ci/tasks/ibm-java-maven-test-v2-6-13.yaml 
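Review bot: `if [ "${REGISTRY_SERVER_FROM}" =~ ":" ]; then` in the trivy-pull step uses the single-bracket test builtin, which does not support `=~`; the test reports a binary-operator error, the `if` is never taken (and `set -e` does not abort inside a condition), so IMAGE_FROM_TLS_VERIFY stays at the parameter default. That default is `"false"` here, unlike `"true"` in ibm-img-release-v2-6-13, so the image pulled for scanning is fetched without TLS verification from every registry. Change the test to `[[ "${REGISTRY_SERVER_FROM}" =~ ":" ]]` and consider `default: "true"` for IMAGE_FROM_TLS_VERIFY so that only the explicitly matched internal registry is exempted. In the trivy-scan step, `set -ex` means a non-zero exit from `trivy image --exit-code 1 --severity CRITICAL ...` terminates the script before `my_exit_code=$?` runs, so the reporting branch below it is unreachable; the build still fails, but the summary line is never printed.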
@@ -0,0 +1,124 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-java-maven-test-v2-6-13 + annotations: + description: Executes build, test, and sonarscan logic for a Java maven application + app.openshift.io/description: Executes build, test, and sonarscan logic for a Java maven application + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: app-name + default: "my-java-maven-app" + - name: maven-image + default: quay.io/ibmgaragecloud/maven:3.6.3-jdk-11-slim + - name: sonarqube-java-bin-path + default: target + - name: sonarqube-cli + default: quay.io/ibmgaragecloud/sonarsource-sonar-scanner-cli + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: build + image: $(params.maven-image) + workingDir: $(params.source-dir) + script: | + if [[ -f "./mvnw" ]]; then + ./mvnw package + else + mvn package + fi + - name: test + image: $(params.maven-image) + workingDir: $(params.source-dir) + script: | + if [[ -f "./mvnw" ]]; then + ./mvnw test + else + mvn test + fi + - 
name: sonar-scan + image: $(params.sonarqube-cli) + workingDir: $(params.source-dir) + env: + - name: SONAR_USER_HOME + value: $(params.source-dir) + - name: SONARQUBE_URL + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_URL + optional: true + - name: SONARQUBE_USER + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_USER + optional: true + - name: SONARQUBE_PASSWORD + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_PASSWORD + optional: true + script: | + APP_NAME=$(params.app-name) + SONARQUBE_JAVA_BINARIES_PATH="$(params.sonarqube-java-bin-path)" + + if ! command -v sonar-scanner &> /dev/null + then + echo "Skipping SonarQube step, no task defined" + exit 0 + fi + + if [ -n "${SONARQUBE_URL}" ]; then + + sonar-scanner \ + -Dsonar.login=${SONARQUBE_USER} \ + -Dsonar.password=${SONARQUBE_PASSWORD} \ + -Dsonar.host.url=${SONARQUBE_URL} \ + -Dsonar.projectKey=${APP_NAME} \ + -Dsonar.java.binaries=${SONARQUBE_JAVA_BINARIES_PATH} + + else + echo "Skipping Sonar Qube step for now but include" + fi \ No newline at end of file diff --git a/mq/environments/ci/tasks/ibm-setup-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-setup-v2-6-13.yaml new file mode 100644 index 0000000..73fd087 --- /dev/null +++ b/mq/environments/ci/tasks/ibm-setup-v2-6-13.yaml 
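Review bot: The sonar-scan step passes the SonarQube credentials as `-Dsonar.login=${SONARQUBE_USER} -Dsonar.password=${SONARQUBE_PASSWORD}` on the sonar-scanner command line, unquoted, so they are visible in the container's process list and are subject to word splitting if they contain whitespace. At minimum quote the expansions, `-Dsonar.login="${SONARQUBE_USER}"` and `-Dsonar.password="${SONARQUBE_PASSWORD}"`; recent sonar-scanner releases also read `SONAR_TOKEN` and `SONAR_HOST_URL` from the environment, which keeps the secret out of the command line entirely. The `-Dsonar.host.url=${SONARQUBE_URL}` and `-Dsonar.projectKey=${APP_NAME}` expansions should be quoted for the same reason.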
@@ -0,0 +1,280 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-setup-v2-6-13 + annotations: + description: Sets up the pipeline environment and generates/normalizes a number of param values + app.openshift.io/description: Sets up the pipeline environment and generates/normalizes a number of param values + app.openshift.io/vcs-ref: master + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + labels: + version: 2.6.13 +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: source-dir + default: /source + - name: image-url + description: The dev image (use image-release for released image) + default: "" + - name: image-server + description: The dev image registry server if params.image-url not provided + default: "" + - name: image-namespace + description: The dev image registry namespace if params.image-url not provided + default: "" + - name: image-repository + description: The dev image registry repository/imagename if params.image-url not provided + default: "" + - name: image-tag + description: The dev image registry tag if params.image-url not provided + default: "" + - name: image-release + description: The url of final released image + default: "" + - name: app-namespace + description: The openshift/kubernetes namespace to deploy dev app + default: "" + - name: app-name + description: The app name to be use in openshift/kuberentes deployment and helm chart + default: "" + - name: deploy-ingress-type + default: "route" + - name: health-protocol + default: "https" + - name: health-endpoint + description: Endpoint to check health after deployment, liberty uses / not /health + default: "/health" + - name: health-url + description: Override for health check url + default: "" + - name: health-curl + description: Override for health check curl flags + default: "-k" + - name: 
scan-image + description: Flag indicating that a Vulnerability Advisor scan should be performed + default: "false" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: js-image + default: quay.io/ibmgaragecloud/node:lts-stretch + - name: ace-project + description: Name of the ACE Toolkit project + default: "" + - name: lint-dockerfile + description: Flag indication that Dockerfile will be linted + default: "true" + results: + - name: git-url + - name: git-revision + - name: source-dir + - name: image-url + - name: image-server + - name: image-namespace + - name: image-repository + - name: image-tag + - name: image-release + - name: app-namespace + - name: app-name + - name: deploy-ingress-type + - name: health-protocol + - name: health-endpoint + - name: health-url + - name: health-curl + - name: tools-image + - name: js-image + - name: scan-image + - name: scan-trivy + - name: scan-ibm + - name: ace-project + - name: dockerfile-lint + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: REGISTRY_RELEASE_SERVER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_URL + optional: true + - name: REGISTRY_RELEASE_NAMESPACE + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_NAMESPACE + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" 
$(params.source-dir) + else + git clone $(params.git-url) $(params.source-dir) + fi + cd $(params.source-dir) + git checkout $(params.git-revision) + + # Results + # Defaults + echo -n "$(params.git-url)">$(results.git-url.path) + echo -n "$(git rev-parse --verify HEAD)">$(results.git-revision.path) + echo -n "$(params.source-dir)">$(results.source-dir.path) + echo -n "$(params.app-namespace)">$(results.app-namespace.path) + echo -n "$(params.app-name)">$(results.app-name.path) + echo -n "$(params.deploy-ingress-type)">$(results.deploy-ingress-type.path) + echo -n "$(params.health-protocol)">$(results.health-protocol.path) + echo -n "$(params.health-endpoint)">$(results.health-endpoint.path) + echo -n "$(params.health-url)">$(results.health-url.path) + echo -n "$(params.health-curl)">$(results.health-curl.path) + echo -n "$(params.tools-image)">$(results.tools-image.path) + echo -n "$(params.js-image)">$(results.js-image.path) + echo -n "$(params.ace-project)">$(results.ace-project.path) + + + REGISTRY_SERVER="$(params.image-server)" + REGISTRY_NAMESPACE="$(params.image-namespace)" + REGISTRY_REPOSITORY="$(params.image-repository)" + REGISTRY_TAG="$(params.image-tag)" + + if [[ -n "$(params.image-url)" ]]; then + REGISTRY_SERVER_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $1}') + if [[ -n "${REGISTRY_SERVER_VALUE}" ]]; then + REGISTRY_SERVER="${REGISTRY_SERVER_VALUE}" + fi + + REGISTRY_NAMESPACE_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $2}') + if [[ -n "${REGISTRY_NAMESPACE_VALUE}" ]]; then + if [[ "${REGISTRY_NAMESPACE_VALUE}" = '$NAMESPACE' ]]; then + REGISTRY_NAMESPACE=${NAMESPACE} + else + REGISTRY_NAMESPACE="${REGISTRY_NAMESPACE_VALUE}" + fi + fi + + REGISTRY_REPOSITORY_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}') + if [[ -n "${REGISTRY_REPOSITORY_VALUE}" ]]; then + REGISTRY_REPOSITORY="${REGISTRY_REPOSITORY_VALUE}" + fi + + REGISTRY_TAG_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | 
awk -F : '{print $2}') + if [[ -n "${REGISTRY_TAG_VALUE}" ]]; then + REGISTRY_TAG="${REGISTRY_TAG_VALUE}" + fi + fi + + if [[ -z "${REGISTRY_SERVER}" ]]; then + # Assume is internal + REGISTRY_SERVER="image-registry.openshift-image-registry.svc:5000" + fi + if [[ -z "${REGISTRY_NAMESPACE}" ]]; then + # Assume current k8s namespace + REGISTRY_NAMESPACE="${NAMESPACE}" + fi + if [[ -z "${REGISTRY_REPOSITORY}" ]]; then + # Assume repo dir is image repository/image-name + REGISTRY_REPOSITORY="$(basename $(echo -n $(git config --get remote.origin.url)) .git | tr '[:upper:]' '[:lower:]' | sed 's/_/-/g')" + fi + if [[ -z "${REGISTRY_TAG}" ]]; then + # Assume short git commit revision + REGISTRY_TAG="$(git rev-parse --verify HEAD --short)" + fi + echo -n "${REGISTRY_SERVER}">$(results.image-server.path) + echo -n "${REGISTRY_NAMESPACE}">$(results.image-namespace.path) + echo -n "${REGISTRY_REPOSITORY}">$(results.image-repository.path) + echo -n "${REGISTRY_TAG}">$(results.image-tag.path) + echo -n "${REGISTRY_SERVER}/${REGISTRY_NAMESPACE}/${REGISTRY_REPOSITORY}:${REGISTRY_TAG}">$(results.image-url.path) + + if [[ -z "$(params.app-namespace)" ]]; then + # Assume current namespace + echo -n "${NAMESPACE}">$(results.app-namespace.path) + fi + + if [[ -z "$(params.app-name)" ]]; then + # Assume image repository/name + echo -n "${REGISTRY_REPOSITORY}">$(results.app-name.path) + fi + + + if [[ -n "$(params.image-release)" ]]; then + REGISTRY_RELEASE_SERVER_VALUE=$(echo "$(params.image-release)" | awk -F / '{print $1}') + if [[ -n "${REGISTRY_RELEASE_SERVER_VALUE}" ]]; then + REGISTRY_RELEASE_SERVER="${REGISTRY_RELEASE_SERVER_VALUE}" + fi + + REGISTRY_RELEASE_NAMESPACE_VALUE=$(echo "$(params.image-release)" | awk -F / '{print $2}') + if [[ -n "${REGISTRY_RELEASE_NAMESPACE_VALUE}" ]]; then + if [[ "${REGISTRY_RELEASE_NAMESPACE_VALUE}" = '$NAMESPACE' ]]; then + REGISTRY_RELEASE_NAMESPACE=${NAMESPACE} + else + REGISTRY_RELEASE_NAMESPACE="${REGISTRY_RELEASE_NAMESPACE_VALUE}" + fi + 
elif [[ "${REGISTRY_RELEASE_SERVER}" = "image-registry.openshift-image-registry.svc:5000" ]]; then + REGISTRY_RELEASE_NAMESPACE=${NAMESPACE} + fi + fi + if [[ -z "${REGISTRY_RELEASE_NAMESPACE}" ]]; then + # Assume current k8s namespace + REGISTRY_RELEASE_NAMESPACE="${NAMESPACE}" + fi + if [[ -z "${REGISTRY_RELEASE_SERVER}" ]]; then + # Assume internal registry + REGISTRY_RELEASE_SERVER="image-registry.openshift-image-registry.svc:5000" + fi + REGISTRY_RELEASE_URL="${REGISTRY_RELEASE_SERVER}/${REGISTRY_RELEASE_NAMESPACE}/${REGISTRY_REPOSITORY}" + echo -n "${REGISTRY_RELEASE_URL}">$(results.image-release.path) + + PERFORM_SCAN="$(params.scan-image)" + PERFORM_SCAN_IBM="false" + PERFORM_SCAN_TRIVY="false" + if [[ "${PERFORM_SCAN}" == "true" ]]; then + echo "User selected to perform container image scanning" + if echo "$REGISTRY_RELEASE_URL" | grep 'icr.io'; then + echo "Using IBM Container registry, enabling scanning using VA" + PERFORM_SCAN_IBM="true" + else + echo "Not using IBM Container registry, enabling scanning using trivy" + PERFORM_SCAN_TRIVY="true" + fi + fi + + echo -n "${PERFORM_SCAN}">$(results.scan-image.path) + echo -n "${PERFORM_SCAN_TRIVY}">$(results.scan-trivy.path) + echo -n "${PERFORM_SCAN_IBM}">$(results.scan-ibm.path) + + if [[ -z "$(params.ace-project)" ]]; then + # Retrieve name of ACE Toolkit project + ACE_PROJECT=$(ls workspace || true) + echo -n "${ACE_PROJECT}">$(results.ace-project.path) + fi + + PERFORM_LINT="$(params.lint-dockerfile)" + echo -n "${PERFORM_LINT}">$(results.dockerfile-lint.path) + + for f in /tekton/results/*; do echo "results.$(basename $f)=$(cat $f)"; done \ No newline at end of file diff --git a/mq/environments/ci/tasks/ibm-tag-release-v2-6-13.yaml b/mq/environments/ci/tasks/ibm-tag-release-v2-6-13.yaml new file mode 100644 index 0000000..0519a83 --- /dev/null +++ b/mq/environments/ci/tasks/ibm-tag-release-v2-6-13.yaml 
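Review bot: The git-clone script has no `set -e`, so a failing `git clone` or `git checkout $(params.git-revision)` does not stop the step: the script goes on to write every result, including `git-revision` from whatever HEAD the clone left behind, and the step exits with the status of the final `for` loop. A pipeline run requesting a revision that does not exist would then build and release the clone's default HEAD instead of failing. Adding `set -e` directly after `set +x` at the top of the script (with `set -o pipefail` for the `git config ... | tr | sed` chain) makes the step fail at the first error. The other git-clone steps in this commit end with `git checkout`, so they surface the failure through the step's exit status; this one does not.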
@@ -0,0 +1,106 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-tag-release-v2-6-13 + annotations: + description: Tags the git repository with the next version release value + app.openshift.io/description: Tags the git repository with the next version release value + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: skip-push + default: "" + - name: js-image + default: quay.io/ibmgaragecloud/node:lts-stretch + results: + - name: tag + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + # Need to create branch to make release-it work + git switch -c local + - name: git-tag + image: $(params.js-image) + workingDir: $(params.source-dir) + script: | + #!/usr/bin/env bash + set -ex + + echo "Current branch: $(git rev-parse --abbrev-ref HEAD)" + git fetch --tags + git config --global user.email "cloud-native-toolkit@example.com" + git config --global user.name "Cloud Native Toolkit Pipeline" + if [[ 
$(git describe --tag `git rev-parse HEAD`) =~ (^[0-9]+.[0-9]+.[0-9]+$) ]]; then + echo "Latest commit is already tagged" + NEW_TAG="$(git describe --abbrev=0 --tags)" + echo -n "${NEW_TAG}" | tee $(results.tag.path) + exit 0 + fi + mkdir -p ~/.npm + npm config set prefix ~/.npm + export PATH=$PATH:~/.npm/bin + npm i -g release-it + + release-it patch \ + --ci \ + --no-npm \ + --no-git.push \ + --no-git.requireCleanWorkingDir \ + --no-git.requireUpstream \ + -VV + + if [[ -z "$(params.skip-push)" ]]; then + set +x + git push --tags -v + set -x + fi + + NEW_TAG="$(git describe --abbrev=0 --tags)" + if [[ -z "${NEW_TAG}" ]]; then + echo "Error: NEW_TAG not defined" + exit 1 + fi + echo -n "${NEW_TAG}" | tee $(results.tag.path) \ No newline at end of file diff --git a/mq/environments/ci/triggerbindings/cntk-binding.yaml b/mq/environments/ci/triggerbindings/cntk-binding.yaml new file mode 100644 index 0000000..372bb8b --- /dev/null +++ b/mq/environments/ci/triggerbindings/cntk-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerBinding +metadata: + labels: + app: cnkt-trigger-binding + name: cnkt-trigger-binding +spec: + params: + - name: gitrevision + value: $(body.head_commit.id) + - name: gitrepositoryurl + value: $(body.repository.url) diff --git a/mq/environments/ci/triggertemplates/mq-infra-dev.yaml b/mq/environments/ci/triggertemplates/mq-infra-dev.yaml new file mode 100644 index 0000000..a42a7c8 --- /dev/null +++ b/mq/environments/ci/triggertemplates/mq-infra-dev.yaml 
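Review bot: The git-clone step builds the clone URL as `<scheme>://${GIT_USERNAME}:${GIT_PASSWORD}@<host>`, so the token is written in clear text into `.git/config` on the `source` emptyDir, where the git-tag step's `git push --tags -v` reuses it; `set +x` hides the shell trace, but whether a verbose push echoes the remote URL depends on the git version inside `$(params.js-image)`, so the password may still reach the task log. Keep the remote URL credential-free and pass the token out-of-band instead (a `credential.helper`, or `http.extraHeader` carrying an Authorization header, supplied via `git -c` to just the clone and push commands). Two smaller points: `npm i -g release-it` installs whatever version is current at run time, making the tagging logic an unpinned supply-chain dependency, so use `npm i -g release-it@<pinned-version>`; and the tag regex `(^[0-9]+.[0-9]+.[0-9]+$)` leaves the dots unescaped, so `(^[0-9]+\.[0-9]+\.[0-9]+$)` is the intended check.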
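Review bot: `cnkt-trigger-binding` forwards `$(body.head_commit.id)` and `$(body.repository.url)` from the webhook payload straight into PipelineRun parameters, and nothing in this file restricts who may post that payload. The EventListener that references the binding is not part of this change, so it is worth confirming it pairs the binding with a `github` interceptor validating the webhook signature against a `secretRef` (and ideally a `cel` filter on the repository URL); otherwise any client that can reach the listener could start a pipeline that clones and builds an arbitrary repository. The `name` and `app` label spell the project `cnkt` while the file is `cntk-binding.yaml`, which will make the binding hard to find next to the other `cntk` resources.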
@@ -0,0 +1,25 @@ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerTemplate +metadata: + labels: + app: mq-infra-dev + name: mq-infra-dev +spec: + params: + - description: The git revision + name: gitrevision + - description: The git repository url + name: gitrepositoryurl + resourcetemplates: + - apiVersion: tekton.dev/v1beta1 + kind: PipelineRun + metadata: + generateName: mq-infra-dev- + spec: + params: + - name: git-url + value: $(tt.params.gitrepositoryurl) + - name: git-revision + value: $(tt.params.gitrevision) + pipelineRef: + name: mq-infra-dev diff --git a/mq/environments/ci/triggertemplates/mq-spring-app-dev.yaml b/mq/environments/ci/triggertemplates/mq-spring-app-dev.yaml new file mode 100644 index 0000000..59e5ee2 --- /dev/null +++ b/mq/environments/ci/triggertemplates/mq-spring-app-dev.yaml @@ -0,0 +1,25 @@ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerTemplate +metadata: + labels: + app: mq-spring-app-dev + name: mq-spring-app-dev +spec: + params: + - description: The git revision + name: gitrevision + - description: The git repository url + name: gitrepositoryurl + resourcetemplates: + - apiVersion: tekton.dev/v1beta1 + kind: PipelineRun + metadata: + generateName: mq-spring-app-dev- + spec: + params: + - name: git-url + value: $(tt.params.gitrepositoryurl) + - name: git-revision + value: $(tt.params.gitrevision) + pipelineRef: + name: mq-spring-app-dev diff --git a/mq/environments/dev/certificates/.keep b/mq/environments/dev/certificates/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/dev/certificates/dev-mq-client-certificate.sh b/mq/environments/dev/certificates/dev-mq-client-certificate.sh new file mode 100755 index 0000000..e36139f --- /dev/null +++ b/mq/environments/dev/certificates/dev-mq-client-certificate.sh 
@@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < dev-mq-client-certificate.yaml \ No newline at end of file diff --git a/mq/environments/dev/certificates/dev-mq-client-certificate.yaml_template b/mq/environments/dev/certificates/dev-mq-client-certificate.yaml_template new file mode 100644 index 0000000..8f36b88 --- /dev/null +++ b/mq/environments/dev/certificates/dev-mq-client-certificate.yaml_template @@ -0,0 +1,28 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: dev-mq-client-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + keystores: + jks: + create: true + passwordSecretRef: + key: KEY_STORE_PASSWORD + name: mq-client-jks-password + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-client-jks + subject: + organizations: + - ibm diff --git a/mq/environments/dev/certificates/dev-mq-server-certificate.sh b/mq/environments/dev/certificates/dev-mq-server-certificate.sh new file mode 100755 index 0000000..5155e6f --- /dev/null +++ b/mq/environments/dev/certificates/dev-mq-server-certificate.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < dev-mq-server-certificate.yaml \ No newline at end of file diff --git a/mq/environments/dev/certificates/dev-mq-server-certificate.yaml_template b/mq/environments/dev/certificates/dev-mq-server-certificate.yaml_template new file mode 100644 index 0000000..7da06ba --- /dev/null +++ b/mq/environments/dev/certificates/dev-mq-server-certificate.yaml_template 
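Review bot: `dev-mq-client-cert` is a `client auth` certificate, yet it is issued with `dnsNames` set to the wildcard `*.${CLUSTER_DOMAIN}`; a client certificate needs no DNS SAN, and this one lets any holder of `mq-client-jks` present itself as any host under the cluster base domain to a peer that trusts `selfsigned-mq-cluster-issuer`. Drop `dnsNames` from the client templates and identify the client through `commonName` instead, and narrow the server templates (`dev-mq-server-cert` in the next hunk) from `*.${CLUSTER_DOMAIN}` to the queue manager's actual hostnames. The `prod-` and `staging-` client and server templates later in this commit carry the same wildcard; the same change applies there.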
@@ -0,0 +1,22 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: dev-mq-server-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-server-cert + subject: + organizations: + - ibm diff --git a/mq/environments/dev/kustomization.yaml b/mq/environments/dev/kustomization.yaml new file mode 100644 index 0000000..1109c8b --- /dev/null +++ b/mq/environments/dev/kustomization.yaml @@ -0,0 +1,10 @@ +resources: +#- certificates/dev-mq-client-certificate.yaml +#- certificates/dev-mq-server-certificate.yaml +#- secrets/mq-client-jks-password-secret.yaml + +## NOTES: +## - mq-infra/* is explicitly not handled here as it is handled by +## /mq/config/argocd/dev/dev-mq-infra-instance.yaml +## - mq-spring-app/* is explicitly not handled here as it is handled by +## /mq/config/argocd/dev/dev-mq-spring-app-instance.yaml diff --git a/mq/environments/dev/mq-infra/.keep b/mq/environments/dev/mq-infra/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/dev/mq-spring-app/.keep b/mq/environments/dev/mq-spring-app/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/dev/secrets/mq-client-jks-password-secret.sh b/mq/environments/dev/secrets/mq-client-jks-password-secret.sh new file mode 100755 index 0000000..89c3f4d --- /dev/null +++ b/mq/environments/dev/secrets/mq-client-jks-password-secret.sh 
@@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Set variables +KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD:-mqclientdev} +SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets} +SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets} + +# Create Kubernetes Secret yaml +oc create secret generic mq-client-jks-password \ +--from-literal=KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD} \ +--dry-run=client -o yaml > delete-mq-client-jks-password-secret.yaml + +# Encrypt the secret using kubeseal and private key from the cluster +kubeseal -n dev --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-mq-client-jks-password-secret.yaml > mq-client-jks-password-secret.yaml + +# NOTE, do not check delete-mq-client-jks-password-secret.yaml into git! +rm delete-mq-client-jks-password-secret.yaml diff --git a/mq/environments/dev/secrets/mq-client-jks-password-secret.yaml b/mq/environments/dev/secrets/mq-client-jks-password-secret.yaml new file mode 100644 index 0000000..28702dc --- /dev/null +++ b/mq/environments/dev/secrets/mq-client-jks-password-secret.yaml @@ -0,0 +1,16 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: mq-client-jks-password +spec: + encryptedData: + KEY_STORE_PASSWORD: REPLACE + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: mq-client-jks-password \ No newline at end of file diff --git a/mq/environments/prod/certificates/.keep b/mq/environments/prod/certificates/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/prod/certificates/prod-mq-client-certificate.sh b/mq/environments/prod/certificates/prod-mq-client-certificate.sh new file mode 100755 index 0000000..2f4ac5d --- /dev/null +++ b/mq/environments/prod/certificates/prod-mq-client-certificate.sh 
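Review bot: The committed `mq-client-jks-password-secret.yaml` is annotated `sealedsecrets.bitnami.com/cluster-wide: "true"`, but the generating script seals with `kubeseal -n dev` and no `--scope cluster-wide`, so the regenerated file will be sealed strictly to `dev` and, since the input secret carries no annotations, should not contain that annotation at all; the placeholder misleads, and the namespace-bound scope is the one to keep, so drop the annotation rather than adding the scope flag. Separately, `KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD:-mqclientdev}` seals a well-known default into git whenever the variable is forgotten — tolerable at most for dev, but the prod and staging scripts do the same with `mqclientprod` and `mqclientstaging`; there, replace the default with `: "${KEY_STORE_PASSWORD:?KEY_STORE_PASSWORD must be set}"`. Both points apply equally to the staging and prod `mq-client-jks-password-secret.sh`/`.yaml` pairs further down. `SEALED_SECRET_CONTOLLER_NAME` is misspelled (`CONTROLLER`) in all three scripts, so anyone exporting the correctly spelled variable will silently get the default.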
@@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < prod-mq-client-certificate.yaml \ No newline at end of file diff --git a/mq/environments/prod/certificates/prod-mq-client-certificate.yaml_template b/mq/environments/prod/certificates/prod-mq-client-certificate.yaml_template new file mode 100644 index 0000000..7cedf1a --- /dev/null +++ b/mq/environments/prod/certificates/prod-mq-client-certificate.yaml_template @@ -0,0 +1,28 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: prod-mq-client-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + keystores: + jks: + create: true + passwordSecretRef: + key: KEY_STORE_PASSWORD + name: mq-client-jks-password + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-client-jks + subject: + organizations: + - ibm diff --git a/mq/environments/prod/certificates/prod-mq-server-certificate.sh b/mq/environments/prod/certificates/prod-mq-server-certificate.sh new file mode 100755 index 0000000..8a360af --- /dev/null +++ b/mq/environments/prod/certificates/prod-mq-server-certificate.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < prod-mq-server-certificate.yaml diff --git a/mq/environments/prod/certificates/prod-mq-server-certificate.yaml_template b/mq/environments/prod/certificates/prod-mq-server-certificate.yaml_template new file mode 100644 index 0000000..356c8d1 --- /dev/null +++ b/mq/environments/prod/certificates/prod-mq-server-certificate.yaml_template 
@@ -0,0 +1,22 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: prod-mq-server-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-server-cert + subject: + organizations: + - ibm diff --git a/mq/environments/prod/kustomization.yaml b/mq/environments/prod/kustomization.yaml new file mode 100644 index 0000000..ae40aad --- /dev/null +++ b/mq/environments/prod/kustomization.yaml @@ -0,0 +1,10 @@ +resources: +#- certificates/prod-mq-client-certificate.yaml +#- certificates/prod-mq-server-certificate.yaml +#- secrets/mq-client-jks-password-secret.yaml + +## NOTES: +## - mq-infra/* is explicitly not handled here as it is handled by +## /mq/config/argocd/prod/prod-mq-infra-instance.yaml +## - mq-spring-app/* is explicitly not handled here as it is handled by +## /mq/config/argocd/prod/prod-mq-spring-app-instance.yaml diff --git a/mq/environments/prod/mq-infra/.keep b/mq/environments/prod/mq-infra/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/prod/mq-spring-app/.keep b/mq/environments/prod/mq-spring-app/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/prod/secrets/mq-client-jks-password-secret.sh b/mq/environments/prod/secrets/mq-client-jks-password-secret.sh new file mode 100755 index 0000000..05a4959 --- /dev/null +++ b/mq/environments/prod/secrets/mq-client-jks-password-secret.sh 
@@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Set variables +KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD:-mqclientprod} +SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets} +SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets} + +# Create Kubernetes Secret yaml +oc create secret generic mq-client-jks-password \ +--from-literal=KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD} \ +--dry-run=client -o yaml > delete-mq-client-jks-password-secret.yaml + +# Encrypt the secret using kubeseal and private key from the cluster +kubeseal -n prod --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-mq-client-jks-password-secret.yaml > mq-client-jks-password-secret.yaml + +# NOTE, do not check delete-mq-client-jks-password-secret.yaml into git! +rm delete-mq-client-jks-password-secret.yaml diff --git a/mq/environments/prod/secrets/mq-client-jks-password-secret.yaml b/mq/environments/prod/secrets/mq-client-jks-password-secret.yaml new file mode 100644 index 0000000..28702dc --- /dev/null +++ b/mq/environments/prod/secrets/mq-client-jks-password-secret.yaml @@ -0,0 +1,16 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: mq-client-jks-password +spec: + encryptedData: + KEY_STORE_PASSWORD: REPLACE + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: mq-client-jks-password \ No newline at end of file diff --git a/mq/environments/staging/certificates/staging-mq-client-certificate.sh b/mq/environments/staging/certificates/staging-mq-client-certificate.sh new file mode 100755 index 0000000..fbc9f84 --- /dev/null +++ b/mq/environments/staging/certificates/staging-mq-client-certificate.sh 
@@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < staging-mq-client-certificate.yaml \ No newline at end of file diff --git a/mq/environments/staging/certificates/staging-mq-client-certificate.yaml_template b/mq/environments/staging/certificates/staging-mq-client-certificate.yaml_template new file mode 100644 index 0000000..66e3ec5 --- /dev/null +++ b/mq/environments/staging/certificates/staging-mq-client-certificate.yaml_template @@ -0,0 +1,28 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: staging-mq-client-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - client auth + keystores: + jks: + create: true + passwordSecretRef: + key: KEY_STORE_PASSWORD + name: mq-client-jks-password + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-client-jks + subject: + organizations: + - ibm diff --git a/mq/environments/staging/certificates/staging-mq-server-certificate.sh b/mq/environments/staging/certificates/staging-mq-server-certificate.sh new file mode 100755 index 0000000..32daa23 --- /dev/null +++ b/mq/environments/staging/certificates/staging-mq-server-certificate.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < staging-mq-server-certificate.yaml diff --git a/mq/environments/staging/certificates/staging-mq-server-certificate.yaml_template b/mq/environments/staging/certificates/staging-mq-server-certificate.yaml_template new file mode 100644 index 0000000..d9b601a --- /dev/null +++ b/mq/environments/staging/certificates/staging-mq-server-certificate.yaml_template 
@@ -0,0 +1,22 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: staging-mq-server-cert +spec: + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-mq-cluster-issuer + secretName: mq-server-cert + subject: + organizations: + - ibm diff --git a/mq/environments/staging/kustomization.yaml b/mq/environments/staging/kustomization.yaml new file mode 100644 index 0000000..76bceed --- /dev/null +++ b/mq/environments/staging/kustomization.yaml @@ -0,0 +1,10 @@ +resources: +#- certificates/staging-mq-client-certificate.yaml +#- certificates/staging-mq-server-certificate.yaml +#- secrets/mq-client-jks-password-secret.yaml + +## NOTES: +## - mq-infra/* is explicitly not handled here as it is handled by +## /mq/config/argocd/staging/staging-mq-infra-instance.yaml +## - mq-spring-app/* is explicitly not handled here as it is handled by +## /mq/config/argocd/staging/staging-mq-spring-app-instance.yaml diff --git a/mq/environments/staging/mq-infra/.keep b/mq/environments/staging/mq-infra/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/staging/mq-spring-app/.keep b/mq/environments/staging/mq-spring-app/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/staging/secrets/mq-client-jks-password-secret.sh b/mq/environments/staging/secrets/mq-client-jks-password-secret.sh new file mode 100755 index 0000000..79e229c --- /dev/null +++ b/mq/environments/staging/secrets/mq-client-jks-password-secret.sh 
@@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Set variables +KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD:-mqclientstaging} +SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets} +SEALED_SECRET_CONTOLLER_NAME=${SEALED_SECRET_CONTOLLER_NAME:-sealed-secrets} + +# Create Kubernetes Secret yaml +oc create secret generic mq-client-jks-password \ +--from-literal=KEY_STORE_PASSWORD=${KEY_STORE_PASSWORD} \ +--dry-run=client -o yaml > delete-mq-client-jks-password-secret.yaml + +# Encrypt the secret using kubeseal and private key from the cluster +kubeseal -n staging --controller-name=${SEALED_SECRET_CONTOLLER_NAME} --controller-namespace=${SEALED_SECRET_NAMESPACE} -o yaml < delete-mq-client-jks-password-secret.yaml > mq-client-jks-password-secret.yaml + +# NOTE, do not check delete-mq-client-jks-password-secret.yaml into git! +rm delete-mq-client-jks-password-secret.yaml diff --git a/mq/environments/staging/secrets/mq-client-jks-password-secret.yaml b/mq/environments/staging/secrets/mq-client-jks-password-secret.yaml new file mode 100644 index 0000000..28702dc --- /dev/null +++ b/mq/environments/staging/secrets/mq-client-jks-password-secret.yaml @@ -0,0 +1,16 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: mq-client-jks-password +spec: + encryptedData: + KEY_STORE_PASSWORD: REPLACE + template: + metadata: + annotations: + sealedsecrets.bitnami.com/cluster-wide: "true" + creationTimestamp: null + name: mq-client-jks-password \ No newline at end of file diff --git a/mq/environments/tools/certificates/.keep b/mq/environments/tools/certificates/.keep new file mode 100644 index 0000000..e69de29 diff --git a/mq/environments/tools/certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.sh b/mq/environments/tools/certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.sh new file mode 100755 index 0000000..bfb3088 --- /dev/null 
+++ b/mq/environments/tools/certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +CLUSTER_DOMAIN=$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + +# Create Kubernetes Secret yaml +( echo "cat < mq-self-signed-ca-certificate.yaml \ No newline at end of file diff --git a/mq/environments/tools/certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.yaml_template b/mq/environments/tools/certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.yaml_template new file mode 100644 index 0000000..96f8c57 --- /dev/null +++ b/mq/environments/tools/certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.yaml_template @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mq-self-signed-ca-cert + annotations: + argocd.argoproj.io/sync-wave: "260" + labels: + gitops.tier.group: cntk +spec: + commonName: any.common.name + isCA: true + dnsNames: + - >- + *.${CLUSTER_DOMAIN} + secretName: mq-self-signed-ca-cert + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned-cluster-issuer diff --git a/mq/environments/tools/cluster-issuers/mq-selfsigned-clusterissuer/mq-self-signed-clusterissuer.yaml b/mq/environments/tools/cluster-issuers/mq-selfsigned-clusterissuer/mq-self-signed-clusterissuer.yaml new file mode 100644 index 0000000..bf60443 --- /dev/null +++ b/mq/environments/tools/cluster-issuers/mq-selfsigned-clusterissuer/mq-self-signed-clusterissuer.yaml @@ -0,0 +1,11 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-mq-cluster-issuer + annotations: + argocd.argoproj.io/sync-wave: "265" + labels: + gitops.tier.group: cntk +spec: + ca: + secretName: mq-self-signed-ca-cert diff --git a/mq/environments/tools/cluster-issuers/selfsigned-clusterissuer/clusterissuer.yaml b/mq/environments/tools/cluster-issuers/selfsigned-clusterissuer/clusterissuer.yaml new file mode 100644 index 0000000..b4a436f 
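Review bot: `selfsigned-mq-cluster-issuer` points at `ca.secretName: mq-self-signed-ca-cert`, but a ClusterIssuer resolves its CA secret in cert-manager's cluster resource namespace (the cert-manager namespace unless `--cluster-resource-namespace` is changed), whereas the Certificate that creates that secret carries no `metadata.namespace` and appears to be deployed with the `tools` environment; unless that namespace is configured as the cluster resource namespace, the issuer will report the secret missing. Confirm where the Certificate lands, or set `metadata.namespace` on it to the cluster resource namespace. A CA certificate also needs no `dnsNames`, and `*.${CLUSTER_DOMAIN}` on the root that signs every environment's client and server certificates (prod included) adds nothing but a very broad SAN — drop it and give the CA a descriptive `commonName` in place of `any.common.name`. An explicit `duration` on this CA is worth considering too, since all leaf certificates across `dev`, `staging` and `prod` chain to it and its default lifetime governs their trust.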
--- /dev/null +++ b/mq/environments/tools/cluster-issuers/selfsigned-clusterissuer/clusterissuer.yaml @@ -0,0 +1,10 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-cluster-issuer + annotations: + argocd.argoproj.io/sync-wave: "255" + labels: + gitops.tier.group: cntk +spec: + selfSigned: {} diff --git a/mq/environments/tools/kustomization.yaml b/mq/environments/tools/kustomization.yaml new file mode 100644 index 0000000..6dac477 --- /dev/null +++ b/mq/environments/tools/kustomization.yaml @@ -0,0 +1,4 @@ +resources: +#- certificates/mq-selfsigned-certificate/mq-self-signed-ca-certificate.yaml +#- cluster-issuers/mq-selfsigned-clusterissuer/mq-self-signed-clusterissuer.yaml +#- cluster-issuers/selfsigned-clusterissuer/clusterissuer.yaml \ No newline at end of file diff --git a/pm/config/argocd/classic/pm-prod-instance-app.yaml b/pm/config/argocd/classic/pm-prod-instance-app.yaml new file mode 100644 index 0000000..d2a755c --- /dev/null +++ b/pm/config/argocd/classic/pm-prod-instance-app.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pm-prod-instance + annotations: + argocd.argoproj.io/sync-wave: "300" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: prod + server: https://kubernetes.default.svc + project: applications + source: + path: pm/environments/classic + repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git + targetRevision: master + syncPolicy: {} diff --git a/pm/config/argocd/prod/pm-prod-instance-app.yaml b/pm/config/argocd/prod/pm-prod-instance-app.yaml new file mode 100644 index 0000000..4bf99d1 --- /dev/null +++ b/pm/config/argocd/prod/pm-prod-instance-app.yaml 
@@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pm-prod-instance + annotations: + argocd.argoproj.io/sync-wave: "300" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: prod + server: https://kubernetes.default.svc + project: applications + source: + path: pm/environments/prod + repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git + targetRevision: master + syncPolicy: {} diff --git a/pm/environments/classic/ibm-process-mining-prod.yaml b/pm/environments/classic/ibm-process-mining-prod.yaml new file mode 100644 index 0000000..0601977 --- /dev/null +++ b/pm/environments/classic/ibm-process-mining-prod.yaml @@ -0,0 +1,37 @@ +apiVersion: processmining.ibm.com/v1beta1 +kind: ProcessMining +metadata: + name: process-mining-prod + namespace: prod +spec: + defaultStorageClassName: ibmc-file-gold-gid + license: + accept: true + cloudPak: IBM Cloud Pak for Business Automation + loglevel: INFO + processmining: + images: + imagepullpolicy: Always + storage: + database: + create: true + name: processmining-mongo + size: '10' + events: + create: true + name: processmining-repository + size: '50' + taskmining: + images: + imagepullpolicy: Always + install: true + storage: + database: + create: true + name: taskmining-mysql + size: '10' + events: + create: true + name: taskmining-data + size: '100' + version: 1.10.2 \ No newline at end of file diff --git a/pm/environments/prod/ibm-process-mining-prod.yaml b/pm/environments/prod/ibm-process-mining-prod.yaml new file mode 100644 index 0000000..fcd5649 --- /dev/null +++ b/pm/environments/prod/ibm-process-mining-prod.yaml 
@@ -0,0 +1,37 @@ +apiVersion: processmining.ibm.com/v1beta1 +kind: ProcessMining +metadata: + name: process-mining-prod + namespace: prod +spec: + defaultStorageClassName: ocs-storagecluster-cephfs + license: + accept: true + cloudPak: IBM Cloud Pak for Business Automation + loglevel: INFO + processmining: + images: + imagepullpolicy: Always + storage: + database: + create: true + name: processmining-mongo + size: '10' + events: + create: true + name: processmining-repository + size: '50' + taskmining: + images: + imagepullpolicy: Always + install: true + storage: + database: + create: true + name: taskmining-mysql + size: '10' + events: + create: true + name: taskmining-data + size: '100' + version: 1.10.2 \ No newline at end of file diff --git a/scripts/ace-bootstrap.sh b/scripts/ace-bootstrap.sh new file mode 100755 index 0000000..4e64912 --- /dev/null +++ b/scripts/ace-bootstrap.sh 
@@ -0,0 +1,107 @@ +#!/usr/bin/env bash + +set -eo pipefail + +SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +ROOTDIR="${SCRIPTDIR}/.." +[[ -n "${DEBUG:-}" ]] && set -x + +pushd () { + command pushd "$@" > /dev/null +} + +popd () { + command popd "$@" > /dev/null +} + + +if [ -z ${GIT_USER} ]; then echo "Please set GIT_USER when running script"; exit 1; fi + +if [ -z ${GIT_TOKEN} ]; then echo "Please set GIT_TOKEN when running script"; exit 1; fi + +if [ -z ${GIT_ORG} ]; then echo "Please set GIT_ORG when running script"; exit 1; fi + +SKIP_ARGO_REPLACE_GIT=${SKIP_ARGO_REPLACE_GIT:-true} +SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets} +GIT_HOST=${GIT_HOST:-github.com} +GIT_BASEURL=${GIT_BASEURL-https://${GIT_HOST}} +GIT_GITOPS_APPLICATIONS=${GIT_GITOPS_APPLICATIONS:-multi-tenancy-gitops-apps} +GIT_GITOPS_APPLICATIONS_BRANCH=${GIT_GITOPS_APPLICATIONS_BRANCH:-master} +GIT_ACE_APP=${GIT_ACE_APP:-ace-customer-details} + + +wait_kubeseal_ready () { + while ! 
oc wait pod --timeout=-1s --for=condition=Ready -l '!job-name' -n ${SEALED_SECRET_NAMESPACE} > /dev/null; do sleep 30; done +} + +ace_git_pull () { + pushd $ROOTDIR + git pull + popd +} +ace_kubeseal_git () { + pushd $ROOTDIR/ace/environments/ci/secrets + source git-credentials-secret.sh + popd +} + +ace_gitops_repo_cm () { + pushd $ROOTDIR/ace/environments/ci/configmaps + source gitops-repo-configmap.sh + popd +} + +ace_update_git () { + + find ${ROOTDIR}/ace/environments -name '*.yaml' -print0 | + while IFS= read -r -d '' File; do + echo "Processing $File" + sed -i'.bak' -e "s#https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git#${GIT_BASEURL}/${GIT_ORG}/${GIT_GITOPS_APPLICATIONS}#" $File + sed -i'.bak' -e "s#https://github.com/cloud-native-toolkit-demos/ace-customer-details.git#${GIT_BASEURL}/${GIT_ORG}/${GIT_ACE_APP}#" $File + rm "${File}.bak" + done + + if [[ "${SKIP_ARGO_REPLACE_GIT}" == "false" ]]; then + find ${ROOTDIR}/ace/config/argocd -name '*.yaml' -print0 | + while IFS= read -r -d '' File; do + echo "Processing $File" + sed -i'.bak' -e "s#https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git#${GIT_BASEURL}/${GIT_ORG}/${GIT_GITOPS_APPLICATIONS}#" $File + sed -i'.bak' -e "s#targetRevision: master#targetRevision: ${GIT_GITOPS_APPLICATIONS_BRANCH}#" $File + rm "${File}.bak" + done + fi + +} + +ace_review_git () { + pushd $ROOTDIR/ace + git --no-pager diff + popd +} + +ace_git_add_commit_push () { + pushd $ROOTDIR/ace + git add . + git commit -m "update for ace files" + git push origin + popd +} + +# main + +wait_kubeseal_ready + +ace_git_pull + +ace_kubeseal_git + +ace_gitops_repo_cm + +ace_update_git + +ace_review_git + +ace_git_add_commit_push + + + diff --git a/scripts/mq-bootstrap.sh b/scripts/mq-bootstrap.sh new file mode 100755 index 0000000..6353574 --- /dev/null +++ b/scripts/mq-bootstrap.sh 
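Review bot: `ace_git_add_commit_push` commits and pushes unconditionally and runs straight after `ace_review_git` prints the diff, so the review step is informational only, and under `set -eo pipefail` a run where the `sed` rewrites changed nothing aborts on `git commit` (nothing to commit) after `git add .` has already staged whatever else sits in `ace/`. Guard the commit with `git diff --cached --quiet || git commit -m "update for ace files"`, and since `git add .` runs from `$ROOTDIR/ace`, consider staging only the `environments` and `config` trees the script actually rewrote. The unquoted tests `[ -z ${GIT_USER} ]`, `[ -z ${GIT_TOKEN} ]` and `[ -z ${GIT_ORG} ]` should be `[ -z "${GIT_USER}" ]` and so on. `GIT_TOKEN` is required but used by no visible line; presumably the sourced `git-credentials-secret.sh` consumes it, while the closing `git push origin` relies on whatever credentials the local clone already holds.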
@@ -0,0 +1,184 @@ +#!/usr/bin/env bash + +set -eo pipefail + +SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +ROOTDIR="${SCRIPTDIR}/.." +[[ -n "${DEBUG:-}" ]] && set -x + +pushd () { + command pushd "$@" > /dev/null +} + +popd () { + command popd "$@" > /dev/null +} + +SEALED_SECRET_NAMESPACE=${SEALED_SECRET_NAMESPACE:-sealed-secrets} + +if [ -z ${GIT_USER} ]; then echo "Please set GIT_USER when running script"; exit 1; fi + +if [ -z ${GIT_TOKEN} ]; then echo "Please set GIT_TOKEN when running script"; exit 1; fi + +if [ -z ${GIT_ORG} ]; then echo "Please set GIT_ORG when running script"; exit 1; fi + +#if [ -z ${ARTIFACTORY_NEW_PASSWORD} ]; then echo "Please set ARTIFACTORY_NEW_PASSWORD when running script"; exit 1; fi + + +wait_kubeseal_ready () { + while ! oc wait pod --timeout=-1s --for=condition=Ready -l '!job-name' -n ${SEALED_SECRET_NAMESPACE} > /dev/null; do sleep 30; done +} + +mq_kubeseal_artifactory () { + pushd $ROOTDIR/mq/environments/ci/secrets + source artifactory-access-secret.sh + popd +} + +mq_kubeseal_git () { + pushd $ROOTDIR/mq/environments/ci/secrets + source git-credentials-secret.sh + popd +} + +mq_gitops_repo_cm () { + pushd $ROOTDIR/mq/environments/ci/configmaps + source gitops-repo-configmap.sh + popd +} + +kubseal_ibm_entitled_registry () { + pushd $ROOTDIR/mq/environments/ci/secrets + source ibm-entitled-registry-credentials-secret.sh + popd +} + +mq_kubseal_client_jks_pass_ci () { + pushd $ROOTDIR/mq/environments/ci/secrets + source mq-client-jks-password-secret.sh + popd +} + +mq_client_certificate_ci () { + pushd $ROOTDIR/mq/environments/ci/certificates + source ci-mq-client-certificate.sh + popd +} + +mq_server_certificate_ci () { + pushd $ROOTDIR/mq/environments/ci/certificates + source ci-mq-server-certificate.sh + popd +} + +mq_kubseal_client_jks_pass_dev () { + pushd $ROOTDIR/mq/environments/dev/secrets + source mq-client-jks-password-secret.sh + popd +} + +mq_client_certificate_dev () { + pushd 
$ROOTDIR/mq/environments/dev/certificates + source dev-mq-client-certificate.sh + popd +} + +mq_server_certificate_dev () { + pushd $ROOTDIR/mq/environments/dev/certificates + source dev-mq-server-certificate.sh + popd +} + +mq_kubseal_client_jks_pass_staging () { + pushd $ROOTDIR/mq/environments/staging/secrets + source mq-client-jks-password-secret.sh + popd +} + +mq_client_certificate_staging () { + pushd $ROOTDIR/mq/environments/staging/certificates + source staging-mq-client-certificate.sh + popd +} + +mq_server_certificate_staging () { + pushd $ROOTDIR/mq/environments/staging/certificates + source staging-mq-server-certificate.sh + popd +} + +mq_kubseal_client_jks_pass_prod () { + pushd $ROOTDIR/mq/environments/prod/secrets + source mq-client-jks-password-secret.sh + popd +} + +mq_client_certificate_prod () { + pushd $ROOTDIR/mq/environments/prod/certificates + source prod-mq-client-certificate.sh + popd +} + +mq_server_certificate_prod () { + pushd $ROOTDIR/mq/environments/prod/certificates + source prod-mq-server-certificate.sh + popd +} + +mq_selfsigned_certificate () { + pushd $ROOTDIR/mq/environments/tools/certificates/mq-selfsigned-certificate + source mq-self-signed-ca-certificate.sh + popd +} + +mq_review_git () { + pushd $ROOTDIR/mq + git diff + popd +} + +mq_git_add_commit_push () { + pushd $ROOTDIR/mq + git add . 
+ git commit -m "update kubseal for mq files" + git push origin + popd +} + +# main +wait_kubeseal_ready + +# execute scripts in mq/environments/ci +mq_kubeseal_artifactory +mq_kubeseal_git +mq_gitops_repo_cm + +# mq_kubseal_client_jks_pass_ci +# mq_client_certificate_ci +# mq_server_certificate_ci +# kubseal_ibm_entitled_registry + +# execute scripts in mq/environments/dev +# mq_kubseal_client_jks_pass_dev +# mq_client_certificate_dev +# mq_server_certificate_dev + +# execute scripts in mq/environments/staging +# mq_kubseal_client_jks_pass_staging +# mq_client_certificate_staging +# mq_server_certificate_staging + +# execute scripts in mq/environments/prod +# mq_kubseal_client_jks_pass_prod +# mq_client_certificate_prod +# mq_server_certificate_prod + +# execute scripts in mq/environments/tools +#mq_selfsigned_certificate + +# review and commit +mq_review_git +mq_git_add_commit_push + + + diff --git a/scripts/set-git-source.sh b/scripts/set-git-source.sh new file mode 100755 index 0000000..8efa109 --- /dev/null +++ b/scripts/set-git-source.sh 
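Review bot: `mq_review_git` runs `git diff` without `--no-pager`, unlike the ace script's `git --no-pager diff` earlier in this diff, so an interactive run stops at a pager prompt between the review and `mq_git_add_commit_push`; change the line to `git --no-pager diff`. The `GIT_USER`/`GIT_TOKEN`/`GIT_ORG` checks carry the same unquoted `[ -z ${VAR} ]` form, and `GIT_TOKEN` is required even though only the sourced `git-credentials-secret.sh` appears to use it, so the requirement deserves a comment. Most `mq_kubseal_*` and `mq_*_certificate_*` functions are defined but commented out in the main section; a short comment such as `# ci/dev/staging/prod sealing is opt-in: uncomment the calls for the environments you provision` would tell the next reader whether that is intentional.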
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOTDIR="${SCRIPTDIR}/.."
+[[ -n "${DEBUG:-}" ]] && set -x
+
+
+if [ -z ${GIT_ORG} ]; then echo "Please set GIT_ORG when running script, optional GIT_BASEURL and GIT_REPO to formed the git url GIT_BASEURL/GIT_ORG/*"; exit 1; fi
+
+
+GIT_HOST=${GIT_HOST:-github.com}
+GIT_BASEURL="https://${GIT_HOST}"
+GIT_GITOPS_APPLICATIONS=${GIT_GITOPS_APPLICATIONS:-multi-tenancy-gitops-apps}
+GIT_GITOPS_APPLICATIONS_BRANCH=${GIT_GITOPS_APPLICATIONS_BRANCH:-master}
+
+
+find ${ROOTDIR}/ -name '*.yaml' -print0 |
+while IFS= read -r -d '' File; do
+ if grep -q "kind: Application" "$File"; then
+ sed -i'.bak' -e "s#https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git#${GIT_BASEURL}/${GIT_ORG}/${GIT_GITOPS_APPLICATIONS}#" $File
+ sed -i'.bak' -e "s#targetRevision: master#targetRevision: ${GIT_GITOPS_APPLICATIONS_BRANCH}#" $File
+ rm "${File}.bak"
+ fi
+done
+
+echo "done replacing variables in ArgoCD Application files"
+echo "git commit and push changes now"
diff --git a/shared/config/ci/instances/scc/Chart.yaml b/shared/config/ci/instances/scc/Chart.yaml
new file mode 100644
index 0000000..424e716
--- /dev/null
+++ b/shared/config/ci/instances/scc/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: tekton-pipeline-scc
+version: 0.1.0
+appVersion: 1.16.0
+description: Tekton pipeline service account configuration
+dependencies:
+ - name: service-account
+ version: 0.5.0
+ repository: https://cloud-native-toolkit.github.io/toolkit-charts/
+
diff --git a/shared/config/ci/instances/scc/values.yaml b/shared/config/ci/instances/scc/values.yaml
new file mode 100644
index 0000000..9fe2972
--- /dev/null
+++ b/shared/config/ci/instances/scc/values.yaml
@@ -0,0 +1,7 @@
+
+global: {}
+
+service-account:
+ name: pipeline
+ create: false
+ sccs: ["privileged"]
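Review bot: The two `sed -i'.bak'` invocations in set-git-source.sh pass `$File` unquoted while the `grep` on the line above quotes it, so a path containing whitespace fails part-way through the loop under `set -e`; use `"$File"` in both. `GIT_BASEURL` is fixed to `https://${GIT_HOST}` here even though the error message tells the user that `GIT_BASEURL` and `GIT_REPO` are optional inputs, and neither is read (the ace script in this diff does honour the environment with `${GIT_BASEURL-...}`); either read it as `GIT_BASEURL=${GIT_BASEURL:-https://${GIT_HOST}}` or correct the message. The substitution touches every `kind: Application` file under `ROOTDIR`, which is broader than the per-directory scope of the bootstrap scripts, so a comment stating that this is the intended one-shot repository-wide rewrite would help.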
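Review bot: `sccs: ["privileged"]` in scc/values.yaml grants the `pipeline` service account the `privileged` SCC, which permits privileged containers and host access for every Task that account runs, and nothing in the chart records why a narrower constraint would not do. Add a comment above the line such as `# privileged is needed by <tool or task> for <reason>; revisit when that dependency goes away` with the concrete need filled in, or scope down to `anyuid` or a purpose-built SCC if only a relaxed UID is required. The namespace the binding lands in is decided by the Argo CD Application that deploys this chart, not by this file, so the comment should also name the target namespace so the blast radius is explicit to a reviewer.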
diff --git a/shared/config/cp4a/cp4acluster/cp4a-resources/.helmignore b/shared/config/cp4a/cp4acluster/cp4a-resources/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/shared/config/cp4a/cp4acluster/cp4a-resources/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/shared/config/cp4a/cp4acluster/cp4a-resources/Chart.yaml b/shared/config/cp4a/cp4acluster/cp4a-resources/Chart.yaml new file mode 100644 index 0000000..587f625 --- /dev/null +++ b/shared/config/cp4a/cp4acluster/cp4a-resources/Chart.yaml 
@@ -0,0 +1,24 @@ +--- +apiVersion: v2 +name: icp4a-resources +description: Resources for for Cloud Pak for Business Automation + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: "1.0" diff --git a/shared/config/cp4a/cp4acluster/cp4a-resources/templates/icp4a-cluster.yaml b/shared/config/cp4a/cp4acluster/cp4a-resources/templates/icp4a-cluster.yaml new file mode 100644 index 0000000..2283e57 --- /dev/null +++ b/shared/config/cp4a/cp4acluster/cp4a-resources/templates/icp4a-cluster.yaml 
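Review bot: `description: Resources for for Cloud Pak for Business Automation` doubles the word "for"; change it to `description: Resources for Cloud Pak for Business Automation`. The rest of the file is the stock chart scaffold commentary, which is fine to keep as is.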
@@ -0,0 +1,306 @@ +--- +apiVersion: icp4a.ibm.com/v1 +kind: ICP4ACluster +metadata: + name: icp4adeploy + labels: + app.kubernetes.io/instance: ibm-dba + app.kubernetes.io/managed-by: ibm-dba + app.kubernetes.io/name: ibm-dba +spec: + olm_ent_workflow: false + olm_ent_option_bai: false + olm_demo_application: false + olm_deployment_type: demo + olm_ent_decisions_ads: false + olm_ent_option_adp: + cmis: false + css: false + document_processing_runtime: false + es: false + olm_ibm_license: true + initialize_configuration: + ic_ldap_creation: + ic_ldap_admins_groups_name: + - '' + ic_obj_store_creation: + object_stores: + - oc_cpe_obj_store_conn: + dc_os_datasource_name: FNOS1DS + dc_os_xa_datasource_name: FNOS1DSXA + oc_cpe_obj_store_display_name: OS1 + oc_cpe_obj_store_symb_name: OS1 + - oc_cpe_obj_store_admin_user_groups: + - '' + - '' + oc_cpe_obj_store_conn: + dc_os_datasource_name: DEVOS1DS + dc_os_xa_datasource_name: DEVOS1DSXA + oc_cpe_obj_store_display_name: DEVOS1 + oc_cpe_obj_store_symb_name: DEVOS1 + - oc_cpe_obj_store_conn: + dc_os_datasource_name: BAWDOCS + dc_os_xa_datasource_name: BAWDOCSXA + oc_cpe_obj_store_display_name: BAWDOCS + oc_cpe_obj_store_symb_name: BAWDOCS + - oc_cpe_obj_store_conn: + dc_os_datasource_name: BAWDOS + dc_os_xa_datasource_name: BAWDOSXA + oc_cpe_obj_store_display_name: BAWDOS + oc_cpe_obj_store_symb_name: BAWDOS + - oc_cpe_obj_store_conn: + dc_os_datasource_name: BAWTOS + dc_os_xa_datasource_name: BAWTOSXA + oc_cpe_obj_store_display_name: BAWTOS + oc_cpe_obj_store_enable_workflow: true + oc_cpe_obj_store_symb_name: BAWTOS + oc_cpe_obj_store_workflow_admin_group: '' + oc_cpe_obj_store_workflow_config_group: '' + oc_cpe_obj_store_workflow_data_tbl_space: '' + oc_cpe_obj_store_workflow_pe_conn_point_name: '' + - oc_cpe_obj_store_conn: + dc_os_datasource_name: AEOS + dc_os_xa_datasource_name: AEOSXA + oc_cpe_obj_store_display_name: AEOS + oc_cpe_obj_store_symb_name: AEOS + olm_ent_option_application: + app_designer: false + 
olm_ent_option_ads: + ads_designer: true + ads_runtime: true + olm_demo_decisions: true + olm_demo_document_processing: false + olm_demo_workflow: true + olm_demo_content: false + olm_demo_option_bai: true + olm_ent_application: false + olm_ent_option_decisions: + decisionCenter: false + decisionRunner: false + decisionServerRuntime: false + ums: false + olm_demo_option_adp: + cmis: false + css: false + olm_ent_option_content: + cmis: false + css: false + es: false + iccsap: false + ier: false + tm: false + ums: false + olm_ent_decisions: false + olm_ent_document_processing: false + olm_ent_content: false + appVersion: 21.0.1.1 + olm_demo_decisions_ads: false + datasource_configuration: + dc_ca_datasource: + tenant_databases: [] + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_max_retries_for_client_reroute: 3 + database_port: '' + dc_database_ssl_enabled: true + dc_hadr_standby_port: '' + database_ip: '' + database_name: '' + dc_hadr_standby_ip: '' + database_servername: '' + dc_hadr_validation_timeout: 15 + dc_hadr_standby_servername: '' + dc_database_type: db2 + dc_ums_datasource: + dc_ums_oauth_ssl: true + dc_ums_teamserver_host: '' + dc_ums_teamserver_name: '' + dc_ums_oauth_type: db2 + dc_ums_teamserver_alternate_hosts: '' + dc_ums_teamserver_ssl_secret_name: '' + dc_ums_oauth_schema: OAuthDBSchema + dc_ums_oauth_port: '' + dc_ums_teamserver_ssl: true + dc_ums_teamserver_alternate_ports: '' + dc_ums_teamserver_driverfiles: '' + dc_ums_oauth_host: '' + dc_ums_teamserver_type: db2 + dc_ums_oauth_name: '' + dc_ums_oauth_ssl_secret_name: '' + dc_ums_teamserver_port: '' + database_precheck: true + dc_odm_datasource: + database_servername: '' + dc_common_database_instance_secret: '' + dc_common_database_name: '' + dc_common_database_port: '' + dc_common_ssl_enabled: true + dc_database_type: db2 + dc_ssl_secret_name: '' + dc_ssl_enabled: true + dc_icn_datasource: + database_ssl_secret_name: '' + dc_hadr_retry_interval_for_client_reroute: 15 + 
dc_hadr_max_retries_for_client_reroute: 3 + database_port: '' + dc_common_icn_datasource_name: ECMClientDS + dc_hadr_standby_port: '' + database_name: '' + database_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_icn_jdbc_url: '' + dc_hadr_standby_servername: '' + dc_database_type: db2 + olm_dc_os_adp_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: DEVOS1DS + dc_common_os_xa_datasource_name: DEVOS1DSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: devos1 + olm_dc_os_workflow_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: BAWDOCS + dc_common_os_xa_datasource_name: BAWDOCSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: '' + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: BAWDOS + dc_common_os_xa_datasource_name: BAWDOSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: '' + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: BAWTOS + dc_common_os_xa_datasource_name: BAWTOSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + 
dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: '' + dc_gcd_datasource: + database_ssl_secret_name: '' + dc_oracle_gcd_jdbc_url: '' + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_max_retries_for_client_reroute: 3 + database_port: '' + dc_hadr_standby_port: '' + database_name: '' + database_servername: '' + dc_hadr_validation_timeout: 15 + dc_hadr_standby_servername: '' + dc_common_gcd_xa_datasource_name: FNGCDDSXA + dc_common_gcd_datasource_name: FNGCDDS + dc_database_type: db2 + olm_dc_os_ae_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: AEOS + dc_common_os_xa_datasource_name: AEOSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: aeos + olm_dc_os_content_datasources: + - database_name: '' + database_port: '' + database_servername: '' + database_ssl_secret_name: '' + dc_common_os_datasource_name: FNOS1DS + dc_common_os_xa_datasource_name: FNOS1DSXA + dc_database_type: db2 + dc_hadr_max_retries_for_client_reroute: 3 + dc_hadr_retry_interval_for_client_reroute: 15 + dc_hadr_standby_port: '' + dc_hadr_standby_servername: '' + dc_hadr_validation_timeout: 15 + dc_oracle_os_jdbc_url: '' + dc_os_label: os + shared_configuration: + image_pull_secrets: + - admin.registrykey + trusted_certificate_list: [] + sc_deployment_baw_license: non-production + sc_content_verification: false + storage_configuration: + sc_dynamic_storage_classname: {{.Values.storageclass.gold}} + sc_fast_file_storage_classname: {{.Values.storageclass.gold}} + sc_medium_file_storage_classname: {{.Values.storageclass.silver}} + sc_slow_file_storage_classname: {{.Values.storageclass.bronze}} + 
sc_deployment_hostname_suffix: {{.Values.spec.shared_configuration.sc_deployment_hostname_suffix}} + root_ca_secret: icp4a-root-ca + sc_content_initialization: false + sc_deployment_license: non-production + sc_ingress_enable: false + sc_image_repository: cp.icr.io + sc_ingress_tls_secret_name: '' + sc_deployment_platform: {{.Values.spec.shared_configuration.sc_deployment_platform}} + sc_deployment_fncm_license: non-production + olm_demo_option_content: + cmis: false + css: false + iccsap: false + ier: false + tm: false + ums: false + olm_ent_option_ae_data_persistence: false + ldap_configuration: + tds: + lc_group_filter: >- + (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))) + lc_user_filter: (&(cn=%v)(objectclass=person)) + ad: + lc_ad_gc_host: '' + lc_ad_gc_port: '' + lc_group_filter: (&(samAccountName=%v)(objectclass=group)) + lc_user_filter: (&(samAccountName=%v)(objectClass=user)) + lc_ldap_user_display_name_attr: sAMAccountName + lc_ldap_group_base_dn: '' + lc_ldap_base_dn: '' + lc_bind_secret: ldap-bind-secret + lc_ldap_user_name_attribute: 'user:sAMAccountName' + lc_ldap_group_member_id_map: 'memberOf:member' + lc_ldap_port: '636' + lc_ldap_server: '' + lc_ldap_group_membership_search_filter: (&(cn=%v)(objectcategory=group)) + lc_selected_ldap_type: '' + lc_ldap_ssl_secret_name: '' + lc_ldap_group_name_attribute: '*:cn' + lc_ldap_group_display_name_attr: cn + lc_ldap_ssl_enabled: true diff --git a/shared/config/cp4a/cp4acluster/cp4a-resources/templates/roks-db2-no-squash.yaml b/shared/config/cp4a/cp4acluster/cp4a-resources/templates/roks-db2-no-squash.yaml new file mode 100644 index 0000000..5d7695b --- /dev/null +++ b/shared/config/cp4a/cp4acluster/cp4a-resources/templates/roks-db2-no-squash.yaml 
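Review bot: The Helm expressions `{{.Values.storageclass.gold}}`, `{{.Values.spec.shared_configuration.sc_deployment_hostname_suffix}}` and `{{.Values.spec.shared_configuration.sc_deployment_platform}}` near the end of icp4a-cluster.yaml are emitted unquoted, so an unset value renders as a bare `key:` that YAML reads as null and a value that looks numeric or boolean is retyped; write them as `sc_deployment_hostname_suffix: {{ .Values.spec.shared_configuration.sc_deployment_hostname_suffix | quote }}` and likewise for the other four. Because the chart's values.yaml ships `to-be-set` as the hostname suffix, a render with the placeholder still succeeds; `{{ required "spec.shared_configuration.sc_deployment_hostname_suffix must be set" .Values.spec.shared_configuration.sc_deployment_hostname_suffix | quote }}` would fail the render instead of producing a cluster resource with a bogus hostname. The LDAP section already quotes its templated-looking values (`lc_ldap_port: '636'`, `lc_ldap_group_name_attribute: '*:cn'`), so the storage and platform lines are the inconsistent ones. This hunk is the whole file.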
@@ -0,0 +1,36 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: roks-db2-root-no-squash
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ namespace: openshift-gitops
+spec:
+ template:
+ spec:
+ containers:
+ - name: config
+ image: quay.io/openshift/origin-cli:latest
+ env:
+ - name: ARGOCD_APP_NAME
+ value: cp4a-app
+ - name: ARGOCD_NAMESPACE
+ value: openshift-gitops
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -eo pipefail
+ set -x
+ # https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/21.0.x?topic=deployment-installing-capabilities-in-operator-hub
+ platform=$(oc get Infrastructure cluster -o jsonpath={.status.platform})
+ if [ "${platform}" == "IBMCloud" ]; then
+ oc get no -l node-role.kubernetes.io/worker --no-headers -o name | \
+ xargs -I {} \
+ -- oc debug {} \
+ -- chroot /host sh -c 'grep "^Domain = slnfsv4.coms" /etc/idmapd.conf || ( sed -i "s/.*Domain =.*/Domain = slnfsv4.com/g" /etc/idmapd.conf; nfsidmap -c; rpc.idmapd )'
+ fi
+ restartPolicy: Never
+ serviceAccountName: {{.Values.serviceaccount.argocd_application_controller}}
+ backoffLimit: 4
diff --git a/shared/config/cp4a/cp4acluster/cp4a-resources/values.yaml b/shared/config/cp4a/cp4acluster/cp4a-resources/values.yaml
new file mode 100644
index 0000000..5f8d4ef
--- /dev/null
+++ b/shared/config/cp4a/cp4acluster/cp4a-resources/values.yaml
@@ -0,0 +1,11 @@
+---
+serviceaccount:
+ argocd_application_controller: argocd-cluster-argocd-application-controller
+spec:
+ shared_configuration:
+ sc_deployment_hostname_suffix: to-be-set
+ sc_deployment_platform: ROKS
+storageclass:
+ gold: cp4a-file-retain-gold-gid
+ silver: cp4a-file-retain-silver-gid
+ bronze: cp4a-file-retain-bronze-gid
diff --git a/shared/config/cp4a/pvc/operator-shared-log.yaml b/shared/config/cp4a/pvc/operator-shared-log.yaml
new file mode 100644
index 0000000..14d7bbc
--- /dev/null
+++ b/shared/config/cp4a/pvc/operator-shared-log.yaml
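Review bot: The guard in the per-node command of roks-db2-no-squash.yaml checks `grep "^Domain = slnfsv4.coms"` while the `sed` it guards writes `Domain = slnfsv4.com`, so the grep can never match what the job itself wrote and every PreSync re-runs the sed and restarts `rpc.idmapd` on all workers; change the guard to `grep -q "^Domain = slnfsv4.com$" /etc/idmapd.conf`. The container runs `quay.io/openshift/origin-cli:latest`, a mutable tag, for a job that executes `oc debug` with `chroot /host` on every worker under the Argo CD application-controller service account; pin a version tag or digest so the code that gets node-root access cannot change underneath the manifest. `set -eo pipefail` is run by `/bin/sh`, and whether that shell honours `pipefail` depends on the image, so using `/bin/bash` where available or dropping `pipefail` would make the failure mode explicit rather than image-dependent.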
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: cp4a-shared-log-pvc
+ labels:
+ app.kubernetes.io/instance: ibm-dba
+ app.kubernetes.io/managed-by: ibm-dba
+ app.kubernetes.io/name: ibm-dba
+ release: 21.0.1
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: cp4a-file-retain-gold-gid
+ resources:
+ requests:
+ storage: 100Gi
diff --git a/shared/config/cp4a/pvc/operator-shared-pvc.yaml b/shared/config/cp4a/pvc/operator-shared-pvc.yaml
new file mode 100644
index 0000000..b295f58
--- /dev/null
+++ b/shared/config/cp4a/pvc/operator-shared-pvc.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: operator-shared-pvc
+ labels:
+ app.kubernetes.io/instance: ibm-dba
+ app.kubernetes.io/managed-by: ibm-dba
+ app.kubernetes.io/name: ibm-dba
+ release: 21.0.1
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: cp4a-file-retain-bronze-gid
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/shared/config/cp4a/rolebinding/cluster-role-binding.yaml b/shared/config/cp4a/rolebinding/cluster-role-binding.yaml
new file mode 100644
index 0000000..d8fee78
--- /dev/null
+++ b/shared/config/cp4a/rolebinding/cluster-role-binding.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cp4a-cp4a-operator
+ labels:
+ app.kubernetes.io/instance: ibm-dba
+ app.kubernetes.io/managed-by: ibm-dba
+ app.kubernetes.io/name: ibm-dba
+ release: 21.0.1
+roleRef:
+ name: ibm-cp4a-operator
+ # CP4A instructions had the apiVersion: authorization.openshift.io/v1
+ # which sidesteps the need for apiGroup and kind, but Argo 1.8.4 could
+ # not deal with that apiVersion, indicating that the resource was
+ # missing in the cluster even right after applying it.
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+subjects:
+ - kind: ServiceAccount
+ name: ibm-cp4a-operator
+ namespace: cloudpak
diff --git a/shared/config/cp4a/rolebinding/cluster-role.yaml b/shared/config/cp4a/rolebinding/cluster-role.yaml
new file mode 100644
index 0000000..417b9f3
--- /dev/null
+++ b/shared/config/cp4a/rolebinding/cluster-role.yaml
@@ -0,0 +1,81 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ibm-cp4a-operator
+ labels:
+ app.kubernetes.io/instance: ibm-dba
+ app.kubernetes.io/managed-by: ibm-dba
+ app.kubernetes.io/name: ibm-dba
+ release: 21.0.1
+rules:
+ - apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+ - apiGroups:
+ - icp4a.ibm.com
+ resources:
+ - "*"
+ verbs:
+ - "*"
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - "*"
+ - apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - "*"
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - "get"
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - "get"
+ - "create"
+ - "patch"
+ - "update"
+ # for one-click to send operand request to ibm-common-services
+ - apiGroups:
+ - operator.ibm.com
+ resources:
+ - operandrequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - operator.ibm.com
+ resources:
+ - operandrequests/status
+ verbs:
+ - get
diff --git a/shared/config/cp4a/secrets/ibm-entitled-key-secret.sh b/shared/config/cp4a/secrets/ibm-entitled-key-secret.sh
new file mode 100755
index 0000000..bd00c14
--- /dev/null
+++ b/shared/config/cp4a/secrets/ibm-entitled-key-secret.sh
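Review bot: The core-group rule granting `get`/`create`/`patch`/`update` on `configmaps` and `secrets` sits in a ClusterRole that cluster-role-binding.yaml in this diff binds cluster-wide to the `ibm-cp4a-operator` service account in `cloudpak`, so that account can read and rewrite Secrets in every namespace rather than only its own; if the operator only needs its deployment namespace, move that rule (and the `routes` rule) into a namespaced Role and RoleBinding, and otherwise add a comment explaining the cluster-wide need the way the `operandrequests` rule already does. `create`/`patch`/`update` on `securitycontextconstraints` together with `"*"` on `podsecuritypolicies` lets the holder author its own privileged policy, which is cluster-admin-equivalent in practice, so a comment such as `# SCC write access is required by the CP4A operator install; see vendor docs` would at least make the grant deliberate. The `extensions` API group for `podsecuritypolicies` was removed from Kubernetes in 1.16, so that rule appears to be dead weight carried over from older instructions.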
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_ENTITLEMENT_KEY=
+NAMESPACE=openshift-operators
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret docker-registry admin.registrykey \
+--docker-username=cp \
+--docker-server=cp.icr.io \
+--docker-password=${IBM_ENTITLEMENT_KEY} \
+--namespace=${NAMESPACE} \
+--dry-run=true -o yaml > delete-ibm-entitled-key-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ${NAMESPACE} --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-entitled-key-secret.yaml > ibm-entitled-key-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-key-secret.yaml
\ No newline at end of file
diff --git a/shared/config/cp4a/secrets/ibm-entitled-key-secret.yaml b/shared/config/cp4a/secrets/ibm-entitled-key-secret.yaml
new file mode 100644
index 0000000..77a3666
--- /dev/null
+++ b/shared/config/cp4a/secrets/ibm-entitled-key-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: admin.registrykey
+ namespace: cloudpak
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: admin.registrykey
+ namespace: cloudpak
+ type: kubernetes.io/dockerconfigjson
+
diff --git a/shared/config/cp4d/ibmcpd/ibmcpd.yaml b/shared/config/cp4d/ibmcpd/ibmcpd.yaml
new file mode 100644
index 0000000..c768083
--- /dev/null
+++ b/shared/config/cp4d/ibmcpd/ibmcpd.yaml
@@ -0,0 +1,11 @@
+apiVersion: cpd.ibm.com/v1
+kind: Ibmcpd
+metadata:
+ name: ibmcpd-cr
+spec:
+ license:
+ accept: true
+ license: Enterprise
+ storageClass: ocs-storagecluster-cephfs
+ zenCoreMetadbStorageClass: ocs-storagecluster-ceph-rbd
+ version: "4.0.1"
\ No newline at end of file
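Review bot: cp4a/secrets/ibm-entitled-key-secret.sh seals the pull secret for `NAMESPACE=openshift-operators` (both `--namespace=${NAMESPACE}` and `kubeseal -n ${NAMESPACE}`), but the committed cp4a/secrets/ibm-entitled-key-secret.yaml carries `namespace: cloudpak`; a namespace-scoped SealedSecret only unseals in the namespace it was sealed for, so one of the two is stale and the controller should refuse to decrypt the manifest as committed. `IBM_ENTITLEMENT_KEY=` is meant to be filled in by editing the file, which invites committing the key and also puts it on the `oc` command line where process listings can see it; read it from the environment instead, `: "${IBM_ENTITLEMENT_KEY:?set IBM_ENTITLEMENT_KEY in the environment before running}"`, and the same applies to ibm-entitlement-key/ibm-entitled-key-secret.sh. `--dry-run=true` is the deprecated spelling; `--dry-run=client` is the current form.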
diff --git a/shared/config/cp4d/ibmcpd/operandrequest.yaml b/shared/config/cp4d/ibmcpd/operandrequest.yaml
new file mode 100644
index 0000000..579fe78
--- /dev/null
+++ b/shared/config/cp4d/ibmcpd/operandrequest.yaml
@@ -0,0 +1,6 @@
+apiVersion: operator.ibm.com/v1alpha1
+kind: OperandRequest
+metadata:
+ name: empty-request
+spec:
+ requests: []
\ No newline at end of file
diff --git a/shared/config/cp4d/secrets/ibm-entitled-key-cp4d-secret.yaml b/shared/config/cp4d/secrets/ibm-entitled-key-cp4d-secret.yaml
new file mode 100644
index 0000000..db0e64c
--- /dev/null
+++ b/shared/config/cp4d/secrets/ibm-entitled-key-cp4d-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ namespace: ibm-common-services
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ namespace: ibm-common-services
+ type: kubernetes.io/dockerconfigjson
+
diff --git a/shared/config/ibm-entitlement-key/ibm-entitled-key-secret.sh b/shared/config/ibm-entitlement-key/ibm-entitled-key-secret.sh
new file mode 100755
index 0000000..8909259
--- /dev/null
+++ b/shared/config/ibm-entitlement-key/ibm-entitled-key-secret.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_ENTITLEMENT_KEY=
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret docker-registry ibm-entitlement-key \
+--docker-username=cp \
+--docker-server=cp.icr.io \
+--docker-password=${IBM_ENTITLEMENT_KEY} \
+--dry-run=true -o yaml > delete-ibm-entitled-key-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal --scope cluster-wide --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-entitled-key-secret.yaml > ibm-entitled-key-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-key-secret.yaml
\ No newline at end of file
diff --git a/shared/config/ibm-entitlement-key/ibm-entitled-key-secret.yaml b/shared/config/ibm-entitlement-key/ibm-entitled-key-secret.yaml
new file mode 100644
index 0000000..1a0c49e
--- /dev/null
+++ b/shared/config/ibm-entitlement-key/ibm-entitled-key-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitlement-key
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ type: kubernetes.io/dockerconfigjson
+
diff --git a/shared/config/openshift-pipelines/configmap/config-defaults.yaml b/shared/config/openshift-pipelines/configmap/config-defaults.yaml
new file mode 100644
index 0000000..8a8909a
--- /dev/null
+++ b/shared/config/openshift-pipelines/configmap/config-defaults.yaml
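Review bot: `kubeseal --scope cluster-wide` in ibm-entitlement-key/ibm-entitled-key-secret.sh produces a SealedSecret that unseals in any namespace, which the committed yaml confirms with `sealedsecrets.bitnami.com/cluster-wide: "true"`; anyone who can create SealedSecrets and read Secrets in a namespace they control can therefore recover the entitlement key by copying this manifest there. If the key is only needed in a known set of namespaces, seal it per namespace (the default scope, as the cp4a and cp4d variants in this diff do) or use `--scope namespace-wide` with a fixed target, and otherwise add a comment above the `kubeseal` line recording that cluster-wide exposure is accepted and why. The same in-file `IBM_ENTITLEMENT_KEY=` placeholder and deprecated `--dry-run=true` appear here as in cp4a/secrets/ibm-entitled-key-secret.sh; `: "${IBM_ENTITLEMENT_KEY:?set IBM_ENTITLEMENT_KEY in the environment before running}"` and `--dry-run=client` would address both.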
@@ -0,0 +1,55 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults + namespace: openshift-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # default-timeout-minutes contains the default number of + # minutes to use for TaskRun and PipelineRun, if none is specified. + default-timeout-minutes: "60" # 60 minutes + + # default-service-account contains the default service account name + # to use for TaskRun and PipelineRun, if none is specified. + default-service-account: "default" + + # default-managed-by-label-value contains the default value given to the + # "app.kubernetes.io/managed-by" label applied to all Pods created for + # TaskRuns. If a user's requested TaskRun specifies another value for this + # label, the user's request supercedes. + default-managed-by-label-value: "tekton-pipelines" + + # default-pod-template contains the default pod template to use + # TaskRun and PipelineRun, if none is specified. If a pod template + # is specified, the default pod template is ignored. + # default-pod-template: + + # default-cloud-events-sink contains the default CloudEvents sink to be + # used for TaskRun and PipelineRun, when no sink is specified. + # Note that right now it is still not possible to set a PipelineRun or + # TaskRun specific sink, so the default is the only option available. 
+ # If no sink is specified, no CloudEvent is generated + # default-cloud-events-sink: + + # default-task-run-workspace-binding contains the default workspace + # configuration provided for any Workspaces that a Task declares + # but that a TaskRun does not explicitly provide. + # default-task-run-workspace-binding: | + # emptyDir: {} + default-service-account: pipeline + default-cloud-events-sink: http://broker-ingress.knative-eventing.svc.cluster.local/slack-notifications/default \ No newline at end of file diff --git a/shared/config/tools/.keep b/shared/config/tools/.keep new file mode 100644 index 0000000..e69de29 diff --git a/shared/config/tools/instances/.keep b/shared/config/tools/instances/.keep new file mode 100644 index 0000000..e69de29 diff --git a/shared/config/tools/instances/cloud-native-toolkit/release_v2.6.13.yaml b/shared/config/tools/instances/cloud-native-toolkit/release_v2.6.13.yaml new file mode 100644 index 0000000..3641139 --- /dev/null +++ b/shared/config/tools/instances/cloud-native-toolkit/release_v2.6.13.yaml 
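Review bot: The two effective keys, `default-service-account: pipeline` and `default-cloud-events-sink: http://broker-ingress.knative-eventing.svc.cluster.local/slack-notifications/default`, sit at the very end of config-defaults.yaml after the long `_example` block that Tekton ships verbatim, so a reader skimming the ConfigMap sees only documentation and may miss that anything is overridden; place them directly under `data:` ahead of `_example`, or precede them with `# effective settings; everything in _example above is documentation only`. Since `_example` is informational, trimming it to the two options actually overridden would also make future diffs to this file reviewable.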
@@ -0,0 +1,6371 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gitops-edge-v2-6-13 + annotations: + description: Registers the image with the Edge server using the hzn cli + app.openshift.io/description: Registers the image with the Edge server using the hzn cli + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-url + default: "" + - name: service-name + default: "" + - name: version + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + - name: icp-ca + secret: + secretName: edge-access + items: + - key: HZN_CERTIFICATE + path: icp-ca.crt + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: gitops-edge + image: $(params.tools-image) + workingDir: $(params.source-dir) + securityContext: + allowPrivilegeEscalation : true + env: + - name: HOME + value: /home/devops + - name: HZN_EXCHANGE_URL + valueFrom: + secretKeyRef: + name: edge-access + key: HZN_EXCHANGE_URL + optional: true + - name: HZN_ORG_ID + valueFrom: + 
secretKeyRef: + name: edge-access + key: HZN_ORG_ID + optional: true + - name: HZN_EXCHANGE_USER_AUTH + valueFrom: + secretKeyRef: + name: edge-access + key: HZN_EXCHANGE_USER_AUTH + optional: true + - name: HZN_CERTIFICATE + valueFrom: + secretKeyRef: + name: edge-access + key: HZN_CERTIFICATE + optional: true + volumeMounts: + - mountPath: /opt/certs + name: icp-ca + script: | + #!/usr/bin/env bash + set -ex + + if [[ -z "${HZN_EXCHANGE_URL}" ]]; then + echo "Edge Exchange has not been configured. Skipping trigger step" + exit 0 + fi + + SERVICE_NAME="$(params.service-name)" + VERSION="$(params.version)" + REGISTRY_SERVER_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $1}') + REGISTRY_NAMESPACE_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $2}') + REGISTRY_REPOSITORY_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}') + REGISTRY_TAG_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}') + BASE_IMAGE="${REGISTRY_SERVER_VALUE}/${REGISTRY_NAMESPACE_VALUE}" + + if [[ -z "${SERVICE_NAME}" ]]; then + # if service name not passed explicit assume to use image repository + SERVICE_NAME="${REGISTRY_REPOSITORY_VALUE}" + fi + + if [[ -z "${VERSION}" ]]; then + # if version not passed explicit assume to use image tag + VERSION="${REGISTRY_TAG_VALUE}" + fi + + if [[ -z "${SERVICE_NAME}" ]] || [[ -z "${VERSION}" ]] || [[ -z "${BASE_IMAGE}" ]] || [[ "${BASE_IMAGE}" = "/" ]]; then + echo "Edge Service, Version, or Base image parameters missing" + exit 1 + fi + + if [[ -z "${HZN_EXCHANGE_USER_AUTH}" ]] || [[ -z "${HZN_CERTIFICATE}" ]]; then + echo "Edge Credentials or Certificate not set" + exit 1 + fi + + set +x + if [[ -z "${HZN_EXCHANGE_USER_AUTH}" ]] || [[ -z "${HZN_CERTIFICATE}" ]]; then + echo "Edge Credentials or Certificate not set" + exit 1 + fi + set -x + + + + hzn version + + # Verify the Edge Cert is visible from the Tekton Task + ls /opt/certs/*.crt + + cp /opt/certs/icp-ca.crt /usr/local/share/ca-certificates && 
update-ca-certificates + + mkdir -p ./horizon + + cat <./horizon/hzn.json + { + "HZN_ORG_ID": "${HZN_ORG_ID}", + "MetadataVars": { + "DOCKER_IMAGE_BASE": "${BASE_IMAGE}", + "SERVICE_NAME": "${SERVICE_NAME}", + "SERVICE_VERSION": "${VERSION}" + } + } + JSON + + cat ./horizon/hzn.json + + # Publish Service to Edge Application Manager + hzn key create "IBM" "user@us.ibm.com" + + make publish-service + + echo "Edge Service registered" + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-operator-bundle-v2-6-13 + annotations: + description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-url + default: "" + - name: image-suffix + default: "-bundle" + - name: image-tag + default: "" + - name: default-channel + default: "alpha" + - name: BUNDLE_IMAGE + default: quay.io/ibmgaragecloud/operator-sdk:v0.10.4 + - name: BUILDER_IMAGE + default: quay.io/buildah/stable:v1.15.0 + - name: DOCKERFILE + default: ./bundle.Dockerfile + - name: CONTEXT + default: . 
+ - name: TLSVERIFY + default: "false" + - name: FORMAT + default: "docker" + - name: STORAGE_DRIVER + description: Set buildah storage driver + default: overlay + results: + - name: bundle-image-url + volumes: + - name: varlibcontainers + emptyDir: {} + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: build + image: $(params.BUNDLE_IMAGE) + workingDir: $(params.source-dir) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + privileged: true + script: | + export VERSION="$(params.image-tag)" + export IMG="$(params.image-url):$(params.image-tag)" + export BUNDLE_IMG_BASE="$(params.image-url)$(params.image-suffix)" + export BUNDLE_IMG="${BUNDLE_IMG_BASE}:$(params.image-tag)" + + IMAGE_SERVER=$(echo "${BUNDLE_IMG}" | awk -F / '{print $1}') + + make bundle + + # TODO missing default channel + echo "LABEL operators.operatorframework.io.bundle.channel.default.v1=$(params.default-channel)" >> $(params.DOCKERFILE) + cat 
$(params.DOCKERFILE) + echo " operators.operatorframework.io.bundle.channel.default.v1: $(params.default-channel)" >> bundle/metadata/annotations.yaml + cat bundle/metadata/annotations.yaml + + podman --storage-driver=$(params.STORAGE_DRIVER) build --format=$(params.FORMAT) --tls-verify=$(params.TLSVERIFY) -f $(params.DOCKERFILE) -t ${BUNDLE_IMG} $(params.CONTEXT) + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "${IMAGE_SERVER}" != "image-registry.openshift-image-registry.svc:5000" ]]; then + podman login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" "${IMAGE_SERVER}" + echo "podman login -u "${REGISTRY_USER}" -p "xxxxx" "${IMAGE_SERVER}"" + fi + set -x + podman --storage-driver=$(params.STORAGE_DRIVER) push --tls-verify=$(params.TLSVERIFY) --digestfile ./image-digest ${BUNDLE_IMG} docker://${BUNDLE_IMG} + + echo -n "${BUNDLE_IMG_BASE}" > $(results.bundle-image-url.path) + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gradle-pact-verify-v2-6-13 + annotations: + description: Performs pact verification on the service provider + app.openshift.io/description: Performs pact verification on the service provider + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: service-protocol + default: "http" + - name: service-host + - name: service-port + default: "80" + - name: gradle-image + default: quay.io/ibmgaragecloud/gradle:jdk11 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: 
git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: pact-verify + image: $(params.gradle-image) + workingDir: $(params.source-dir) + env: + - name: GRADLE_USER_HOME + value: $(params.source-dir) + - name: PACTBROKER_URL + valueFrom: + secretKeyRef: + name: pactbroker-access + key: PACTBROKER_URL + optional: true + - name: PACTBROKER_USER + valueFrom: + secretKeyRef: + name: pactbroker-access + key: PACTBROKER_USER + optional: true + - name: PACTBROKER_PASSWORD + valueFrom: + secretKeyRef: + name: pactbroker-access + key: PACTBROKER_PASSWORD + optional: true + script: | + #!/usr/bin/env bash + set -ex + + if [[ -z "${PACTBROKER_URL}" ]]; then + echo "PactBroker url not set. 
Skipping pact verification" + exit 0 + fi + + if ./gradlew tasks --all | grep -Eq "^pactVerify"; then + echo "Pact Verify task found" + else + echo "Skipping Pact Verify step, no task defined" + exit 0 + fi + + PROTOCOL=$(params.service-protocol) + HOST=$(params.service-host) + PORT=$(params.service-port) + + ./gradlew pactVerify \ + -PpactBrokerUrl=${PACTBROKER_URL} \ + -PpactProtocol=${PROTOCOL} \ + -PpactHost=${HOST} \ + -PpactPort=${PORT} \ + -Ppact.verifier.publishResults=true + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-health-check-mq-v2-6-13 + annotations: + description: Performs a health check on the queue manager + app.openshift.io/description: Performs a health check on the queue manager + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + steps: + - name: health-check + image: $(params.tools-image) + script: | + #!/usr/bin/env bash + set -x + + APP_NAME="$(params.app-name)" + + # RELEASE_NAME="${APP_NAME}" + RELEASE_NAME="qm-dev" + echo "RELEASE_NAME: $RELEASE_NAME" + + podname=$(kubectl get pods --selector=app.kubernetes.io/instance=$RELEASE_NAME -o custom-columns=POD:.metadata.name --no-headers | head -n 1) + echo "podname: $podname" + + queue="QM1" + echo "queue name: $queue" + + echo "Sleep before test to make sure QMGR is up" + sleep 20 + + echo "Print the queue details: ..." + echo "" + kubectl exec $podname -- /bin/bash -c "echo \"define qlocal($queue) replace\" | runmqsc " + + echo "Print the queue details: ..." + echo "" + kubectl exec $podname -- /bin/bash -c "echo \"DISPLAY QL($queue) ALL\" | runmqsc" > checkQ.txt 2>&1 + cat checkQ.txt + + if grep -q "QUEUE($queue)" checkQ.txt; then + echo "Queue has been successfully created." 
+ else + exit 1 + fi + + # put message on queue + kubectl exec $podname -- /bin/bash -c "echo \"hello-world\" | /opt/mqm/samp/bin/amqsput $queue" > putMessage.txt 2>&1 + cat putMessage.txt + echo "----------" + fail="reason code" + if grep -q "$fail" putMessage.txt; then + exit 1 + else + echo "Message has been successfully put the queue." + fi + + # get message on queue + kubectl exec $podname -c qmgr -- /opt/mqm/samp/bin/amqsget $queue > getMessage.txt 2>&1 + cat getMessage.txt + if grep -q "hello-world" getMessage.txt; then + echo "Message has been found on the queue." + else + echo "Error: Message has not been retrieved from the queue." + exit 1 + fi + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-build-tag-push-v2-6-13 + annotations: + description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: BUILDER_IMAGE + default: quay.io/buildah/stable:v1.15.0 + - name: DOCKERFILE + default: ./Dockerfile + - name: CONTEXT + default: . 
+ - name: TLSVERIFY + default: "false" + - name: FORMAT + default: "docker" + - name: STORAGE_DRIVER + description: Set buildah storage driver + default: overlay + volumes: + - name: varlibcontainers + emptyDir: {} + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: build + image: $(params.BUILDER_IMAGE) + workingDir: $(params.source-dir) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + - name: IBM_ENTITLED_REGISTRY_USER + valueFrom: + secretKeyRef: + name: ibm-entitled-registry-credentials + key: IBM_ENTITLED_REGISTRY_USER + optional: true + - name: IBM_ENTITLED_REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: ibm-entitled-registry-credentials + key: IBM_ENTITLED_REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + privileged: true + script: | + APP_IMAGE="$(params.image-server)/$(params.image-namespace)/$(params.image-repository):$(params.image-tag)" + if [[ -n "${IBM_ENTITLED_REGISTRY_USER}" ]] && [[ -n 
"${IBM_ENTITLED_REGISTRY_PASSWORD}" ]]; then + buildah login -u ${IBM_ENTITLED_REGISTRY_USER} -p ${IBM_ENTITLED_REGISTRY_PASSWORD} cp.icr.io + echo "buildah login -u "${IBM_ENTITLED_REGISTRY_USER}" -p "xxxxx" cp.icr.io" + fi + buildah --layers --storage-driver=$(params.STORAGE_DRIVER) bud --format=$(params.FORMAT) --tls-verify=$(params.TLSVERIFY) -f $(params.DOCKERFILE) -t ${APP_IMAGE} $(params.CONTEXT) + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "$(params.image-server)" != "image-registry.openshift-image-registry.svc:5000" ]]; then + buildah login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" "$(params.image-server)" + echo "buildah login -u "${REGISTRY_USER}" -p "xxxxx" "$(params.image-server)"" + fi + set -x + buildah --storage-driver=$(params.STORAGE_DRIVER) push --tls-verify=$(params.TLSVERIFY) --digestfile ./image-digest ${APP_IMAGE} docker://${APP_IMAGE} + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-dockerfile-lint-v2-6-13 + annotations: + description: Optional linter for Dockerfiles; if a ".hadolint" file is in the repo root, this task automatically picks up; otherwise hadolint file name must be passed via ConfigMap. See Hadolint on Dockerhub for more + app.openshift.io/description: Optional linter for Dockerfiles; if a ".hadolint" file is in the repo root, this task automatically picks up; otherwise hadolint file name must be passed via ConfigMap + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: DOCKERFILE + default: Dockerfile + - name: CONTEXT + default: . 
+ - name: LINT_IMAGE + default: ghcr.io/hadolint/hadolint:v2.3.0-alpine + - name: lint-dockerfile + default: "true" + + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: alpine/git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: lint + image: $(params.LINT_IMAGE) + workingDir: $(params.source-dir) + env: + - name: HADOLINT_CFG + valueFrom: + configMapKeyRef: + name: hadolint-config + key: HADOLINT_CFG + optional: true + script: | + PERFORM_LINT="$(params.lint-dockerfile)" + if [[ "${PERFORM_LINT}" == "false" ]] || [[ -z "${PERFORM_LINT}" ]]; then + echo "User selected to skip Dockerfile linting. Skipping this task." 
+ exit 0 + fi + + FILE="$(params.source-dir)"/.hadolint.yaml + + if [ -f "${HADOLINT_CFG}" ]; then + FILE="$(params.source-dir)/${HADOLINT_CFG}" + echo "In this step, hadolint will lint your Dockerfile, using ${FILE}, with the following rules: " + cat ${FILE} + echo "For more information about hadolint please refer to https://cloudnativetoolkit.dev/" + hadolint --config ${HADOLINT_CFG} $(params.DOCKERFILE) + + elif [ -f "${FILE}" ]; then + echo "In this step, hadolint will lint your Dockerfile, using .hadolint.yaml in your repository, with the following rules: " + cat "${FILE}" + echo "For more information about hadolint please refer to https://cloudnativetoolkit.dev/" + hadolint $(params.DOCKERFILE) + + else + echo "In this step, hadolint will lint your Dockerfile" + echo "If you would like to configure hadolint, please see https://github.com/hadolint/hadolint" + echo "For more information about hadolint please refer to https://cloudnativetoolkit.dev/" + hadolint $(params.DOCKERFILE) + fi + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-operator-catalog-gitops-v2-6-13 + annotations: + description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: app-name + default: "" + - name: source-dir + default: /source + - name: gitops-dir + default: /gitops + - name: subdir + default: "" + - name: parentdir + default: "" + - name: deploy-dir + default: deploy + - name: image-url + default: "" + - name: tools-image + default: 
quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + - name: gitops + emptyDir: { } + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + - name: gitops + mountPath: $(params.gitops-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: gitops + image: $(params.tools-image) + workingDir: $(params.gitops-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: username + optional: true + - name: GIT_PASSWORD_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: gitops-repo + key: parentdir + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo + 
key: org + optional: true + - name: GIT_REPO + valueFrom: + configMapKeyRef: + name: gitops-repo + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: gitops-repo + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAME="$(params.app-name)" + SUBDIR="$(params.subdir)" + if [[ -z "${SUBDIR}" ]]; then + SUBDIR="${APP_NAME}" + fi + if [[ -n "$(params.parentdir)" ]]; then + PARENT_DIR="$(params.parentdir)" + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR | tail -n 1) + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR}" + else + PARENT_DIR="." + fi + SUBDIR="${PARENT_DIR}/${SUBDIR}" + + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + + BUNDLE_URL="$(params.image-url)" + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. 
Skipping trigger step" + exit 0 + fi + + set +x + if [[ -n "${GIT_USERNAME_CD}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME_CD}" + GIT_AUTH_PWD="${GIT_PASSWORD_CD}" + elif [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} $(params.gitops-dir) + set -x + cd $(params.gitops-dir) + + mkdir -p ${SUBDIR} + if [[ -d $(params.source-dir)/$(params.deploy-dir) ]] && grep -q CatalogSource $(params.source-dir)/$(params.deploy-dir)/*; then + echo "Copying files from $(params.deploy-dir)/ into the GitOps repo ${SUBDIR}/" + # Copy any non-CatalogSource files + grep -L CatalogSource $(params.source-dir)/$(params.deploy-dir)/* | while read file; do + dest_file=$(basename ${file}) + + echo "Copying ${file} to ${SUBDIR}/${dest_file}" + cp "${file}" ${SUBDIR}/${dest_file} + done + # Copy the CatalogSource and replace the image with the BUNDLE_URL + grep -l CatalogSource $(params.source-dir)/$(params.deploy-dir)/* | while read file; do + dest_file=$(basename ${file}) + + echo "Copying ${file} to ${SUBDIR}/${dest_file}" + cat "${file}" | sed -E "s~([ ]+image: ).*~\1${BUNDLE_URL}~g" > ${SUBDIR}/${dest_file} + done + else + echo "Generating catalog-source.yaml" + cat > ${SUBDIR}/catalog-source.yaml << EOF + apiVersion: operators.coreos.com/v1alpha1 + kind: CatalogSource + metadata: + name: ${APP_NAME} + spec: + sourceType: grpc + image: ${BUNDLE_URL} + displayName: 
${APP_NAME} + publisher: grpc + EOF + + echo "CatalogSource generated" + cat ${SUBDIR}/catalog-source.yaml + fi + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + git add "${SUBDIR}/" + git commit -m "Updates ${APP_NAME}" + git push -v + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-img-scan-trivy-v2-6-13 + annotations: + description: Runs an image scan with Trivy and fails the build if issues are found. + app.openshift.io/description: Runs an image scan with Trivy and fails the build if issues are found. + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: image-url + description: "The location of image to scan on IBM Container Registry //:" + - name: scan-image + description: Flag indicating that a scan should be performed + default: "false" + - name: SKOPEO_IMAGE + default: quay.io/containers/skopeo:v1.1.0 + - name: IMAGE_FROM_TLS_VERIFY + default: "false" + - name: TRIVY_IMAGE + default: quay.io/ibmgaragecloud/aquasec-trivy + volumes: + - name: oci-image + emptyDir: {} + steps: + - name: pull-image + image: $(params.SKOPEO_IMAGE) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/oci + name: oci-image + securityContext: + privileged: true + script: | + PERFORM_SCAN="$(params.scan-image)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." 
+ exit 0 + fi + IMAGE_FROM=$(params.image-url) + REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}') + IMAGE_TO="oci:/var/oci/image" + IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY) + echo "Tagging ${IMAGE_FROM} as ${IMAGE_TO}" + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "${REGISTRY_SERVER_FROM}" != "image-registry.openshift-image-registry.svc:5000" ]]; then + IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + set -x + if [ "${REGISTRY_SERVER_FROM}" =~ ":" ]; then + IMAGE_FROM_TLS_VERIFY="false" + fi + echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO}" + set +x + skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO} + - name: scan-image + image: $(params.TRIVY_IMAGE) + volumeMounts: + - mountPath: /var/oci + name: oci-image + script: | + set -e + PERFORM_SCAN="$(params.scan-image)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." + exit 0 + fi + PATH_TO_IMAGE="/var/oci/image" + echo -e "Trivy Security Scan image in registry" + trivy image --exit-code 0 --input ${PATH_TO_IMAGE} + trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE} + my_exit_code=$? + echo "Scan exit code :--- $my_exit_code" + if [ ${my_exit_code} == 1 ]; then + echo "Trivy scanning completed. CRITICAL Vulnerabilities found." + exit 1 + else + echo "Trivy scanning completed. CRITICAL vulnerabilities not found." 
+ fi + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-health-check-v2-6-13 + annotations: + description: Performs a health check on the deployed application + app.openshift.io/description: Performs a health check on the deployed application + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: health-protocol + default: "https" + - name: health-endpoint + default: "/health" + - name: health-url + default: "" + - name: health-curl + default: "-k" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: resource-type + default: "" + steps: + - name: health-check + image: $(params.tools-image) + script: | + #!/usr/bin/env bash + set -x + + URL="$(params.health-url)" + CURL_FLAGS="$(params.health-curl)" + + if [[ -z "${URL}" ]]; then + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + PROTOCOL="$(params.health-protocol)" + INGRESS_TYPE="$(params.deploy-ingress-type)" + HEALTH_ENDPOINT="$(params.health-endpoint)" + + echo "resource-type: $(params.resource-type)" + + if [[ "$(params.resource-type)" == *"integrationserver"* ]]; then + HOST=$(kubectl get route/${APP_NAME}-${PROTOCOL} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + elif [[ "${INGRESS_TYPE}" == "route" ]]; then + HOST=$(kubectl get route/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + else + HOST=$(kubectl get ingress/${APP_NAME} --namespace ${APP_NAMESPACE} --output=jsonpath='{ .spec.rules[0].host }') + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="http" + fi + fi + + URL="${PROTOCOL}://${HOST}${HEALTH_ENDPOINT}" + + fi + + sleep_countdown=5 + 
# sleep for 10 seconds to allow enough time for the server to start + sleep 10 + echo "Health check start" + while [[ $(curl ${CURL_FLAGS} -sL -w "%{http_code}\\n" "${URL}" -o /dev/null --connect-timeout 3 --max-time 5 --retry 3 --retry-max-time 30) != "200" ]]; do + sleep 30 + echo "Health check failure. Remaining retries: $sleep_countdown" + sleep_countdown=$((sleep_countdown-1)) + if [[ $sleep_countdown -eq 0 ]]; then + echo "Could not reach health endpoint: ${URL}" + exit 1; + fi + done + echo "Successfully reached health endpoint: ${URL}" + echo "=====================================================================" + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-smoke-tests-mq-v2-6-13 + annotations: + description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: service-port + - name: resource-type + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: 
+ name: git-credentials
+ key: username
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set -x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: deploy
+ image: $(params.tools-image)
+ workingDir: $(params.source-dir)
+ env:
+ - name: TLS_SECRET_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: ibmcloud-config
+ key: TLS_SECRET_NAME
+ optional: true
+ - name: INGRESS_SUBDOMAIN
+ valueFrom:
+ configMapKeyRef:
+ name: ibmcloud-config
+ key: INGRESS_SUBDOMAIN
+ optional: true
+ script: |
+ #!/usr/bin/env bash
+ set -ex
+ GIT_URL="$(params.git-url)"
+ GIT_REVISION="$(params.git-revision)"
+ APP_NAMESPACE="$(params.app-namespace)"
+ APP_NAME="$(params.app-name)"
+ if [[ -z "${APP_NAME}" ]]; then
+ APP_NAME="$(params.image-repository)"
+ fi
+ IMAGE_SERVER="$(params.image-server)"
+ IMAGE_NAMESPACE="$(params.image-namespace)"
+ IMAGE_REPOSITORY="$(params.image-repository)"
+ IMAGE_VERSION="$(params.image-tag)"
+ IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}"
+ INGRESS_TYPE="$(params.deploy-ingress-type)"
+ if [[ "${INGRESS_TYPE}" == "route" ]]; then
+ ROUTE_ENABLED="true"
+ INGRESS_ENABLED="false"
+ else
+ ROUTE_ENABLED="false"
+ INGRESS_ENABLED="true"
+ fi
+
+ export CHART_ROOT=$(find . -name chart)
+ echo "CHART_ROOT: $CHART_ROOT"
+
+ FILE_NUM=$(find . -name 'Chart*.yaml' |wc -l)
+ if [[ "${FILE_NUM}" -gt 1 ]]; then
+ echo "Error: Found >1 Chart*.yaml"
+ exit 1
+ fi
+
+ export CHART=$(find .
-name 'Chart*.yaml')
+ echo "CHART: $CHART"
+
+ export CHART_NAME=$(cat $CHART | yq r - name)
+ echo "CHART_NAME: $CHART_NAME"
+
+ # Update Chart name and version
+ if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then
+ echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}"
+ cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}"
+ cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \
+ yq w - name "${APP_NAME}" | \
+ yq w - version "1.0.0-rc${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml"
+ else
+ echo "Chart name and image name match: ${APP_NAME}"
+ fi
+
+ CHART_PATH="${CHART_ROOT}/${APP_NAME}"
+
+ RELEASE_NAME="${APP_NAME}"
+ echo "RELEASE_NAME: $RELEASE_NAME"
+
+ echo $(helm version)
+
+ echo "CHECKING CHART (lint)"
+ helm lint ${CHART_PATH}
+
+ PREFIX=""
+ if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then
+ DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml"
+ if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then
+ DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml"
+ fi
+
+ PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)."
+ fi
+
+ # Update helm chart with repository and tag values
+ cat ${CHART_PATH}/values.yaml | \
+ yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \
+ yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \
+ yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \
+ yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \
+ yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \
+ yq w - --style single "${PREFIX}image.tag" "${IMAGE_VERSION}" | \
+ yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \
+ yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp
+ cp ./values.yaml.tmp ${CHART_PATH}/values.yaml
+ cat ${CHART_PATH}/values.yaml
+
+ helm dep update "${CHART_PATH}"
+
+ # Using 'upgrade --install" for rolling updates.
Note that subsequent updates will occur in the same namespace the release is currently deployed in, ignoring the explicit--namespace argument".
+ helm template ${RELEASE_NAME} ${CHART_PATH} \
+ --namespace ${APP_NAMESPACE} \
+ --set ${PREFIX}ingress.tlsSecretName="${TLS_SECRET_NAME}" \
+ --set ${PREFIX}ingress.subdomain="${INGRESS_SUBDOMAIN}" > ./release.yaml
+
+ echo -e "Generated release yaml for: ${APP_NAMESPACE}/${APP_NAME}"
+ cat ./release.yaml
+
+ echo -e "Deploying into: ${APP_NAMESPACE}/${APP_NAME}"
+ kubectl apply -n ${APP_NAMESPACE} -f ./release.yaml --validate=false > results.out
+ cat results.out
+ echo "Waiting for rollout of ${APP_NAMESPACE}/${APP_NAME}"
+
+
+ cat results.out | \
+ grep -E "deployment|statefulset|integrationserver|queuemanager" | \
+ sed "s/deployment.apps/deployment/g" | \
+ sed "s/statefulset.apps/statefulset/g" | \
+ sed "s/configured//g" | \
+ sed "s/created//g" | \
+ sed "s/unchanged//g" | while read target; do
+ echo "Waiting for rollout of ${target} in ${APP_NAMESPACE}"
+ if [[ ${target} == *"integrationserver"* ]]; then
+ kubectl wait --timeout=-1s --for=condition=Ready ${target}
+ elif [[ ${target} == *"queuemanager"* ]]; then
+ until [[ "$(kubectl get ${target} -o 'jsonpath={.status.phase}')" = "Running" ]];
+ do
+ sleep 5
+ echo "Waiting for Queuemanager to be ready."
+ done
+ else
+ kubectl rollout status -n ${APP_NAMESPACE} ${target}
+ SERVICE_PORT=$(kubectl get svc "${APP_NAME}" -n "${APP_NAMESPACE}" -o jsonpath="{.spec.ports[?(@.name == 'http')].port}")
+ echo -n "${SERVICE_PORT}" | tee $(results.service-port.path)
+ fi
+ echo -n "${target}" | cut -f1 -d / | tee $(results.resource-type.path)
+ done
+ - name: health-check
+ image: $(params.tools-image)
+ script: |
+ #!/usr/bin/env bash
+ set -x
+
+ APP_NAME="$(params.app-name)"
+
+ # RELEASE_NAME="${APP_NAME}"
+ RELEASE_NAME="qm-dev"
+ echo "RELEASE_NAME: $RELEASE_NAME"
+
+ podname=$(kubectl get pods --selector=app.kubernetes.io/instance=$RELEASE_NAME -o custom-columns=POD:.metadata.name --no-headers | head -n 1)
+ echo "podname: $podname"
+
+ queue="QM1"
+ echo "queue name: $queue"
+
+ echo "Sleep before test to make sure QMGR is up"
+ sleep 20
+
+ echo "Print the queue details: ..."
+ echo ""
+ kubectl exec $podname -- /bin/bash -c "echo \"define qlocal($queue) replace\" | runmqsc "
+
+ echo "Print the queue details: ..."
+ echo ""
+ kubectl exec $podname -- /bin/bash -c "echo \"DISPLAY QL($queue) ALL\" | runmqsc" > checkQ.txt 2>&1
+ cat checkQ.txt
+
+ if grep -q "QUEUE($queue)" checkQ.txt; then
+ echo "Queue has been successfully created."
+ else
+ exit 1
+ fi
+
+ # put message on queue
+ kubectl exec $podname -- /bin/bash -c "echo \"hello-world\" | /opt/mqm/samp/bin/amqsput $queue" > putMessage.txt 2>&1
+ cat putMessage.txt
+ echo "----------"
+ fail="reason code"
+ if grep -q "$fail" putMessage.txt; then
+ exit 1
+ else
+ echo "Message has been successfully put the queue."
+ fi
+
+ # get message on queue
+ kubectl exec $podname -c qmgr -- /opt/mqm/samp/bin/amqsget $queue > getMessage.txt 2>&1
+ cat getMessage.txt
+ if grep -q "hello-world" getMessage.txt; then
+ echo "Message has been found on the queue."
+ else
+ echo "Error: Message has not been retrieved from the queue."
+ exit 1
+ fi
+ - name: cleanup
+ image: $(params.tools-image)
+ workingDir: $(params.source-dir)
+ env:
+ - name: TLS_SECRET_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: ibmcloud-config
+ key: TLS_SECRET_NAME
+ optional: true
+ - name: INGRESS_SUBDOMAIN
+ valueFrom:
+ configMapKeyRef:
+ name: ibmcloud-config
+ key: INGRESS_SUBDOMAIN
+ optional: true
+ script: |
+ #!/usr/bin/env bash
+ set -ex
+
+ APP_NAMESPACE="$(params.app-namespace)"
+
+ kubectl delete -n ${APP_NAMESPACE} -f ./release.yaml
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-nodejs-test-v2-6-13
+ annotations:
+ description: Executes build, test, and sonarscan logic for a NodeJS application
+ app.openshift.io/description: Executes build, test, and sonarscan logic for a NodeJS application
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: git-url
+ - name: git-revision
+ default: master
+ - name: app-name
+ default: ''
+ - name: source-dir
+ default: /source
+ - name: js-image
+ default: quay.io/ibmgaragecloud/node:lts-stretch
+ - name: sonarqube-cli
+ default: quay.io/ibmgaragecloud/sonarsource-sonar-scanner-cli
+ volumes:
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: git-clone
+ image: quay.io/ibmgaragecloud/alpine-git
+ env:
+ - name: GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: password
+ optional: true
+ - name: GIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: username
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set
-x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: build
+ image: $(params.js-image)
+ workingDir: $(params.source-dir)
+ env:
+ - name: npm_config_registry
+ valueFrom:
+ secretKeyRef:
+ name: npm-config
+ key: npm_config_registry
+ optional: true
+ script: |
+ npm install
+ if [ -d client ]; then
+ cd client
+ npm install
+ cd -
+ fi
+ npm run build --if-present
+ - name: test
+ image: $(params.js-image)
+ workingDir: $(params.source-dir)
+ script: |
+ CI=true npm test
+ - name: publish-pact
+ image: $(params.js-image)
+ workingDir: $(params.source-dir)
+ env:
+ - name: PACTBROKER_URL
+ valueFrom:
+ secretKeyRef:
+ name: pactbroker-access
+ key: PACTBROKER_URL
+ optional: true
+ script: |
+ if [ -n "${PACTBROKER_URL}" ]; then
+ npm run pact:publish --if-present
+ else
+ echo "Skipping Pact publish"
+ fi
+ - name: verify-pact
+ image: $(params.js-image)
+ workingDir: $(params.source-dir)
+ env:
+ - name: PACTBROKER_URL
+ valueFrom:
+ secretKeyRef:
+ name: pactbroker-access
+ key: PACTBROKER_URL
+ optional: true
+ script: |
+ if [ -n "${PACTBROKER_URL}" ]; then
+ npm run pact:verify --if-present
+ else
+ echo "Skipping Pact publish"
+ fi
+ - name: sonar-scan
+ image: $(params.sonarqube-cli)
+ workingDir: $(params.source-dir)
+ env:
+ - name: SONAR_USER_HOME
+ value: $(params.source-dir)
+ - name: SONARQUBE_URL
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_URL
+ optional: true
+ - name: SONARQUBE_USER
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_USER
+ optional: true
+ - name: SONARQUBE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_PASSWORD
+ optional: true
+ script: |
+ APP_NAME=$(params.app-name)
+
+ if !
command -v sonar-scanner &> /dev/null
+ then
+ echo "Skipping SonarQube step, no task defined"
+ exit 0
+ fi
+
+ if [ -n "${SONARQUBE_URL}" ]; then
+
+ sonar-scanner \
+ -Dsonar.login=${SONARQUBE_USER} \
+ -Dsonar.password=${SONARQUBE_PASSWORD} \
+ -Dsonar.host.url=${SONARQUBE_URL} \
+ -Dsonar.projectKey=${APP_NAME}
+
+ else
+ echo "Skipping Sonar Qube step"
+ fi
+
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-img-release-v2-6-13
+ annotations:
+ description: Tags the git repository and releases the intermediate container image with the version tag
+ app.openshift.io/description: Tags the git repository and releases the intermediate container image with the version tag
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: image-from
+ default: ""
+ - name: image-to
+ default: ""
+ - name: SKOPEO_IMAGE
+ default: quay.io/containers/skopeo:v1.1.0
+ - name: IMAGE_FROM_TLS_VERIFY
+ default: "true"
+ - name: IMAGE_TO_TLS_VERIFY
+ default: "true"
+ results:
+ - name: image-url
+ description: The url of the image to be pushed
+ volumes:
+ - name: varlibcontainers
+ emptyDir: {}
+ steps:
+ - name: image-tag
+ image: $(params.SKOPEO_IMAGE)
+ env:
+ - name: REGISTRY_USER
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_USER
+ optional: true
+ - name: REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_PASSWORD
+ optional: true
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ securityContext:
+ privileged: true
+ script: |
+ IMAGE_FROM="$(params.image-from)"
+ REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}')
+ IMAGE_TO="$(params.image-to)"
+ REGISTRY_SERVER_TO=$(echo "${IMAGE_TO}" | awk -F / '{print $1}')
+ IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY)
+ IMAGE_TO_TLS_VERIFY=$(params.IMAGE_TO_TLS_VERIFY)
+
+ echo "Tagging
${IMAGE_FROM} as ${IMAGE_TO}"
+ set +x
+ if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ ! "${REGISTRY_SERVER_FROM}" =~ ":" ]]; then
+ IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}"
+ fi
+ if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ ! "${REGISTRY_SERVER_TO}" =~ ":" ]]; then
+ IMAGE_TO_CREDS="--dest-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}"
+ fi
+ set -x
+ if [[ "${REGISTRY_SERVER_FROM}" =~ ":" ]]; then
+ IMAGE_FROM_TLS_VERIFY="false"
+ fi
+ if [[ "${REGISTRY_SERVER_TO}" =~ ":" ]]; then
+ IMAGE_TO_TLS_VERIFY="false"
+ fi
+
+ echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} --dest-creds=xxxx --dest-tls-verify=${IMAGE_TO_TLS_VERIFY} docker://${IMAGE_FROM} docker://${IMAGE_TO}"
+ set +x
+ skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} ${IMAGE_TO_CREDS} --dest-tls-verify=${IMAGE_TO_TLS_VERIFY} docker://${IMAGE_FROM} docker://${IMAGE_TO}
+ set -x
+ echo -n "${IMAGE_TO}" | tee $(results.image-url.path)
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-golang-test-v2-6-13
+ annotations:
+ description: Executes build, test, and sonarscan logic for a Golang application
+ app.openshift.io/description: Executes build, test, and sonarscan logic for a Golang application
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: git-url
+ - name: git-revision
+ default: master
+ - name: source-dir
+ default: /source
+ - name: app-name
+ default: "my-golang-app"
+ - name: golang-image
+ default: quay.io/ibmgaragecloud/golang:stretch
+ - name: sonarqube-cli
+ default: quay.io/ibmgaragecloud/sonarsource-sonar-scanner-cli
+ volumes:
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: git-clone
+ image: quay.io/ibmgaragecloud/alpine-git
+ env:
+ -
name: GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: password
+ optional: true
+ - name: GIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: username
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set -x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: build
+ image: $(params.golang-image)
+ workingDir: $(params.source-dir)
+ script: |
+ go build ./...
+ - name: test
+ image: $(params.golang-image)
+ workingDir: $(params.source-dir)
+ script: |
+ go test ./...
+ - name: sonar-scan
+ image: $(params.sonarqube-cli)
+ workingDir: $(params.source-dir)
+ env:
+ - name: SONAR_USER_HOME
+ value: $(params.source-dir)
+ - name: SONARQUBE_URL
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_URL
+ optional: true
+ - name: SONARQUBE_USER
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_USER
+ optional: true
+ - name: SONARQUBE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_PASSWORD
+ optional: true
+ script: |
+ APP_NAME=$(params.app-name)
+
+ if !
command -v sonar-scanner &> /dev/null
+ then
+ echo "Skipping SonarQube step, no task defined"
+ exit 0
+ fi
+
+ if [ -n "${SONARQUBE_URL}" ]; then
+
+ sonar-scanner \
+ -Dsonar.login=${SONARQUBE_USER} \
+ -Dsonar.password=${SONARQUBE_PASSWORD} \
+ -Dsonar.host.url=${SONARQUBE_URL} \
+ -Dsonar.projectKey=${APP_NAME}
+
+ else
+ echo "Skipping Sonar Qube step for now but include"
+ fi
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-img-scan-ibm-v2-6-13
+ annotations:
+ description: Checks the results for the Vulnerability Advisor scan if deploying images to IBM Container Registry
+ app.openshift.io/description: Checks the results for the Vulnerability Advisor scan if deploying images to IBM Container Registry
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: image-url
+ description: "The location of image to scan on IBM Container Registry //:"
+ - name: scan-image
+ description: Flag indicating that a scan should be performed
+ default: "false"
+ - name: tools-image
+ default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4
+ - name: source-dir
+ default: /source
+ volumes:
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: scan-image
+ image: $(params.tools-image)
+ workingDir: $(params.source-dir)
+ env:
+ - name: HOME
+ value: /home/devops
+ - name: IBM_CLOUD_APIKEY
+ valueFrom:
+ secretKeyRef:
+ key: APIKEY
+ name: ibmcloud-apikey
+ optional: true
+ - name: IBM_CLOUD_REGION
+ valueFrom:
+ configMapKeyRef:
+ name: ibmcloud-config
+ key: REGION
+ optional: true
+ script: |
+ #!/usr/bin/env bash
+ set -ex
+
+ IMAGE_URL=$(params.image-url)
+ REGISTRY_SERVER=$(echo $(params.image-url) | awk -F / '{print $1}')
+ PERFORM_SCAN="$(params.scan-image)"
+
+ if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then
+ echo "User selected to skip
scanning. Skipping Vulnerability Advisor validation."
+ exit 0
+ fi
+ if [[ ! "${REGISTRY_SERVER}" =~ icr.io ]]; then
+ echo "The image is not stored in the IBM Cloud Image Registry. Skipping Vulnerability Advisor validation"
+ exit 0
+ fi
+
+
+ echo -e "VA Security Scan image in registry"
+
+ echo "Registry URL: ${REGISTRY_SERVER}"
+
+ set +x
+ ibmcloud login --apikey ${IBM_CLOUD_APIKEY} -r ${IBM_CLOUD_REGION}
+ ibmcloud target -r ${IBM_CLOUD_REGION}
+ set -x
+ ibmcloud cr namespace-list
+
+ echo "Getting the VA status of ${IMAGE_URL}"
+
+ set +e
+ ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later"
+ retry=$?
+ while [ $retry -eq 0 ]; do
+ sleep 30
+ echo "Trying again to see if scan is done"
+ ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later"
+ retry=$?
+ done
+ set -e
+ ibmcloud cr va ${IMAGE_URL} --output json
+ echo "Saving results to va-result.json"
+ ibmcloud cr va ${IMAGE_URL} --output json > va-result.json
+ VA_STATUS=$(cat va-result.json | jq -r '.[].status')
+
+ echo "VA scan status: ${VA_STATUS}"
+
+ if [[ "${VA_STATUS}" == "OK" ]]; then
+ echo "VA - No Issues in the image"
+ exit 0
+ elif [[ $(cat va-result.json | jq -r '.[].vulnerabilities | length') -gt 0 ]]; then
+ echo "VA Failure: $(cat va-result.json | jq -r '.[].vulnerabilities | length') vulnerabilities found in the image"
+ cat va-result.json | jq -r '.[].vulnerabilities'
+ exit 1
+ elif [[ $(cat va-result.json | jq -r '.[].configuration_issues | length') -gt 0 ]]; then
+ echo "VA Warning - $(cat va-result.json | jq -r '.[].configuration_issues | length') configuration issues found in the image"
+ cat va-result.json | jq -r '.[].configuration_issues'
+ exit 0
+ else
+ echo "VA Warning: non-OK status from Vulnerability Advisor ${VA_STATUS}"
+ cat va-result.json | jq -r '.[]'
+ fi
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-build-tag-push-ace-bar-v2-6-13
+ annotations:
+ description: Executes logic to build, tag and push a
container image using the intermediate sha tag to the image-url
+ app.openshift.io/description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: git-url
+ - name: git-revision
+ default: master
+ - name: source-dir
+ default: /source
+ - name: image-server
+ default: ""
+ - name: image-namespace
+ default: ""
+ - name: image-repository
+ default: ""
+ - name: image-tag
+ default: ""
+ - name: BUILDER_IMAGE
+ default: quay.io/buildah/stable:v1.15.0
+ - name: DOCKERFILE
+ default: ./Dockerfile
+ - name: CONTEXT
+ default: .
+ - name: TLSVERIFY
+ default: "false"
+ - name: FORMAT
+ default: docker
+ - name: STORAGE_DRIVER
+ description: Set buildah storage driver
+ default: overlay
+ - name: app-name
+ default: ""
+ - name: ace-project
+ default: ""
+ volumes:
+ - name: varlibcontainers
+ emptyDir: {}
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: git-clone
+ image: quay.io/ibmgaragecloud/alpine-git
+ env:
+ - name: GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: git-credentials
+ optional: true
+ - name: GIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: git-credentials
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set -x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: compile
+ image: docker.io/rsundara/ace-build
+ envFrom:
+ - secretRef:
+ name: artifactory-access
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ set -eu;
+ echo "Compile BAR";
+
+ # Used for debugging with mqsicreatebar
+ /usr/bin/Xvfb :100 &
+ export DISPLAY=:100
+
+ cd $(params.source-dir)/workspace
+ echo "Generating BAR"
+ mqsicreatebar -data . -b $(params.source-dir)/$(params.app-name)-$(params.image-tag).bar -a $(params.ace-project)
+
+ echo "Upload BAR to Artifactory"
+ curl -u ${ARTIFACTORY_USER}:${ARTIFACTORY_ENCRYPT} -T $(params.source-dir)/$(params.app-name)-$(params.image-tag).bar "$(ARTIFACTORY_URL)/artifactory/generic-local/$(params.app-name)-$(params.image-tag).bar"
+ - name: build
+ image: $(params.BUILDER_IMAGE)
+ workingDir: $(params.source-dir)
+ env:
+ - name: REGISTRY_USER
+ valueFrom:
+ secretKeyRef:
+ key: REGISTRY_USER
+ name: registry-access
+ optional: true
+ - name: REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: REGISTRY_PASSWORD
+ name: registry-access
+ optional: true
+ envFrom:
+ - secretRef:
+ name: ibm-entitled-registry-credentials
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ securityContext:
+ privileged: true
+ script: |
+ APP_IMAGE="$(params.image-server)/$(params.image-namespace)/$(params.image-repository):$(params.image-tag)"
+ buildah login -u ${IBM_ENTITLED_REGISTRY_USER} -p ${IBM_ENTITLED_REGISTRY_PASSWORD} cp.icr.io
+ buildah --layers --storage-driver=$(params.STORAGE_DRIVER) bud --format=$(params.FORMAT) --tls-verify=$(params.TLSVERIFY) -f $(params.DOCKERFILE) -t ${APP_IMAGE} $(params.CONTEXT)
+ set +x
+ if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "$(params.image-server)" != "image-registry.openshift-image-registry.svc:5000" ]]; then
+ buildah login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" "$(params.image-server)"
+ echo "buildah login -u "${REGISTRY_USER}" -p "xxxxx" "$(params.image-server)""
+ fi
+ set -x
+ buildah --storage-driver=$(params.STORAGE_DRIVER) push --tls-verify=$(params.TLSVERIFY) --digestfile ./image-digest ${APP_IMAGE} docker://${APP_IMAGE}
+
+---
+apiVersion:
tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-java-gradle-test-v2-6-13
+ annotations:
+ description: Executes build, test, and sonarscan logic for a Java gradle application
+ app.openshift.io/description: Executes build, test, and sonarscan logic for a Java gradle application
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: git-url
+ - name: git-revision
+ default: master
+ - name: source-dir
+ default: /source
+ - name: app-name
+ default: "my-java-gradle-app"
+ - name: gradle-image
+ default: quay.io/ibmgaragecloud/gradle:jdk11
+ - name: sonarqube-java-bin-path
+ default: build
+ - name: sonarqube-cli
+ default: quay.io/ibmgaragecloud/sonarsource-sonar-scanner-cli
+ volumes:
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ env:
+ - name: GRADLE_USER_HOME
+ value: $(params.source-dir)
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: git-clone
+ image: quay.io/ibmgaragecloud/alpine-git
+ env:
+ - name: GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: password
+ optional: true
+ - name: GIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: username
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set -x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: build
+ image: $(params.gradle-image)
+ workingDir: $(params.source-dir)
+ script: |
+ ./gradlew assemble --no-daemon
+ - name: test
+ image: $(params.gradle-image)
+ workingDir: $(params.source-dir)
+ script: |
+ ./gradlew testClasses --no-daemon
+ - name: sonar-scan
+ image:
$(params.sonarqube-cli)
+ workingDir: $(params.source-dir)
+ env:
+ - name: SONAR_USER_HOME
+ value: $(params.source-dir)
+ - name: SONARQUBE_URL
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_URL
+ optional: true
+ - name: SONARQUBE_USER
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_USER
+ optional: true
+ - name: SONARQUBE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: sonarqube-access
+ key: SONARQUBE_PASSWORD
+ optional: true
+ script: |
+ APP_NAME=$(params.app-name)
+ SONARQUBE_JAVA_BINARIES_PATH="$(params.sonarqube-java-bin-path)"
+
+ if ! command -v sonar-scanner &> /dev/null
+ then
+ echo "Skipping SonarQube step, no task defined"
+ exit 0
+ fi
+
+ if [ -n "${SONARQUBE_URL}" ]; then
+
+ sonar-scanner \
+ -Dsonar.login=${SONARQUBE_USER} \
+ -Dsonar.password=${SONARQUBE_PASSWORD} \
+ -Dsonar.host.url=${SONARQUBE_URL} \
+ -Dsonar.projectKey=${APP_NAME} \
+ -Dsonar.java.binaries=${SONARQUBE_JAVA_BINARIES_PATH}
+
+ else
+ echo "Skipping Sonar Qube step for now but include"
+ fi
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-operator-test-v2-6-13
+ annotations:
+ description: Executes build, test, and sonarscan logic for a Java gradle application
+ app.openshift.io/description: Executes build, test, and sonarscan logic for a Java gradle application
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: git-url
+ - name: git-revision
+ default: master
+ - name: source-dir
+ default: /source
+ - name: app-name
+ default: "my-java-gradle-app"
+ - name: build-image
+ default: quay.io/ibmgaragecloud/operator-sdk:v0.10.4
+ volumes:
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: git-clone
+ image: quay.io/ibmgaragecloud/alpine-git
+ env:
+ - name: GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name:
git-credentials
+ key: password
+ optional: true
+ - name: GIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: username
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set -x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: test
+ image: $(params.build-image)
+ workingDir: $(params.source-dir)
+ script: |
+ make test
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: ibm-operator-catalog-build-v2-6-13
+ annotations:
+ description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url
+ app.openshift.io/description: Executes logic to build, tag and push a container image using the intermediate sha tag to the image-url
+ app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks
+ app.openshift.io/vcs-ref: master
+ labels:
+ version: 2.6.13
+spec:
+ params:
+ - name: git-url
+ - name: git-revision
+ default: master
+ - name: source-dir
+ default: /source
+ - name: subdir
+ default: ""
+ - name: image-url
+ default: ""
+ - name: OPM_IMAGE
+ default: quay.io/ibmgaragecloud/operator-sdk:v0.10.4
+ - name: BUILDER_IMAGE
+ default: quay.io/buildah/stable:v1.15.1
+ - name: DOCKERFILE
+ default: ./index.Dockerfile
+ - name: CONTEXT
+ default: .
+ - name: TLSVERIFY
+ default: "true"
+ - name: FORMAT
+ default: "docker"
+ - name: BUNDLE_CATALOG
+ default: "bundles.txt"
+ - name: STORAGE_DRIVER
+ description: Set buildah storage driver
+ default: overlay
+ volumes:
+ - name: varlibcontainers
+ emptyDir: {}
+ - name: source
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - name: source
+ mountPath: $(params.source-dir)
+ steps:
+ - name: git-clone
+ image: quay.io/ibmgaragecloud/alpine-git
+ env:
+ - name: GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: password
+ optional: true
+ - name: GIT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: git-credentials
+ key: username
+ optional: true
+ script: |
+ set +x
+ if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then
+ git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir)
+ else
+ set -x
+ git clone $(params.git-url) $(params.source-dir)
+ fi
+ set -x
+ cd $(params.source-dir)
+ git checkout $(params.git-revision)
+ - name: generate-catalog
+ image: $(params.OPM_IMAGE)
+ workingDir: $(params.source-dir)
+ env:
+ - name: REGISTRY_URL
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_URL
+ optional: true
+ - name: REGISTRY_USER
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_USER
+ optional: true
+ - name: REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_PASSWORD
+ optional: true
+ - name: GIT_PARENT_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: olm-catalog-repo
+ key: parentdir
+ optional: true
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ securityContext:
+ privileged: true
+ script: |
+
+ if [[ -n "${GIT_PARENT_DIR}" ]]; then
+ cd "${GIT_PARENT_DIR}"
+ fi
+
+ if [[ -n "$(params.subdir)" ]]; then
+ cd "$(params.subdir)"
+ fi
+
+ if [[ "$(params.TLSVERIFY)" == "false" ]] || [[ "${REGISTRY_URL}" ==
"image-registry.openshift-image-registry.svc:5000" ]]; then
+ SKIPTLS="--skip-tls=true"
+ fi
+
+ touch $(params.BUNDLE_CATALOG)
+
+ BUNDLES=$(cat $(params.BUNDLE_CATALOG) | paste -sd "," -)
+
+ set +x
+
+ if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ -n "{REGISTRY_URL}" ]] && [[ "${REGISTRY_URL}" != "image-registry.openshift-image-registry.svc:5000" ]]; then
+ mkdir -p "${HOME}/.docker"
+ echo "podman login -u "${REGISTRY_USER}" -p "xxxxx" --authfile="${HOME}/.docker/config.json" "${REGISTRY_URL}""
+ podman login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" --authfile="${HOME}/.docker/config.json" "${REGISTRY_URL}"
+ fi
+
+ set -x
+
+ opm index add ${SKIPTLS} --bundles "${BUNDLES}" --generate -d $(params.DOCKERFILE)
+ - name: build
+ image: $(params.BUILDER_IMAGE)
+ workingDir: $(params.source-dir)
+ env:
+ - name: REGISTRY_USER
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_USER
+ optional: true
+ - name: REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: registry-access
+ key: REGISTRY_PASSWORD
+ optional: true
+ - name: GIT_PARENT_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: olm-catalog-repo
+ key: parentdir
+ optional: true
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ securityContext:
+ privileged: true
+ script: |
+
+ if [[ -n "${GIT_PARENT_DIR}" ]]; then
+ cd "${GIT_PARENT_DIR}"
+ fi
+ if [[ -n "$(params.subdir)" ]]; then
+ cd "$(params.subdir)"
+ fi
+
+ IMAGE_TO="$(params.image-url)"
+ REGISTRY_SERVER_TO=$(echo "${IMAGE_TO}" | awk -F / '{print $1}')
+
+ buildah --layers --storage-driver=$(params.STORAGE_DRIVER) bud --format=$(params.FORMAT) --tls-verify=$(params.TLSVERIFY) -f $(params.DOCKERFILE) -t ${IMAGE_TO} $(params.CONTEXT)
+ set +x
+ if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ !
"${REGISTRY_SERVER_TO}" =~ ":" ]]; then + buildah login -u "${REGISTRY_USER}" -p "${REGISTRY_PASSWORD}" ${REGISTRY_SERVER_TO} + echo "buildah login -u "${REGISTRY_USER}" -p "xxxxx" ${REGISTRY_SERVER_TO}" + fi + set -x + buildah --storage-driver=$(params.STORAGE_DRIVER) push --tls-verify=$(params.TLSVERIFY) --digestfile ./image-digest ${APP_IMAGE} docker://${IMAGE_TO} + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-sonar-test-v2-6-13 + annotations: + description: Executes build, test, and sonarscan logic for a Python application + app.openshift.io/description: Executes build, test, and sonarscan logic for a NodeJS application + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: app-name + default: '' + - name: source-dir + default: /source + - name: sonarqube-cli + default: quay.io/ibmgaragecloud/sonarsource-sonar-scanner-cli + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: sonar-scan + image: $(params.sonarqube-cli) + workingDir: $(params.source-dir) + env: + - name: SONAR_USER_HOME + value: 
$(params.source-dir) + - name: SONARQUBE_URL + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_URL + optional: true + - name: SONARQUBE_USER + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_USER + optional: true + - name: SONARQUBE_PASSWORD + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_PASSWORD + optional: true + script: | + APP_NAME=$(params.app-name) + + if ! command -v sonar-scanner &> /dev/null + then + echo "Skipping SonarQube step, no task defined" + exit 0 + fi + + if [ -n "${SONARQUBE_URL}" ]; then + + sonar-scanner \ + -Dsonar.login=${SONARQUBE_USER} \ + -Dsonar.password=${SONARQUBE_PASSWORD} \ + -Dsonar.host.url=${SONARQUBE_URL} \ + -Dsonar.projectKey=${APP_NAME} + + else + echo "Skipping Sonar Qube step" + fi + + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-tag-release-v2-6-13 + annotations: + description: Tags the git repository with the next version release value + app.openshift.io/description: Tags the git repository with the next version release value + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: skip-push + default: "" + - name: js-image + default: quay.io/ibmgaragecloud/node:lts-stretch + results: + - name: tag + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n 
"${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + # Need to create branch to make release-it work + git switch -c local + - name: git-tag + image: $(params.js-image) + workingDir: $(params.source-dir) + script: | + #!/usr/bin/env bash + set -ex + + echo "Current branch: $(git rev-parse --abbrev-ref HEAD)" + git fetch --tags + git config --global user.email "cloud-native-toolkit@example.com" + git config --global user.name "Cloud Native Toolkit Pipeline" + if [[ $(git describe --tag `git rev-parse HEAD`) =~ (^[0-9]+.[0-9]+.[0-9]+$) ]]; then + echo "Latest commit is already tagged" + NEW_TAG="$(git describe --abbrev=0 --tags)" + echo -n "${NEW_TAG}" | tee $(results.tag.path) + exit 0 + fi + mkdir -p ~/.npm + npm config set prefix ~/.npm + export PATH=$PATH:~/.npm/bin + npm i -g release-it + + release-it patch \ + --ci \ + --no-npm \ + --no-git.push \ + --no-git.requireCleanWorkingDir \ + --no-git.requireUpstream \ + -VV + + if [[ -z "$(params.skip-push)" ]]; then + set +x + git push --tags -v + set -x + fi + + NEW_TAG="$(git describe --abbrev=0 --tags)" + if [[ -z "${NEW_TAG}" ]]; then + echo "Error: NEW_TAG not defined" + exit 1 + fi + echo -n "${NEW_TAG}" | tee $(results.tag.path) +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gitops-with-pr-v2-6-13 + annotations: + description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master 
+ labels: + version: 2.6.13 +spec: + params: + - name: app-name + default: "" + - name: version + default: "" + - name: source-dir + default: /source + - name: subdir + default: "" + - name: parentdir + default: "" + - name: yaml + default: "requirements.yaml" + - name: helm-url + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: gitops + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: username + optional: true + - name: GIT_PASSWORD_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: gitops-repo + key: parentdir-services + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo + key: org + optional: true + - name: GIT_REPO + valueFrom: + configMapKeyRef: + name: gitops-repo + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: gitops-repo + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAME="$(params.app-name)" + SUBDIR="$(params.subdir)" + if [[ -z "${SUBDIR}" ]]; then + SUBDIR="${APP_NAME}" + fi + if [[ -n "$(params.parentdir)" ]]; then + 
PARENT_DIR="$(params.parentdir)" + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR | tail -n 1) + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR}" + else + PARENT_DIR="." + fi + SUBDIR="${PARENT_DIR}/${SUBDIR}" + + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + YAML_FILE="$(params.yaml)" + VERSION="$(params.version)" + HELM_URL="$(params.helm-url)" + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. Skipping trigger step" + exit 0 + fi + + set +x + if [[ -n "${GIT_USERNAME_CD}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME_CD}" + GIT_AUTH_PWD="${GIT_PASSWORD_CD}" + elif [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} gitops_cd + set -x + cd gitops_cd + + if [[ -f "${SUBDIR}/${YAML_FILE}" ]]; then + echo "Requirements before update" + cat "${SUBDIR}/${YAML_FILE}" + + yq r "${SUBDIR}/${YAML_FILE}" -j | \ + jq --arg APP_NAME "${APP_NAME}" --arg VERSION "${VERSION}" --arg REPO "${HELM_URL}" '.dependencies |= map((select(.name == $APP_NAME) | .version = $VERSION | .repository = $REPO) // .)' | \ + yq r --prettyPrint - > "${SUBDIR}/${YAML_FILE}.new" + + rm "${SUBDIR}/${YAML_FILE}" + mv 
"${SUBDIR}/${YAML_FILE}.new" "${SUBDIR}/${YAML_FILE}" + + echo "Requirements after update" + cat "${SUBDIR}/${YAML_FILE}" + + elif [[ -n "${HELM_URL}" ]]; then + echo "Creating first time chart using ${SUBDIR}" + # create directory + mkdir -p "${SUBDIR}" + + # WARNING: Do not indent the cat commands below + + cat <"${SUBDIR}/Chart.yaml" + apiVersion: v2 + version: 0.1.0 + name: ${APP_NAME} + description: Chart to configure ArgoCD with the ${APP_NAME} project and its applications + EOF + + cat <"${SUBDIR}/${YAML_FILE}" + dependencies: + - name: ${APP_NAME} + version: ${VERSION} + repository: >- + ${HELM_URL} + EOF + + cat <"${SUBDIR}/values.yaml" + global: {} + ${APP_NAME}: + replicaCount: 1 + EOF + + + else + echo "GitOps repo configured but unable to update application config" + exit 1 + fi + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + git checkout -b cntk-ci-pipeline-${APP_NAME}-${VERSION} + + # push changes to git + git add "${SUBDIR}/" + git commit -m "Cloudnative toolkit pipeline updates ${APP_NAME} to ${VERSION}" + git remote rm origin + + git remote add origin ${GIT_URL} > /dev/null 2>&1 + git push origin cntk-ci-pipeline-${APP_NAME}-${VERSION} + + GIT_PUSH_URL="${PROTOCOL}://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/pulls" + curl -u ${GIT_AUTH_USER}:${GIT_AUTH_PWD} -d '{"title":"PR to promote to next environment","base":"'${GIT_BRANCH}'", "head":"'${GIT_ORG}':cntk-ci-pipeline-'${APP_NAME}'-'${VERSION}'"}' ${GIT_PUSH_URL} + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-deploy-v2-6-13 + annotations: + description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/description: Deploys the application to the CI environment for verification using the provided helm chart + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: 
git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-server + default: "" + - name: image-namespace + default: "" + - name: image-repository + default: "" + - name: image-tag + default: "" + - name: app-namespace + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: service-port + - name: resource-type + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: deploy + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + script: | + #!/usr/bin/env bash + set -ex + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + APP_NAMESPACE="$(params.app-namespace)" + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="$(params.image-repository)" + fi + IMAGE_SERVER="$(params.image-server)" + 
IMAGE_NAMESPACE="$(params.image-namespace)" + IMAGE_REPOSITORY="$(params.image-repository)" + IMAGE_VERSION="$(params.image-tag)" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + FILE_NUM=$(find . -name 'Chart*.yaml' |wc -l) + if [[ "${FILE_NUM}" -gt 1 ]]; then + echo "Error: Found >1 Chart*.yaml" + exit 1 + fi + + export CHART=$(find . -name 'Chart*.yaml') + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "1.0.0-rc${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." 
+ fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - --style single "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + helm dep update "${CHART_PATH}" + + # Using 'upgrade --install" for rolling updates. Note that subsequent updates will occur in the same namespace the release is currently deployed in, ignoring the explicit--namespace argument". + helm template ${RELEASE_NAME} ${CHART_PATH} \ + --namespace ${APP_NAMESPACE} \ + --set ${PREFIX}ingress.tlsSecretName="${TLS_SECRET_NAME}" \ + --set ${PREFIX}ingress.subdomain="${INGRESS_SUBDOMAIN}" > ./release.yaml + + echo -e "Generated release yaml for: ${APP_NAMESPACE}/${APP_NAME}" + cat ./release.yaml + + echo -e "Deploying into: ${APP_NAMESPACE}/${APP_NAME}" + kubectl apply -n ${APP_NAMESPACE} -f ./release.yaml --validate=false > results.out + cat results.out + echo "Waiting for rollout of ${APP_NAMESPACE}/${APP_NAME}" + + + cat results.out | \ + grep -E "deployment|statefulset|integrationserver|queuemanager" | \ + sed "s/deployment.apps/deployment/g" | \ + sed "s/statefulset.apps/statefulset/g" | \ + sed "s/configured//g" | \ + sed "s/created//g" | \ + sed "s/unchanged//g" | while read target; do + echo "Waiting for rollout of ${target} in ${APP_NAMESPACE}" + if [[ ${target} == *"integrationserver"* ]]; then + kubectl wait --timeout=-1s --for=condition=Ready ${target} + elif [[ ${target} == *"queuemanager"* ]]; then + until [[ "$(kubectl get ${target} -o 'jsonpath={.status.phase}')" = 
"Running" ]]; + do + sleep 5 + echo "Waiting for Queuemanager to be ready." + done + else + kubectl rollout status -n ${APP_NAMESPACE} ${target} + SERVICE_PORT=$(kubectl get svc "${APP_NAME}" -n "${APP_NAMESPACE}" -o jsonpath="{.spec.ports[?(@.name == 'http')].port}") + echo -n "${SERVICE_PORT}" | tee $(results.service-port.path) + fi + echo -n "${target}" | cut -f1 -d / | tee $(results.resource-type.path) + done + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-setup-v2-6-13 + annotations: + description: Sets up the pipeline environment and generates/normalizes a number of param values + app.openshift.io/description: Sets up the pipeline environment and generates/normalizes a number of param values + app.openshift.io/vcs-ref: master + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + labels: + version: 2.6.13 +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: source-dir + default: /source + - name: image-url + description: The dev image (use image-release for released image) + default: "" + - name: image-server + description: The dev image registry server if params.image-url not provided + default: "" + - name: image-namespace + description: The dev image registry namespace if params.image-url not provided + default: "" + - name: image-repository + description: The dev image registry repository/imagename if params.image-url not provided + default: "" + - name: image-tag + description: The dev image registry tag if params.image-url not provided + default: "" + - name: image-release + description: The url of final released image + default: "" + - name: app-namespace + description: The openshift/kubernetes namespace to deploy dev app + default: "" + - name: app-name + description: The app name to be use in openshift/kuberentes deployment and helm chart + default: "" 
+ - name: deploy-ingress-type + default: "route" + - name: health-protocol + default: "https" + - name: health-endpoint + description: Endpoint to check health after deployment, liberty uses / not /health + default: "/health" + - name: health-url + description: Override for health check url + default: "" + - name: health-curl + description: Override for health check curl flags + default: "-k" + - name: scan-image + description: Flag indicating that a Vulnerability Advisor scan should be performed + default: "false" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + - name: js-image + default: quay.io/ibmgaragecloud/node:lts-stretch + - name: ace-project + description: Name of the ACE Toolkit project + default: "" + - name: lint-dockerfile + description: Flag indication that Dockerfile will be linted + default: "true" + results: + - name: git-url + - name: git-revision + - name: source-dir + - name: image-url + - name: image-server + - name: image-namespace + - name: image-repository + - name: image-tag + - name: image-release + - name: app-namespace + - name: app-name + - name: deploy-ingress-type + - name: health-protocol + - name: health-endpoint + - name: health-url + - name: health-curl + - name: tools-image + - name: js-image + - name: scan-image + - name: scan-trivy + - name: scan-ibm + - name: ace-project + - name: dockerfile-lint + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: REGISTRY_RELEASE_SERVER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_URL + 
optional: true + - name: REGISTRY_RELEASE_NAMESPACE + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_NAMESPACE + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + git clone $(params.git-url) $(params.source-dir) + fi + cd $(params.source-dir) + git checkout $(params.git-revision) + + # Results + # Defaults + echo -n "$(params.git-url)">$(results.git-url.path) + echo -n "$(git rev-parse --verify HEAD)">$(results.git-revision.path) + echo -n "$(params.source-dir)">$(results.source-dir.path) + echo -n "$(params.app-namespace)">$(results.app-namespace.path) + echo -n "$(params.app-name)">$(results.app-name.path) + echo -n "$(params.deploy-ingress-type)">$(results.deploy-ingress-type.path) + echo -n "$(params.health-protocol)">$(results.health-protocol.path) + echo -n "$(params.health-endpoint)">$(results.health-endpoint.path) + echo -n "$(params.health-url)">$(results.health-url.path) + echo -n "$(params.health-curl)">$(results.health-curl.path) + echo -n "$(params.tools-image)">$(results.tools-image.path) + echo -n "$(params.js-image)">$(results.js-image.path) + echo -n "$(params.ace-project)">$(results.ace-project.path) + + + REGISTRY_SERVER="$(params.image-server)" + REGISTRY_NAMESPACE="$(params.image-namespace)" + REGISTRY_REPOSITORY="$(params.image-repository)" + REGISTRY_TAG="$(params.image-tag)" + + if [[ -n "$(params.image-url)" ]]; then + REGISTRY_SERVER_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $1}') + if [[ -n "${REGISTRY_SERVER_VALUE}" ]]; then + REGISTRY_SERVER="${REGISTRY_SERVER_VALUE}" + fi + + REGISTRY_NAMESPACE_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $2}') + if [[ -n "${REGISTRY_NAMESPACE_VALUE}" ]]; then + if [[ "${REGISTRY_NAMESPACE_VALUE}" = '$NAMESPACE' ]]; then + 
REGISTRY_NAMESPACE=${NAMESPACE} + else + REGISTRY_NAMESPACE="${REGISTRY_NAMESPACE_VALUE}" + fi + fi + + REGISTRY_REPOSITORY_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}') + if [[ -n "${REGISTRY_REPOSITORY_VALUE}" ]]; then + REGISTRY_REPOSITORY="${REGISTRY_REPOSITORY_VALUE}" + fi + + REGISTRY_TAG_VALUE=$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}') + if [[ -n "${REGISTRY_TAG_VALUE}" ]]; then + REGISTRY_TAG="${REGISTRY_TAG_VALUE}" + fi + fi + + if [[ -z "${REGISTRY_SERVER}" ]]; then + # Assume is internal + REGISTRY_SERVER="image-registry.openshift-image-registry.svc:5000" + fi + if [[ -z "${REGISTRY_NAMESPACE}" ]]; then + # Assume current k8s namespace + REGISTRY_NAMESPACE="${NAMESPACE}" + fi + if [[ -z "${REGISTRY_REPOSITORY}" ]]; then + # Assume repo dir is image repository/image-name + REGISTRY_REPOSITORY="$(basename $(echo -n $(git config --get remote.origin.url)) .git | tr '[:upper:]' '[:lower:]' | sed 's/_/-/g')" + fi + if [[ -z "${REGISTRY_TAG}" ]]; then + # Assume short git commit revision + REGISTRY_TAG="$(git rev-parse --verify HEAD --short)" + fi + echo -n "${REGISTRY_SERVER}">$(results.image-server.path) + echo -n "${REGISTRY_NAMESPACE}">$(results.image-namespace.path) + echo -n "${REGISTRY_REPOSITORY}">$(results.image-repository.path) + echo -n "${REGISTRY_TAG}">$(results.image-tag.path) + echo -n "${REGISTRY_SERVER}/${REGISTRY_NAMESPACE}/${REGISTRY_REPOSITORY}:${REGISTRY_TAG}">$(results.image-url.path) + + if [[ -z "$(params.app-namespace)" ]]; then + # Assume current namespace + echo -n "${NAMESPACE}">$(results.app-namespace.path) + fi + + if [[ -z "$(params.app-name)" ]]; then + # Assume image repository/name + echo -n "${REGISTRY_REPOSITORY}">$(results.app-name.path) + fi + + + if [[ -n "$(params.image-release)" ]]; then + REGISTRY_RELEASE_SERVER_VALUE=$(echo "$(params.image-release)" | awk -F / '{print $1}') + if [[ -n "${REGISTRY_RELEASE_SERVER_VALUE}" ]]; then + 
REGISTRY_RELEASE_SERVER="${REGISTRY_RELEASE_SERVER_VALUE}" + fi + + REGISTRY_RELEASE_NAMESPACE_VALUE=$(echo "$(params.image-release)" | awk -F / '{print $2}') + if [[ -n "${REGISTRY_RELEASE_NAMESPACE_VALUE}" ]]; then + if [[ "${REGISTRY_RELEASE_NAMESPACE_VALUE}" = '$NAMESPACE' ]]; then + REGISTRY_RELEASE_NAMESPACE=${NAMESPACE} + else + REGISTRY_RELEASE_NAMESPACE="${REGISTRY_RELEASE_NAMESPACE_VALUE}" + fi + elif [[ "${REGISTRY_RELEASE_SERVER}" = "image-registry.openshift-image-registry.svc:5000" ]]; then + REGISTRY_RELEASE_NAMESPACE=${NAMESPACE} + fi + fi + if [[ -z "${REGISTRY_RELEASE_NAMESPACE}" ]]; then + # Assume current k8s namespace + REGISTRY_RELEASE_NAMESPACE="${NAMESPACE}" + fi + if [[ -z "${REGISTRY_RELEASE_SERVER}" ]]; then + # Assume internal registry + REGISTRY_RELEASE_SERVER="image-registry.openshift-image-registry.svc:5000" + fi + REGISTRY_RELEASE_URL="${REGISTRY_RELEASE_SERVER}/${REGISTRY_RELEASE_NAMESPACE}/${REGISTRY_REPOSITORY}" + echo -n "${REGISTRY_RELEASE_URL}">$(results.image-release.path) + + PERFORM_SCAN="$(params.scan-image)" + PERFORM_SCAN_IBM="false" + PERFORM_SCAN_TRIVY="false" + if [[ "${PERFORM_SCAN}" == "true" ]]; then + echo "User selected to perform container image scanning" + if echo "$REGISTRY_RELEASE_URL" | grep 'icr.io'; then + echo "Using IBM Container registry, enabling scanning using VA" + PERFORM_SCAN_IBM="true" + else + echo "Not using IBM Container registry, enabling scanning using trivy" + PERFORM_SCAN_TRIVY="true" + fi + fi + + echo -n "${PERFORM_SCAN}">$(results.scan-image.path) + echo -n "${PERFORM_SCAN_TRIVY}">$(results.scan-trivy.path) + echo -n "${PERFORM_SCAN_IBM}">$(results.scan-ibm.path) + + if [[ -z "$(params.ace-project)" ]]; then + # Retrieve name of ACE Toolkit project + ACE_PROJECT=$(ls workspace || true) + echo -n "${ACE_PROJECT}">$(results.ace-project.path) + fi + + PERFORM_LINT="$(params.lint-dockerfile)" + echo -n "${PERFORM_LINT}">$(results.dockerfile-lint.path) + + for f in /tekton/results/*; do echo 
"results.$(basename $f)=$(cat $f)"; done + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-java-maven-test-v2-6-13 + annotations: + description: Executes build, test, and sonarscan logic for a Java maven application + app.openshift.io/description: Executes build, test, and sonarscan logic for a Java maven application + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: app-name + default: "my-java-maven-app" + - name: maven-image + default: quay.io/ibmgaragecloud/maven:3.6.3-jdk-11-slim + - name: sonarqube-java-bin-path + default: target + - name: sonarqube-cli + default: quay.io/ibmgaragecloud/sonarsource-sonar-scanner-cli + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: build + image: $(params.maven-image) + workingDir: $(params.source-dir) + script: | + if [[ -f "./mvnw" ]]; then + ./mvnw package + else + mvn package + fi + - name: test + image: $(params.maven-image) + workingDir: $(params.source-dir) + script: | + if [[ -f "./mvnw" ]]; then + ./mvnw 
test + else + mvn test + fi + - name: sonar-scan + image: $(params.sonarqube-cli) + workingDir: $(params.source-dir) + env: + - name: SONAR_USER_HOME + value: $(params.source-dir) + - name: SONARQUBE_URL + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_URL + optional: true + - name: SONARQUBE_USER + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_USER + optional: true + - name: SONARQUBE_PASSWORD + valueFrom: + secretKeyRef: + name: sonarqube-access + key: SONARQUBE_PASSWORD + optional: true + script: | + APP_NAME=$(params.app-name) + SONARQUBE_JAVA_BINARIES_PATH="$(params.sonarqube-java-bin-path)" + + if ! command -v sonar-scanner &> /dev/null + then + echo "Skipping SonarQube step, no task defined" + exit 0 + fi + + if [ -n "${SONARQUBE_URL}" ]; then + + sonar-scanner \ + -Dsonar.login=${SONARQUBE_USER} \ + -Dsonar.password=${SONARQUBE_PASSWORD} \ + -Dsonar.host.url=${SONARQUBE_URL} \ + -Dsonar.projectKey=${APP_NAME} \ + -Dsonar.java.binaries=${SONARQUBE_JAVA_BINARIES_PATH} + + else + echo "Skipping Sonar Qube step for now but include" + fi + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-helm-release-v2-6-13 + annotations: + description: Publishes the helm chart to the helm repository using the version provided in the image-url + app.openshift.io/description: Publishes the helm chart to the helm repository using the version provided in the image-url + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: git-url + - name: git-revision + default: master + - name: source-dir + default: /source + - name: image-url + default: "" + - name: app-name + default: "" + - name: deploy-ingress-type + default: "route" + - name: helm-curl + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + results: + - name: helm-url + description: The url of the helm repository 
+ volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: git-clone + image: quay.io/ibmgaragecloud/alpine-git + env: + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + script: | + set +x + if [[ -n "${GIT_USERNAME}" ]] && [[ -n "${GIT_PASSWORD}" ]]; then + git clone "$(echo $(params.git-url) | awk -F '://' '{print $1}')://${GIT_USERNAME}:${GIT_PASSWORD}@$(echo $(params.git-url) | awk -F '://' '{print $2}')" $(params.source-dir) + else + set -x + git clone $(params.git-url) $(params.source-dir) + fi + set -x + cd $(params.source-dir) + git checkout $(params.git-revision) + - name: package-helm + image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: TLS_SECRET_NAME + optional: true + - name: INGRESS_SUBDOMAIN + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: INGRESS_SUBDOMAIN + optional: true + - name: ARTIFACTORY_URL + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_URL + optional: true + - name: ARTIFACTORY_USER + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_USER + optional: true + - name: ARTIFACTORY_ENCRYPT + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_ENCRYPT + optional: true + - name: ARTIFACTORY_REPOSITORY_KEY + valueFrom: + secretKeyRef: + name: artifactory-access + key: ARTIFACTORY_REPOSITORY_KEY + optional: true + - name: HELM_URL + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_URL + optional: true + - name: HELM_USER + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_USER + optional: true + - name: HELM_PASSWORD + valueFrom: + secretKeyRef: + name: helm-access + key: HELM_PASSWORD + 
optional: true + script: | + #!/usr/bin/env bash + set -ex + + CURL_FLAGS="$(params.helm-curl)" + + echo "1. Package Helm Chart" + + GIT_URL="$(params.git-url)" + GIT_REVISION="$(params.git-revision)" + + IMAGE_SERVER="$(echo "$(params.image-url)" | awk -F / '{print $1}')" + IMAGE_NAMESPACE="$(echo "$(params.image-url)" | awk -F / '{print $2}')" + IMAGE_REPOSITORY="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $1}')" + IMAGE_VERSION="$(echo "$(params.image-url)" | awk -F / '{print $3}' | awk -F : '{print $2}')" + IMAGE_URL="${IMAGE_SERVER}/${IMAGE_NAMESPACE}/${IMAGE_REPOSITORY}" + + APP_NAME="$(params.app-name)" + if [[ -z "${APP_NAME}" ]]; then + APP_NAME="${IMAGE_REPOSITORY}" + fi + + INGRESS_TYPE="$(params.deploy-ingress-type)" + if [[ "${INGRESS_TYPE}" == "route" ]]; then + ROUTE_ENABLED="true" + INGRESS_ENABLED="false" + else + ROUTE_ENABLED="false" + INGRESS_ENABLED="true" + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + export CHART=$(find . 
-name Chart*.yaml) + echo "CHART: $CHART" + + export CHART_NAME=$(cat $CHART | yq r - name) + echo "CHART_NAME: $CHART_NAME" + + # Update Chart name and version + if [[ "${CHART_NAME}" != "${APP_NAME}" ]]; then + echo "Renaming chart from ${CHART_NAME} to ${APP_NAME}" + cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" + cat "${CHART_ROOT}/${CHART_NAME}/Chart.yaml" | \ + yq w - name "${APP_NAME}" | \ + yq w - version "${IMAGE_VERSION}" > "${CHART_ROOT}/${APP_NAME}/Chart.yaml" + else + echo "Chart name and image name match: ${APP_NAME}" + fi + + CHART_PATH="${CHART_ROOT}/${APP_NAME}" + + echo "" + echo "Chart ${CHART_PATH}" + cat ${CHART_PATH}/Chart.yaml + + RELEASE_NAME="${APP_NAME}" + echo "RELEASE_NAME: $RELEASE_NAME" + + echo $(helm version) + + PREFIX="" + if [[ -f "${CHART_PATH}/requirements.yaml" ]] || grep -Eq "^dependencies:" "${CHART_PATH}/Chart.yaml"; then + DEPENDENCY_FILE="${CHART_PATH}/Chart.yaml" + if [[ -f "${CHART_PATH}/requirements.yaml" ]]; then + DEPENDENCY_FILE="${CHART_PATH}/requirements.yaml" + fi + + PREFIX="$(yq r -j "${DEPENDENCY_FILE}" | jq -r '.dependencies | .[] | .alias // .name' | head -1)." + fi + + # Update helm chart with repository and tag values + cat ${CHART_PATH}/values.yaml | \ + yq w - "${PREFIX}nameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}fullnameOverride" "${APP_NAME}" | \ + yq w - "${PREFIX}vcsInfo.repoUrl" "${GIT_URL}" | \ + yq w - "${PREFIX}vcsInfo.branch" "${GIT_REVISION}" | \ + yq w - "${PREFIX}image.repository" "${IMAGE_URL}" | \ + yq w - "${PREFIX}image.tag" "${IMAGE_VERSION}" | \ + yq w - "${PREFIX}ingress.enabled" "${INGRESS_ENABLED}" | \ + yq w - "${PREFIX}route.enabled" "${ROUTE_ENABLED}" > ./values.yaml.tmp + cp ./values.yaml.tmp ${CHART_PATH}/values.yaml + cat ${CHART_PATH}/values.yaml + + echo "CHECKING CHART (lint)" + helm lint ${CHART_PATH} + + + echo "2. 
Publish Helm Chart" + + if [[ -z "${HELM_URL}" ]] && [[ -z "${HELM_USER}" ]]; then + if [[ -z "${ARTIFACTORY_URL}" ]]; then + echo "It looks like Artifactory has not been installed (ARTIFACTORY_URL from artifactory-acess secret is missing). Skipping step." + exit 0 + fi + + set +x + if [[ -z "${ARTIFACTORY_USER}" ]]; then + echo "Something's wrong... The Artifactory url is configured but the Artifactory credentials cannot be found. Check your artifactory-access secret." + exit 1 + fi + + if [[ -z "${ARTIFACTORY_ENCRYPT}" ]]; then + echo "It looks like your Artifactory installation is not complete. Please complete the steps found here - http://ibm.biz/complete-setup" + exit 1 + fi + + HELM_USER="${ARTIFACTORY_USER}" + set +x + HELM_PASSWORD="${ARTIFACTORY_ENCRYPT}" + set -x + + if [[ -z "${ARTIFACTORY_REPOSITORY_KEY}" ]]; then + ARTIFACTORY_REPOSITORY_KEY="generic-local" + fi + + if [[ -z "${HELM_URL}" ]]; then + HELM_URL="${ARTIFACTORY_URL}/artifactory/${ARTIFACTORY_REPOSITORY_KEY}" + fi + + fi + + export CHART_ROOT=$(find . -name chart) + echo "CHART_ROOT: $CHART_ROOT" + + export CHART_NAME="${APP_NAME}" + echo "CHART_NAME: $CHART_NAME" + + CHART_PATH="${CHART_ROOT}/${CHART_NAME}" + + helm dep update "${CHART_PATH}" + + # Package Helm Chart + helm package --version ${IMAGE_VERSION} ${CHART_PATH} + + # Get the index and re index it with current Helm Chart + set +x + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -O ${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -O "${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + set -x + + apiVersion=$(grep apiVersion ./index.yaml | sed -E "s/apiVersion: (.*)/\1/g") + if [[ $(cat index.yaml | jq '.errors[0].status') != "404" ]] && [[ -n "${apiVersion}" ]]; then + # Merge the chart index with the current index.yaml held in Artifactory + echo "Merging Chart into index.yaml for Chart Repository" + helm repo index . 
--url ${HELM_URL}/${IMAGE_NAMESPACE} --merge index.yaml + else + # Dont Merge this is first time one is being created + echo "Creating a new index.yaml for Chart Repository" + rm index.yaml + helm repo index . --url ${HELM_URL}/${IMAGE_NAMESPACE} + fi; + + # Persist the Helm Chart in Helm repo for us by ArgoCD + set +x + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -s -T ${CHART_NAME}-${IMAGE_VERSION}.tgz ${HELM_URL}/${IMAGE_NAMESPACE}/${CHART_NAME}-${IMAGE_VERSION}.tgz" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T ${CHART_NAME}-${IMAGE_VERSION}.tgz "${HELM_URL}/${IMAGE_NAMESPACE}/${CHART_NAME}-${IMAGE_VERSION}.tgz" + + # Persist the Helm Index in the helm repo for us by ArgoCD + echo "curl ${CURL_FLAGS} -u${HELM_USER}:xxxx -s -T index.yaml ${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + curl ${CURL_FLAGS} -u${HELM_USER}:${HELM_PASSWORD} -s -T index.yaml "${HELM_URL}/${IMAGE_NAMESPACE}/index.yaml" + + echo -n "${HELM_URL}/${IMAGE_NAMESPACE}" | tee $(results.helm-url.path) + + + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-operator-gitops-v2-6-13 + annotations: + description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: app-name + default: "" + - name: version + default: "" + - name: source-dir + default: /source + - name: subdir + default: "" + - name: parentdir + default: "" + - name: image-url + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: gitops + image: $(params.tools-image) + workingDir: 
$(params.source-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME_CD + valueFrom: + secretKeyRef: + name: olm-catalog-secret + key: username + optional: true + - name: GIT_PASSWORD_CD + valueFrom: + secretKeyRef: + name: olm-catalog-secret + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: olm-catalog-repo + key: parentdir + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: olm-catalog-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: olm-catalog-repo + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: olm-catalog-repo + key: org + optional: true + - name: GIT_REPO + valueFrom: + configMapKeyRef: + name: olm-catalog-repo + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: olm-catalog-repo + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAME="$(params.app-name)" + + if [[ -n "$(params.parentdir)" ]]; then + PARENT_DIR="$(params.parentdir)" + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR | tail -n 1) + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR}" + else + PARENT_DIR="." 
+ fi + + if [[ -n "$(params.subdir)" ]]; then + SUBDIR="${PARENT_DIR}/$(params.subdir)" + else + SUBDIR="${PARENT_DIR}" + fi + + + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + VERSION="$(params.version)" + BUNDLE_URL="$(params.image-url)" + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. Skipping trigger step" + exit 0 + fi + + set +x + if [[ -n "${GIT_USERNAME_CD}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME_CD}" + GIT_AUTH_PWD="${GIT_PASSWORD_CD}" + elif [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} gitops_cd + set -x + cd gitops_cd + + BUNDLE_METADATA="bundles.txt" + if [[ -n "${SUBDIR}" ]]; then + # create directory + mkdir -p "${SUBDIR}" + fi + if [[ -d "${SUBDIR}" ]]; then + BUNDLE_METADATA="${SUBDIR}/${BUNDLE_METADATA}" + fi + + touch ${BUNDLE_METADATA} + if ! 
grep -qE "${BUNDLE_URL}:${VERSION}$" ${BUNDLE_METADATA}; then + echo "${BUNDLE_URL}:${VERSION}" >> ${BUNDLE_METADATA} + fi + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + git add ${BUNDLE_METADATA} + git commit -m "Updates ${APP_NAME} to ${VERSION}" + git push -v + +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-img-scan-v2-6-13 + annotations: + description: Runs an image scan with Trivy or IBM VA and fails the build if issues are found. + app.openshift.io/description: Runs an image scan with Trivy or IBM VA and fails the build if issues are found. + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: image-url + description: "The location of image to scan on IBM Container Registry //:" + - name: scan-trivy + description: Flag indicating that a scan should be performed with Trivy + default: "false" + - name: scan-ibm + description: Flag indicating that a scan should be performed with IBM VA + default: "false" + - name: SKOPEO_IMAGE + default: quay.io/containers/skopeo:v1.1.0 + - name: IMAGE_FROM_TLS_VERIFY + default: "false" + - name: TRIVY_IMAGE + default: quay.io/ibmgaragecloud/aquasec-trivy + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: oci-image + emptyDir: {} + steps: + - name: trivy-pull + image: $(params.SKOPEO_IMAGE) + env: + - name: REGISTRY_USER + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_USER + optional: true + - name: REGISTRY_PASSWORD + valueFrom: + secretKeyRef: + name: registry-access + key: REGISTRY_PASSWORD + optional: true + volumeMounts: + - mountPath: /var/oci + name: oci-image + securityContext: + privileged: true + script: | + set -ex + PERFORM_SCAN="$(params.scan-trivy)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. 
Skipping Trivy scan." + exit 0 + fi + IMAGE_FROM=$(params.image-url) + REGISTRY_SERVER_FROM=$(echo "${IMAGE_FROM}" | awk -F / '{print $1}') + IMAGE_TO="oci:/var/oci/image" + IMAGE_FROM_TLS_VERIFY=$(params.IMAGE_FROM_TLS_VERIFY) + echo "Tagging ${IMAGE_FROM} as ${IMAGE_TO}" + set +x + if [[ -n "${REGISTRY_USER}" ]] && [[ -n "${REGISTRY_PASSWORD}" ]] && [[ "${REGISTRY_SERVER_FROM}" != "image-registry.openshift-image-registry.svc:5000" ]]; then + IMAGE_FROM_CREDS="--src-creds ${REGISTRY_USER}:${REGISTRY_PASSWORD}" + fi + set -x + if [ "${REGISTRY_SERVER_FROM}" =~ ":" ]; then + IMAGE_FROM_TLS_VERIFY="false" + fi + echo "skopeo copy --src-creds=xxxx --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO}" + set +x + skopeo copy ${IMAGE_FROM_CREDS} --src-tls-verify=${IMAGE_FROM_TLS_VERIFY} docker://${IMAGE_FROM} ${IMAGE_TO} + - name: trivy-scan + image: $(params.TRIVY_IMAGE) + volumeMounts: + - mountPath: /var/oci + name: oci-image + script: | + set -ex + PERFORM_SCAN="$(params.scan-trivy)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Trivy scan." + exit 0 + fi + PATH_TO_IMAGE="/var/oci/image" + echo -e "Trivy Security Scan image in registry" + trivy image --exit-code 0 --input ${PATH_TO_IMAGE} + trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE} + my_exit_code=$? + echo "Scan exit code :--- $my_exit_code" + if [ ${my_exit_code} == 1 ]; then + echo "Trivy scanning completed. CRITICAL Vulnerabilities found." + exit 1 + else + echo "Trivy scanning completed. CRITICAL vulnerabilities not found." 
+ fi + - name: ibm-scan + image: $(params.tools-image) + env: + - name: HOME + value: /home/devops + - name: IBM_CLOUD_APIKEY + valueFrom: + secretKeyRef: + key: APIKEY + name: ibmcloud-apikey + optional: true + - name: IBM_CLOUD_REGION + valueFrom: + configMapKeyRef: + name: ibmcloud-config + key: REGION + optional: true + script: | + #!/usr/bin/env bash + set -ex + PERFORM_SCAN="$(params.scan-ibm)" + if [[ "${PERFORM_SCAN}" == "false" ]] || [[ -z "${PERFORM_SCAN}" ]]; then + echo "User selected to skip scanning. Skipping Vulnerability Advisor validation." + exit 0 + fi + + IMAGE_URL=$(params.image-url) + REGISTRY_SERVER=$(echo $(params.image-url) | awk -F / '{print $1}') + + + + if [[ ! "${REGISTRY_SERVER}" =~ icr.io ]]; then + echo "The image is not stored in the IBM Cloud Image Registry. Skipping Vulnerability Advisor validation" + exit 0 + fi + + + echo -e "VA Security Scan image in registry" + + echo "Registry URL: ${REGISTRY_SERVER}" + + set +x + ibmcloud login --apikey ${IBM_CLOUD_APIKEY} -r ${IBM_CLOUD_REGION} + ibmcloud target -r ${IBM_CLOUD_REGION} + set -x + ibmcloud cr namespace-list + + echo "Getting the VA status of ${IMAGE_URL}" + + set +e + ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later" + retry=$? + while [ $retry -eq 0 ]; do + sleep 30 + echo "Trying again to see if scan is done" + ibmcloud cr va ${IMAGE_URL} --output json | grep -i "Try again later" + retry=$? 
+ done + set -e + ibmcloud cr va ${IMAGE_URL} --output json + echo "Saving results to va-result.json" + ibmcloud cr va ${IMAGE_URL} --output json > va-result.json + VA_STATUS=$(cat va-result.json | jq -r '.[].status') + + echo "VA scan status: ${VA_STATUS}" + + if [[ "${VA_STATUS}" == "OK" ]]; then + echo "VA - No Issues in the image" + exit 0 + elif [[ $(cat va-result.json | jq -r '.[].vulnerabilities | length') -gt 0 ]]; then + echo "VA Failure: $(cat va-result.json | jq -r '.[].vulnerabilities | length') vulnerabilities found in the image" + cat va-result.json | jq -r '.[].vulnerabilities' + exit 1 + elif [[ $(cat va-result.json | jq -r '.[].configuration_issues | length') -gt 0 ]]; then + echo "VA Warning - $(cat va-result.json | jq -r '.[].configuration_issues | length') configuration issues found in the image" + cat va-result.json | jq -r '.[].configuration_issues' + exit 0 + else + echo "VA Warning: non-OK status from Vulnerability Advisor ${VA_STATUS}" + cat va-result.json | jq -r '.[]' + fi +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: ibm-gitops-v2-6-13 + annotations: + description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/description: Publishes the helm chart configuration to the provided gitops repo to trigger downstream deployments + app.openshift.io/vcs-uri: https://github.com/IBM/ibm-garage-tekton-tasks + app.openshift.io/vcs-ref: master + labels: + version: 2.6.13 +spec: + params: + - name: app-name + default: "" + - name: version + default: "" + - name: source-dir + default: /source + - name: subdir + default: "" + - name: parentdir + default: "" + - name: yaml + default: "requirements.yaml" + - name: helm-url + default: "" + - name: tools-image + default: quay.io/ibmgaragecloud/ibmcloud-dev:v2.0.4 + volumes: + - name: source + emptyDir: {} + stepTemplate: + volumeMounts: + - name: source + mountPath: $(params.source-dir) + steps: + - name: gitops + 
image: $(params.tools-image) + workingDir: $(params.source-dir) + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOME + value: /home/devops + - name: GIT_USERNAME + valueFrom: + secretKeyRef: + name: git-credentials + key: username + optional: true + - name: GIT_PASSWORD + valueFrom: + secretKeyRef: + name: git-credentials + key: password + optional: true + - name: GIT_USERNAME_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: username + optional: true + - name: GIT_PASSWORD_CD + valueFrom: + secretKeyRef: + name: gitops-cd-secret + key: password + optional: true + - name: GIT_PARENT_DIR + valueFrom: + configMapKeyRef: + name: gitops-repo + key: parentdir + optional: true + - name: GIT_PARENT_DIR_SERVICES + valueFrom: + configMapKeyRef: + name: gitops-repo + key: parentdir-services + optional: true + - name: GIT_PROTOCOL + valueFrom: + configMapKeyRef: + name: gitops-repo + key: protocol + optional: true + - name: GIT_HOST + valueFrom: + configMapKeyRef: + name: gitops-repo + key: host + optional: true + - name: GIT_ORG + valueFrom: + configMapKeyRef: + name: gitops-repo + key: org + optional: true + - name: GIT_REPO + valueFrom: + configMapKeyRef: + name: gitops-repo + key: repo + optional: true + - name: GIT_BRANCH + valueFrom: + configMapKeyRef: + name: gitops-repo + key: branch + optional: true + script: | + #!/usr/bin/env bash + set -ex + + APP_NAME="$(params.app-name)" + SUBDIR="$(params.subdir)" + if [[ -z "${SUBDIR}" ]]; then + SUBDIR="${APP_NAME}" + fi + if [[ -n "$(params.parentdir)" ]]; then + PARENT_DIR="$(params.parentdir)" + elif [[ -n "${GIT_PARENT_DIR_SERVICES}" ]] && [[ "${GIT_PARENT_DIR_SERVICES}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR_SERVICES | tail -n 1) + elif [[ -n "${GIT_PARENT_DIR_SERVICES}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR_SERVICES}" + elif [[ -n "${GIT_PARENT_DIR}" ]] && [[ "${GIT_PARENT_DIR}" = "bash -c"* ]]; then + PARENT_DIR=$(eval $GIT_PARENT_DIR | 
tail -n 1) + elif [[ -n "${GIT_PARENT_DIR}" ]]; then + PARENT_DIR="${GIT_PARENT_DIR}" + else + PARENT_DIR="." + fi + SUBDIR="${PARENT_DIR}/${SUBDIR}" + + PROTOCOL="${GIT_PROTOCOL}" + if [[ -z "${PROTOCOL}" ]]; then + PROTOCOL="https" + fi + + YAML_FILE="$(params.yaml)" + VERSION="$(params.version)" + HELM_URL="$(params.helm-url)" + + if [[ -z "${GIT_HOST}" ]] || [[ -z "${GIT_ORG}" ]] || [[ -z "${GIT_REPO}" ]]; then + echo "GitOps repo has not been configured with confimap gitops-repo. Skipping trigger step" + exit 0 + fi + + set +x + if [[ -n "${GIT_USERNAME_CD}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME_CD}" + GIT_AUTH_PWD="${GIT_PASSWORD_CD}" + elif [[ -n "${GIT_USERNAME}" ]]; then + GIT_AUTH_USER="${GIT_USERNAME}" + GIT_AUTH_PWD="${GIT_PASSWORD}" + else + echo "Credentials for GitOps repo not set in secret gitops-cd-secret or git-credentials" + exit 1 + fi + set -x + + BRANCH_CMD="" + if [[ -n "${GIT_BRANCH}" ]]; then + BRANCH_CMD="-b ${GIT_BRANCH}" + fi + + git config --global user.email "gitops@cloudnativetoolkit.dev" + git config --global user.name "Cloud Native Toolkit Pipeline" + echo "git clone ${BRANCH_CMD} ${PROTOCOL}://${GIT_AUTH_USER}:xxxx@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + set +x + GIT_URL="${PROTOCOL}://${GIT_AUTH_USER}:${GIT_AUTH_PWD}@${GIT_HOST}/${GIT_ORG}/${GIT_REPO}" + git clone ${BRANCH_CMD} ${GIT_URL} gitops_cd + set -x + cd gitops_cd + + + if [[ -f "${SUBDIR}/${YAML_FILE}" ]]; then + echo "Requirements before update" + cat "${SUBDIR}/${YAML_FILE}" + + yq r "${SUBDIR}/${YAML_FILE}" -j | \ + jq --arg APP_NAME "${APP_NAME}" --arg VERSION "${VERSION}" --arg REPO "${HELM_URL}" '.dependencies |= map((select(.name == $APP_NAME) | .version = $VERSION | .repository = $REPO) // .)' | \ + yq r --prettyPrint - > "${SUBDIR}/${YAML_FILE}.new" + + rm "${SUBDIR}/${YAML_FILE}" + mv "${SUBDIR}/${YAML_FILE}.new" "${SUBDIR}/${YAML_FILE}" + + echo "Requirements after update" + cat "${SUBDIR}/${YAML_FILE}" + + elif [[ -n "${HELM_URL}" ]]; then + echo "Creating 
first time chart using ${SUBDIR}" + # create directory + mkdir -p "${SUBDIR}" + + # WARNING: Do not indent the cat commands below + + cat <"${SUBDIR}/Chart.yaml" + apiVersion: v2 + version: 0.1.0 + name: ${APP_NAME} + description: Chart to configure ArgoCD with the ${APP_NAME} project and its applications + EOF + + cat <"${SUBDIR}/${YAML_FILE}" + dependencies: + - name: ${APP_NAME} + version: ${VERSION} + repository: >- + ${HELM_URL} + EOF + + cat <"${SUBDIR}/values.yaml" + global: {} + ${APP_NAME}: + replicaCount: 1 + EOF + + + else + echo "GitOps repo configured but unable to update application config" + exit 1 + fi + + if [[ $(git status -s | wc -l) -eq 0 ]]; then + echo "No changes" + exit 0 + fi + + git add "${SUBDIR}/" + git commit -m "Updates ${APP_NAME} to ${VERSION}" + git push -v + +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: ibm-ace-bar + annotations: + app.openshift.io/runtime: ace + app.openshift.io/builder: bar +spec: + params: + - description: The url for the git repository + name: git-url + type: string + - default: main + description: The git revision (branch, tag, or sha) that should be built + name: git-revision + type: string + - default: "true" + description: Enable the pipeline to scan the image for vulnerabilities + name: scan-image + type: string + - name: health-endpoint + default: "/health" + description: Endpoint to check health after deployment, liberty uses / not /health + - name: ace-project + description: Name of the ACE Toolkit project + default: "" + tasks: + - name: setup + params: + - name: git-url + value: $(params.git-url) + - name: git-revision + value: $(params.git-revision) + - name: scan-image + value: $(params.scan-image) + - name: health-endpoint + value: $(params.health-endpoint) + - name: health-protocol + value: "http" + - name: ace-project + value: $(params.ace-project) + taskRef: + kind: Task + name: ibm-setup + - name: build + params: + - name: git-url + value: 
$(tasks.setup.results.git-url) + - name: git-revision + value: $(tasks.setup.results.git-revision) + - name: source-dir + value: $(tasks.setup.results.source-dir) + - name: image-server + value: $(tasks.setup.results.image-server) + - name: image-namespace + value: $(tasks.setup.results.image-namespace) + - name: image-repository + value: $(tasks.setup.results.image-repository) + - name: image-tag + value: $(tasks.setup.results.image-tag) + - name: app-name + value: $(tasks.setup.results.app-name) + - name: ace-project + value: $(tasks.setup.results.ace-project) + runAfter: + - setup + taskRef: + kind: Task + name: ibm-build-tag-push-ace-bar + - name: deploy + params: + - name: git-url + value: $(tasks.setup.results.git-url) + - name: git-revision + value: $(tasks.setup.results.git-revision) + - name: source-dir + value: $(tasks.setup.results.source-dir) + - name: image-server + value: $(tasks.setup.results.image-server) + - name: image-namespace + value: $(tasks.setup.results.image-namespace) + - name: image-repository + value: $(tasks.setup.results.image-repository) + - name: image-tag + value: $(tasks.setup.results.image-tag) + - name: app-namespace + value: $(tasks.setup.results.app-namespace) + - name: app-name + value: $(tasks.setup.results.app-name) + - name: deploy-ingress-type + value: $(tasks.setup.results.deploy-ingress-type) + - name: tools-image + value: $(tasks.setup.results.tools-image) + runAfter: + - build + taskRef: + kind: Task + name: ibm-deploy + - name: health + params: + - name: app-namespace + value: $(tasks.setup.results.app-namespace) + - name: app-name + value: $(tasks.setup.results.app-name) + - name: deploy-ingress-type + value: $(tasks.setup.results.deploy-ingress-type) + - name: health-protocol + value: $(tasks.setup.results.health-protocol) + - name: health-endpoint + value: $(tasks.setup.results.health-endpoint) + - name: health-url + value: $(tasks.setup.results.health-url) + - name: health-curl + value: 
$(tasks.setup.results.health-curl) + - name: tools-image + value: $(tasks.setup.results.tools-image) + - name: resource-type + value: $(tasks.deploy.results.resource-type) + runAfter: + - deploy + taskRef: + kind: Task + name: ibm-health-check + - name: tag-release + params: + - name: git-url + value: $(tasks.setup.results.git-url) + - name: git-revision + value: $(tasks.setup.results.git-revision) + - name: source-dir + value: $(tasks.setup.results.source-dir) + - name: js-image + value: $(tasks.setup.results.js-image) + runAfter: + - health + taskRef: + kind: Task + name: ibm-tag-release + - name: img-release + params: + - name: image-from + value: $(tasks.setup.results.image-url) + - name: image-to + value: $(tasks.setup.results.image-release):$(tasks.tag-release.results.tag) + runAfter: + - tag-release + taskRef: + kind: Task + name: ibm-img-release + - name: img-scan + params: + - name: image-url + value: $(tasks.img-release.results.image-url) + - name: scan-trivy + value: $(tasks.setup.results.scan-trivy) + - name: scan-ibm + value: $(tasks.setup.results.scan-ibm) + runAfter: + - img-release + taskRef: + kind: Task + name: ibm-img-scan + - name: helm-release + taskRef: + name: ibm-helm-release-v2-6-13 + runAfter: + - img-scan + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-url + value: "$(tasks.img-release.results.image-url)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: gitops + params: + - name: app-name + value: $(tasks.setup.results.app-name) + - name: version + value: $(tasks.tag-release.results.tag) + - name: helm-url + value: $(tasks.helm-release.results.helm-url) + - name: tools-image + value: 
$(tasks.setup.results.tools-image) + runAfter: + - helm-release + taskRef: + kind: Task + name: ibm-gitops + +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: ibm-mq + annotations: + app.openshift.io/runtime: mq +spec: + params: + - name: git-url + description: The url for the git repository + - name: git-revision + description: The git revision (branch, tag, or sha) that should be built + default: master + - name: scan-image + description: Enable the pipeline to scan the image for vulnerabilities + default: "true" + tasks: + - name: setup + taskRef: + name: ibm-setup-v2-6-13 + params: + - name: git-url + value: $(params.git-url) + - name: git-revision + value: $(params.git-revision) + - name: scan-image + value: $(params.scan-image) + - name: build + taskRef: + name: ibm-build-tag-push-v2-6-13 + runAfter: + - setup + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: smoke-tests-mq + taskRef: + name: ibm-smoke-tests-mq-v2-6-13 + runAfter: + - build + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: app-namespace + value: 
"$(tasks.setup.results.app-namespace)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: tag-release + taskRef: + name: ibm-tag-release-v2-6-13 + runAfter: + - smoke-tests-mq + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: js-image + value: "$(tasks.setup.results.js-image)" + - name: img-release + taskRef: + name: ibm-img-release-v2-6-13 + runAfter: + - tag-release + params: + - name: image-from + value: "$(tasks.setup.results.image-url)" + - name: image-to + value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)" + - name: img-scan + taskRef: + name: ibm-img-scan-v2-6-13 + runAfter: + - img-release + params: + - name: image-url + value: $(tasks.img-release.results.image-url) + - name: scan-trivy + value: $(tasks.setup.results.scan-trivy) + - name: scan-ibm + value: $(tasks.setup.results.scan-ibm) + - name: helm-release + taskRef: + name: ibm-helm-release-v2-6-13 + runAfter: + - img-scan + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-url + value: "$(tasks.img-release.results.image-url)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: gitops + taskRef: + name: ibm-gitops-v2-6-13 + runAfter: + - helm-release + params: + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: version + value: "$(tasks.tag-release.results.tag)" + - name: helm-url + 
value: $(tasks.helm-release.results.helm-url)
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-golang-edge
+ annotations:
+ app.openshift.io/runtime: golang
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ - name: lint-dockerfile
+ description: Enable the pipeline to lint the Dockerfile for best practices
+ default: "true"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: lint-dockerfile
+ value: $(params.lint-dockerfile)
+ - name: test
+ taskRef:
+ name: ibm-golang-test-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: dockerfile-lint
+ taskRef:
+ name: ibm-dockerfile-lint-v2-6-13
+ runAfter:
+ - test
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: lint-dockerfile
+ value: "$(tasks.setup.results.dockerfile-lint)"
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - dockerfile-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: deploy
+ taskRef:
+ name: ibm-deploy-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: health
+ taskRef:
+ name: ibm-health-check-v2-6-13
+ runAfter:
+ - deploy
+ params:
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: health-protocol
+ value: "$(tasks.setup.results.health-protocol)"
+ - name: health-endpoint
+ value: "$(tasks.setup.results.health-endpoint)"
+ - name: health-url
+ value: "$(tasks.setup.results.health-url)"
+ - name: health-curl
+ value: "$(tasks.setup.results.health-curl)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - health
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: helm-release
+ taskRef:
+ name: ibm-helm-release-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.img-release.results.image-url)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: edge-cd
+ taskRef:
+ name: ibm-gitops-edge-v2-6-13
+ runAfter:
+ - helm-release
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-appmod-liberty
+ annotations:
+ app.openshift.io/runtime: openjdk
+ app.openshift.io/builder: maven
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ - name: health-endpoint
+ description: Endpoint to check health after deployment, liberty uses / not /health
+ default: "/"
+ - name: java-bin-path
+ description: The path to the java binaries. The default value is "target"
+ default: target
+ - name: lint-dockerfile
+ description: Enable the pipeline to lint the Dockerfile for best practices
+ default: "true"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: health-endpoint
+ value: $(params.health-endpoint)
+ - name: lint-dockerfile
+ value: $(params.lint-dockerfile)
+ - name: test
+ taskRef:
+ name: ibm-java-maven-test-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: sonarqube-java-bin-path
+ value: "$(params.java-bin-path)"
+ - name: dockerfile-lint
+ taskRef:
+ name: ibm-dockerfile-lint-v2-6-13
+ runAfter:
+ - test
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: lint-dockerfile
+ value: "$(tasks.setup.results.dockerfile-lint)"
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - dockerfile-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: deploy
+ taskRef:
+ name: ibm-deploy-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: health
+ taskRef:
+ name: ibm-health-check-v2-6-13
+ runAfter:
+ - deploy
+ params:
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: health-protocol
+ value: "$(tasks.setup.results.health-protocol)"
+ - name: health-endpoint
+ value: "$(tasks.setup.results.health-endpoint)"
+ - name: health-url
+ value: "$(tasks.setup.results.health-url)"
+ - name: health-curl
+ value: "$(tasks.setup.results.health-curl)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - health
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: helm-release
+ taskRef:
+ name: ibm-helm-release-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.img-release.results.image-url)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops-v2-6-13
+ runAfter:
+ - helm-release
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: helm-url
+ value: $(tasks.helm-release.results.helm-url)
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-nodejs
+ annotations:
+ app.openshift.io/runtime: nodejs
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ - name: lint-dockerfile
+ description: Enable the pipeline to lint the Dockerfile for best practices
+ default: "true"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: lint-dockerfile
+ value: $(params.lint-dockerfile)
+ - name: test
+ taskRef:
+ name: ibm-nodejs-test-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: app-name
+ value: $(tasks.setup.results.app-name)
+ - name: dockerfile-lint
+ taskRef:
+ name: ibm-dockerfile-lint-v2-6-13
+ runAfter:
+ - test
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: lint-dockerfile
+ value: "$(tasks.setup.results.dockerfile-lint)"
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - dockerfile-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: deploy
+ taskRef:
+ name: ibm-deploy-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: health
+ taskRef:
+ name: ibm-health-check-v2-6-13
+ runAfter:
+ - deploy
+ params:
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: health-protocol
+ value: "$(tasks.setup.results.health-protocol)"
+ - name: health-endpoint
+ value: "$(tasks.setup.results.health-endpoint)"
+ - name: health-url
+ value: "$(tasks.setup.results.health-url)"
+ - name: health-curl
+ value: "$(tasks.setup.results.health-curl)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - health
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: helm-release
+ taskRef:
+ name: ibm-helm-release-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.img-release.results.image-url)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops-v2-6-13
+ runAfter:
+ - helm-release
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: helm-url
+ value: $(tasks.helm-release.results.helm-url)
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-general
+ annotations:
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ - name: lint-dockerfile
+ description: Enable the pipeline to lint the Dockerfile for best practices
+ default: "true"
+ - name: health-endpoint
+ description: Endpoint to check health after deployment, defaults /
+ default: "/"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: health-endpoint
+ value: $(params.health-endpoint)
+ - name: lint-dockerfile
+ value: $(params.lint-dockerfile)
+ - name: code-lint
+ taskRef:
+ name: ibm-sonar-test-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: app-name
+ value: $(tasks.setup.results.app-name)
+ - name: dockerfile-lint
+ taskRef:
+ name: ibm-dockerfile-lint-v2-6-13
+ runAfter:
+ - code-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: lint-dockerfile
+ value: "$(tasks.setup.results.dockerfile-lint)"
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - dockerfile-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: deploy
+ taskRef:
+ name: ibm-deploy-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: health
+ taskRef:
+ name: ibm-health-check-v2-6-13
+ runAfter:
+ - deploy
+ params:
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: health-protocol
+ value: "$(tasks.setup.results.health-protocol)"
+ - name: health-endpoint
+ value: "$(tasks.setup.results.health-endpoint)"
+ - name: health-url
+ value: "$(tasks.setup.results.health-url)"
+ - name: health-curl
+ value: "$(tasks.setup.results.health-curl)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - health
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: helm-release
+ taskRef:
+ name: ibm-helm-release-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.img-release.results.image-url)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops-v2-6-13
+ runAfter:
+ - helm-release
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: helm-url
+ value: $(tasks.helm-release.results.helm-url)
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-golang
+ annotations:
+ app.openshift.io/runtime: golang
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ - name: lint-dockerfile
+ description: Enable the pipeline to lint the Dockerfile for best practices
+ default: "true"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: lint-dockerfile
+ value: $(params.lint-dockerfile)
+ - name: test
+ taskRef:
+ name: ibm-golang-test-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: dockerfile-lint
+ taskRef:
+ name: ibm-dockerfile-lint-v2-6-13
+ runAfter:
+ - test
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: lint-dockerfile
+ value: "$(tasks.setup.results.dockerfile-lint)"
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - dockerfile-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: deploy
+ taskRef:
+ name: ibm-deploy-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: health
+ taskRef:
+ name: ibm-health-check-v2-6-13
+ runAfter:
+ - deploy
+ params:
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: health-protocol
+ value: "$(tasks.setup.results.health-protocol)"
+ - name: health-endpoint
+ value: "$(tasks.setup.results.health-endpoint)"
+ - name: health-url
+ value: "$(tasks.setup.results.health-url)"
+ - name: health-curl
+ value: "$(tasks.setup.results.health-curl)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - health
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: helm-release
+ taskRef:
+ name: ibm-helm-release-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.img-release.results.image-url)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops-v2-6-13
+ runAfter:
+ - helm-release
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: helm-url
+ value: $(tasks.helm-release.results.helm-url)
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-java-gradle
+ annotations:
+ app.openshift.io/runtime: openjdk
+ app.openshift.io/builder: gradle
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ - name: health-endpoint
+ default: "/health"
+ description: Endpoint to check health after deployment, liberty uses / not /health
+ - name: lint-dockerfile
+ description: Enable the pipeline to lint the Dockerfile for best practices
+ default: "true"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: health-endpoint
+ value: $(params.health-endpoint)
+ - name: lint-dockerfile
+ value: $(params.lint-dockerfile)
+ - name: test
+ taskRef:
+ name: ibm-java-gradle-test-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: dockerfile-lint
+ taskRef:
+ name: ibm-dockerfile-lint-v2-6-13
+ runAfter:
+ - test
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: lint-dockerfile
+ value: "$(tasks.setup.results.dockerfile-lint)"
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - dockerfile-lint
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: deploy
+ taskRef:
+ name: ibm-deploy-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: health
+ taskRef:
+ name: ibm-health-check-v2-6-13
+ runAfter:
+ - deploy
+ params:
+ - name: app-namespace
+ value: "$(tasks.setup.results.app-namespace)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: health-protocol
+ value: "$(tasks.setup.results.health-protocol)"
+ - name: health-endpoint
+ value: "$(tasks.setup.results.health-endpoint)"
+ - name: health-url
+ value: "$(tasks.setup.results.health-url)"
+ - name: health-curl
+ value: "$(tasks.setup.results.health-curl)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: pact-verify
+ taskRef:
+ name: ibm-gradle-pact-verify-v2-6-13
+ runAfter:
+ - health
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: service-host
+ value: "$(tasks.setup.results.app-name)"
+ - name: service-port
+ value: "$(tasks.deploy.results.service-port)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - pact-verify
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: helm-release
+ taskRef:
+ name: ibm-helm-release-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.img-release.results.image-url)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: deploy-ingress-type
+ value: "$(tasks.setup.results.deploy-ingress-type)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+ - name: gitops
+ taskRef:
+ name: ibm-gitops-v2-6-13
+ runAfter:
+ - helm-release
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: helm-url
+ value: $(tasks.helm-release.results.helm-url)
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-operator-catalog
+ annotations:
+ app.openshift.io/runtime: operator
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "false"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: build
+ taskRef:
+ name: ibm-operator-catalog-build-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: gitops
+ taskRef:
+ name: ibm-operator-catalog-gitops-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: image-url
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-operator
+ annotations:
+ app.openshift.io/runtime: operator
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+ description: Enable the pipeline to scan the image for vulnerabilities
+ default: "true"
+ tasks:
+ - name: setup
+ taskRef:
+ name: ibm-setup-v2-6-13
+ params:
+ - name: git-url
+ value: $(params.git-url)
+ - name: git-revision
+ value: $(params.git-revision)
+ - name: scan-image
+ value: $(params.scan-image)
+ - name: build
+ taskRef:
+ name: ibm-build-tag-push-v2-6-13
+ runAfter:
+ - setup
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-server
+ value: "$(tasks.setup.results.image-server)"
+ - name: image-namespace
+ value: "$(tasks.setup.results.image-namespace)"
+ - name: image-repository
+ value: "$(tasks.setup.results.image-repository)"
+ - name: image-tag
+ value: "$(tasks.setup.results.image-tag)"
+ - name: tag-release
+ taskRef:
+ name: ibm-tag-release-v2-6-13
+ runAfter:
+ - build
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: js-image
+ value: "$(tasks.setup.results.js-image)"
+ - name: img-release
+ taskRef:
+ name: ibm-img-release-v2-6-13
+ runAfter:
+ - tag-release
+ params:
+ - name: image-from
+ value: "$(tasks.setup.results.image-url)"
+ - name: image-to
+ value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)"
+ - name: img-scan
+ taskRef:
+ name: ibm-img-scan-v2-6-13
+ runAfter:
+ - img-release
+ params:
+ - name: image-url
+ value: $(tasks.img-release.results.image-url)
+ - name: scan-trivy
+ value: $(tasks.setup.results.scan-trivy)
+ - name: scan-ibm
+ value: $(tasks.setup.results.scan-ibm)
+ - name: operator-bundle
+ taskRef:
+ name: ibm-operator-bundle-v2-6-13
+ runAfter:
+ - img-scan
+ params:
+ - name: git-url
+ value: "$(tasks.setup.results.git-url)"
+ - name: git-revision
+ value: "$(tasks.setup.results.git-revision)"
+ - name: source-dir
+ value: "$(tasks.setup.results.source-dir)"
+ - name: image-url
+ value: "$(tasks.setup.results.image-release)"
+ - name: image-tag
+ value: "$(tasks.tag-release.results.tag)"
+ - name: gitops
+ taskRef:
+ name: ibm-operator-gitops-v2-6-13
+ runAfter:
+ - operator-bundle
+ params:
+ - name: app-name
+ value: "$(tasks.setup.results.app-name)"
+ - name: version
+ value: "$(tasks.tag-release.results.tag)"
+ - name: image-url
+ value: "$(tasks.operator-bundle.results.bundle-image-url)"
+ - name: tools-image
+ value: "$(tasks.setup.results.tools-image)"
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: ibm-java-maven
+ annotations:
+ app.openshift.io/runtime: openjdk
+ app.openshift.io/builder: maven
+spec:
+ params:
+ - name: git-url
+ description: The url for the git repository
+ - name: git-revision
+ description: The git revision (branch, tag, or sha) that should be built
+ default: master
+ - name: scan-image
+
description: Enable the pipeline to scan the image for vulnerabilities + default: "true" + - name: lint-dockerfile + description: Enable the pipeline to lint the Dockerfile for best practices + default: "true" + tasks: + - name: setup + taskRef: + name: ibm-setup-v2-6-13 + params: + - name: git-url + value: $(params.git-url) + - name: git-revision + value: $(params.git-revision) + - name: scan-image + value: $(params.scan-image) + - name: lint-dockerfile + value: $(params.lint-dockerfile) + - name: test + taskRef: + name: ibm-java-maven-test-v2-6-13 + runAfter: + - setup + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + + - name: dockerfile-lint + taskRef: + name: ibm-dockerfile-lint-v2-6-13 + runAfter: + - test + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: lint-dockerfile + value: "$(tasks.setup.results.dockerfile-lint)" + + - name: build + taskRef: + name: ibm-build-tag-push-v2-6-13 + runAfter: + - dockerfile-lint + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: deploy + taskRef: + name: ibm-deploy-v2-6-13 + runAfter: + - build + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: 
"$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-server + value: "$(tasks.setup.results.image-server)" + - name: image-namespace + value: "$(tasks.setup.results.image-namespace)" + - name: image-repository + value: "$(tasks.setup.results.image-repository)" + - name: image-tag + value: "$(tasks.setup.results.image-tag)" + - name: app-namespace + value: "$(tasks.setup.results.app-namespace)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: health + taskRef: + name: ibm-health-check-v2-6-13 + runAfter: + - deploy + params: + - name: app-namespace + value: "$(tasks.setup.results.app-namespace)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: health-protocol + value: "$(tasks.setup.results.health-protocol)" + - name: health-endpoint + value: "$(tasks.setup.results.health-endpoint)" + - name: health-url + value: "$(tasks.setup.results.health-url)" + - name: health-curl + value: "$(tasks.setup.results.health-curl)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: tag-release + taskRef: + name: ibm-tag-release-v2-6-13 + runAfter: + - health + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: js-image + value: "$(tasks.setup.results.js-image)" + - name: img-release + taskRef: + name: ibm-img-release-v2-6-13 + runAfter: + - tag-release + params: + - name: image-from + value: "$(tasks.setup.results.image-url)" + - name: image-to + value: "$(tasks.setup.results.image-release):$(tasks.tag-release.results.tag)" + - name: img-scan + taskRef: + 
name: ibm-img-scan-v2-6-13 + runAfter: + - img-release + params: + - name: image-url + value: $(tasks.img-release.results.image-url) + - name: scan-trivy + value: $(tasks.setup.results.scan-trivy) + - name: scan-ibm + value: $(tasks.setup.results.scan-ibm) + - name: helm-release + taskRef: + name: ibm-helm-release-v2-6-13 + runAfter: + - img-scan + params: + - name: git-url + value: "$(tasks.setup.results.git-url)" + - name: git-revision + value: "$(tasks.setup.results.git-revision)" + - name: source-dir + value: "$(tasks.setup.results.source-dir)" + - name: image-url + value: "$(tasks.img-release.results.image-url)" + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: deploy-ingress-type + value: "$(tasks.setup.results.deploy-ingress-type)" + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + - name: gitops + taskRef: + name: ibm-gitops-v2-6-13 + runAfter: + - helm-release + params: + - name: app-name + value: "$(tasks.setup.results.app-name)" + - name: version + value: "$(tasks.tag-release.results.tag)" + - name: helm-url + value: $(tasks.helm-release.results.helm-url) + - name: tools-image + value: "$(tasks.setup.results.tools-image)" + +--- diff --git a/shared/config/tools/secrets/ibm-entitled-key-secret.sh b/shared/config/tools/secrets/ibm-entitled-key-secret.sh new file mode 100755 index 0000000..8059b85 --- /dev/null +++ b/shared/config/tools/secrets/ibm-entitled-key-secret.sh 
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Set variables
+IBM_ENTITLEMENT_KEY=
+NAMESPACE=tools
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+oc create secret docker-registry ibm-entitlement-key \
+--docker-username=cp \
+--docker-server=cp.icr.io \
+--docker-password=${IBM_ENTITLEMENT_KEY} \
+--namespace=${NAMESPACE} \
+--dry-run=true -o yaml > delete-ibm-entitled-key-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ${NAMESPACE} --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-entitled-key-secret.yaml > ibm-entitled-key-secret.yaml
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-entitled-key-secret.yaml
\ No newline at end of file
diff --git a/shared/config/tools/secrets/ibm-entitled-key-secret.yaml b/shared/config/tools/secrets/ibm-entitled-key-secret.yaml
new file mode 100644
index 0000000..07d36e2
--- /dev/null
+++ b/shared/config/tools/secrets/ibm-entitled-key-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ namespace: tools
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: ibm-entitlement-key
+ namespace: tools
+ type: kubernetes.io/dockerconfigjson
+
diff --git a/slack-notifications/Chart.yaml b/slack-notifications/Chart.yaml
new file mode 100644
index 0000000..cbe47d3
--- /dev/null
+++ b/slack-notifications/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: slack-notifications
+version: 0.1.7
+appVersion: 1.16.0
+description: Slack Notifications
+dependencies:
+ - name: slack-notifications
+ version: 0.1.7
+ repository: https://cloud-native-toolkit.github.io/toolkit-charts/
\ No newline at end of file
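Review bot: `IBM_ENTITLEMENT_KEY=` is left empty and nothing aborts the run when it still is, so `oc create secret docker-registry` emits a pull secret with an empty password and kubeseal quietly seals that into `ibm-entitled-key-secret.yaml`. Take the key from the environment and fail fast with `set -euo pipefail` and `: "${IBM_ENTITLEMENT_KEY:?IBM_ENTITLEMENT_KEY must be set}"` at the top; once `set -e` is in place, replace the trailing `rm` with `trap 'rm -f delete-ibm-entitled-key-secret.yaml' EXIT` so an interrupted or failed kubeseal does not leave the plaintext secret on disk. `--dry-run=true` is the deprecated boolean form of the flag; `--dry-run=client` is the current spelling. Passing the key as `--docker-password=` also exposes it in the process list for the lifetime of the call; building the `.dockerconfigjson` in a file and using `--from-file=.dockerconfigjson=<path>` avoids that where the installed `oc` supports it.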
diff --git a/slack-notifications/slack-sealed-secret.yaml b/slack-notifications/slack-sealed-secret.yaml
new file mode 100644
index 0000000..64fabf4
--- /dev/null
+++ b/slack-notifications/slack-sealed-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: slack-secret
+ namespace: slack-notifications
+spec:
+ encryptedData:
+ SLACK_URL: 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
+ template:
+ data: null
+ metadata:
+ creationTimestamp: null
+ name: slack-secret
+ namespace: slack-notifications
+
diff --git a/slack-notifications/values.yaml b/slack-notifications/values.yaml
new file mode 100644
index 0000000..68bc845
--- /dev/null
+++ b/slack-notifications/values.yaml
@@ -0,0 +1,40 @@
+slack-notifications:
+ replicaCount: 1
+
+ image:
+ # source code for image can be found at https://github.com/cloud-native-toolkit/slack-notifications
+ repository: quay.io/ibmgaragecloud/slack-notifications
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: latest
+
+ imagePullSecrets: []
+ nameOverride: ""
+ fullnameOverride: ""
+
+ podAnnotations: {}
+
+ container:
+ port: 8080
+
+ service:
+ port: 80
+
+ broker:
+ name: default
+
+ secret:
+ # provide name of the secret that contains slack url
+ name: slack-secret
+ # provide key of the secret that contains slack url
+ key: SLACK_URL
+
+ triggers:
+ - name: taskrun-success-trigger
+ type: dev.tekton.event.taskrun.successful.v1
+ - name: taskrun-fail-trigger
+ type: dev.tekton.event.taskrun.failed.v1
+ - name: pipelinerun-success-trigger
+ type: dev.tekton.event.pipelinerun.successful.v1
+ - name: pipelinerun-fail-trigger
+ type: dev.tekton.event.pipelinerun.failed.v1
\ No newline at end of file
diff --git a/soapserver/config/argocd/soapserver/prod-app-soapserver.yaml b/soapserver/config/argocd/soapserver/prod-app-soapserver.yaml
new file mode 100644
index 0000000..6deef15
--- /dev/null
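Review bot: `tag: latest` together with `pullPolicy: IfNotPresent` in `values.yaml` means the slack-notifications pod runs whatever `latest` a node happened to cache, so two nodes or two clusters can silently run different code and there is no fixed artifact to roll back to or attest. The comment directly above it says the tag overrides the chart's appVersion, and `Chart.yaml` in this same commit declares `appVersion: 1.16.0`, so this override replaces a pinned default with a floating one. Pin it (`tag: "1.16.0"`, or better a `@sha256:` digest) or drop the override so the chart default applies. `imagePullSecrets: []` is fine for a public quay.io image, but a one-line comment saying the image is public would stop the next reader from assuming it is an omission.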
+++ b/soapserver/config/argocd/soapserver/prod-app-soapserver.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prod-app-soapserver
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: tools
+ server: https://kubernetes.default.svc
+ project: applications
+ source:
+ path: soapserver/environments/soapserver
+ repoURL: https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-apps.git
+ targetRevision: master
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/soapserver/environments/soapserver/deployments/soapserver-deployment.yaml b/soapserver/environments/soapserver/deployments/soapserver-deployment.yaml
new file mode 100644
index 0000000..8acdc36
--- /dev/null
+++ b/soapserver/environments/soapserver/deployments/soapserver-deployment.yaml
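Review bot: `targetRevision: master` combined with `automated.prune: true` and `selfHeal: true` means every push to `master` is applied to the `tools` namespace as soon as Argo CD polls, and anything removed from `soapserver/environments/soapserver` is deleted there, with no human gate for an Application named `prod-app-soapserver`. Pin production to a release tag or a protected release branch (`targetRevision: "<release-tag>"`) or, at minimum, keep `prune: false` until branch protection and required review on `master` are in place, since a single compromised commit otherwise reaches the cluster unattended. The destination `namespace: tools` also reads as inconsistent with the `prod-` name; if that is intentional, a comment on the `destination` block saying why would save the next reader a question.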
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: soapserver
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: soapserver
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: soapserver
+ spec:
+ containers:
+ - env:
+ - name: SPRING_PROFILES_ACTIVE
+ value: secure
+ - name: CLIENT_SSL_KEY_STORE
+ value: /certs/ibm-soap-server.jks
+ - name: CLIENT_SSL_TRUST_STORE
+ value: /certs/ibm-ca.jks
+ envFrom:
+ - secretRef:
+ name: ibm-passwords
+ image: quay.io/hollisc/soapserver:v1
+ imagePullPolicy: Always
+ name: soapserver
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /certs
+ name: certs
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: ibm-jks
diff --git a/soapserver/environments/soapserver/deployments/soapserver-nonsecure-deployment.yaml b/soapserver/environments/soapserver/deployments/soapserver-nonsecure-deployment.yaml
new file mode 100644
index 0000000..100a5b9
--- /dev/null
+++ b/soapserver/environments/soapserver/deployments/soapserver-nonsecure-deployment.yaml
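Review bot: the only `securityContext` in this Deployment is the empty pod-level `securityContext: {}`, the container declares no `securityContext` at all, and `resources: {}` sets no limits, so the manifest itself asks for nothing: no `runAsNonRoot`, no `allowPrivilegeEscalation: false`, no dropped capabilities and no memory ceiling for a JVM. If this lands under OpenShift's default restricted SCC much of that is injected at admission, but the manifest should state its own expectations so the same YAML stays safe on a namespace or cluster with a laxer policy; `soapserver-nonsecure-deployment.yaml` in the next hunk has the same gap. The `certs` volume uses `defaultMode: 420` (0644) for a keystore and truststore that only the container's own user needs to read; `256` (0400) is sufficient and keeps the private key out of reach of any other UID in the pod. `image: quay.io/hollisc/soapserver:v1` with `imagePullPolicy: Always` is a mutable tag pulled on every restart, so pinning by digest would make the running artifact attestable rather than whatever `v1` resolves to that day.

```yaml
        name: soapserver
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        resources:  # illustrative sizes; tune to measured usage
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: "1"
            memory: 512Mi
        # … unchanged: terminationMessagePath, terminationMessagePolicy, volumeMounts …
      # … unchanged: dnsPolicy through terminationGracePeriodSeconds …
      volumes:
      - name: certs
        secret:
          defaultMode: 256
          secretName: ibm-jks
```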
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: soapserver-nonsecure
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: soapserver-nonsecure
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: soapserver-nonsecure
+ spec:
+ containers:
+ - image: quay.io/hollisc/soapserver:v1
+ imagePullPolicy: Always
+ name: soapserver-nonsecure
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
\ No newline at end of file
diff --git a/soapserver/environments/soapserver/kustomization.yaml b/soapserver/environments/soapserver/kustomization.yaml
new file mode 100644
index 0000000..018d23c
--- /dev/null
+++ b/soapserver/environments/soapserver/kustomization.yaml
@@ -0,0 +1,9 @@
+resources:
+- deployments/soapserver-deployment.yaml
+- deployments/soapserver-nonsecure-deployment.yaml
+- routes/soapserver-route.yaml
+- routes/soapserver-nonsecure-route.yaml
+- secrets/ibm-jks-secret.yaml
+- secrets/ibm-passwords-secret.yaml
+- services/soapserver-svc.yaml
+- services/soapserver-nonsecure-svc.yaml
diff --git a/soapserver/environments/soapserver/routes/soapserver-nonsecure-route.yaml b/soapserver/environments/soapserver/routes/soapserver-nonsecure-route.yaml
new file mode 100644
index 0000000..a041253
--- /dev/null
+++ b/soapserver/environments/soapserver/routes/soapserver-nonsecure-route.yaml
@@ -0,0 +1,12 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: soapserver-nonsecure
+spec:
+ port:
+ targetPort: web
+ to:
+ kind: Service
+ name: soapserver-nonsecure
+ weight: 100
+ wildcardPolicy: None
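Review bot: `soapserver-nonsecure-route.yaml` has no `tls` stanza, so the OpenShift router publishes the `soapserver-nonsecure` service over plaintext HTTP to anything that can reach the router, which undoes the point of shipping a separate TLS-terminating variant of the same image. If the non-secure listener is only meant for in-cluster callers, drop `routes/soapserver-nonsecure-route.yaml` from `kustomization.yaml` and let the ClusterIP service serve it; if it must be reachable externally, add `tls:` / `termination: edge` / `insecureEdgeTerminationPolicy: Redirect` under `spec` so the router terminates TLS and refuses plaintext. `soapserver-nonsecure-deployment.yaml` in the first hunk on this line shares the missing container `securityContext` and `resources` raised on `soapserver-deployment.yaml`.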
diff --git a/soapserver/environments/soapserver/routes/soapserver-route.yaml b/soapserver/environments/soapserver/routes/soapserver-route.yaml
new file mode 100644
index 0000000..f100704
--- /dev/null
+++ b/soapserver/environments/soapserver/routes/soapserver-route.yaml
@@ -0,0 +1,14 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: soapserver
+spec:
+ port:
+ targetPort: web
+ tls:
+ termination: passthrough
+ to:
+ kind: Service
+ name: soapserver
+ weight: 100
+ wildcardPolicy: None
diff --git a/soapserver/environments/soapserver/secrets/ibm-jks-ibm-passwords-secret.sh b/soapserver/environments/soapserver/secrets/ibm-jks-ibm-passwords-secret.sh
new file mode 100755
index 0000000..4e7ead7
--- /dev/null
+++ b/soapserver/environments/soapserver/secrets/ibm-jks-ibm-passwords-secret.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Set variables
+NAMESPACE=tools
+SEALEDSECRET_NAMESPACE=sealed-secrets
+
+# Create Kubernetes Secret yaml
+# TO BE UDPATED
+oc create secret generic ibm-passwords \
+--from-literal=CLIENT_SSL_KEY_STORE_PASSWORD=passw0rd \
+--from-literal=CLIENT_SSL_TRUST_STORE_PASSWORD=passw0rd \
+--type Opaque \
+--namespace=tools \
+--dry-run=true -o yaml > delete-ibm-passwords-secret.yaml
+
+
+oc create secret generic ibm-jks \
+--from-file=ibm-ca.jks=/Users/Ritu.Patel@ibm.com/Desktop/ace-prod/github-ace/ace-rest-ws/certs/ibm-ca.jks \
+--from-file=ibm-soap-server.jks=/Users/Ritu.Patel@ibm.com/Desktop/ace-prod/github-ace/ace-rest-ws/certs/ibm-soap-server.jks \
+--type Opaque \
+--namespace=tools \
+--dry-run=true -o yaml > delete-ibm-jks-secret.yaml
+
+# Encrypt the secret using kubeseal and private key from the cluster
+kubeseal -n ${NAMESPACE} --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-jks-secret.yaml > ibm-jks-secret.yaml
+kubeseal -n ${NAMESPACE} --controller-name=sealedsecretcontroller-sealed-secrets --controller-namespace=${SEALEDSECRET_NAMESPACE} -o yaml < delete-ibm-passwords-secret.yaml > ibm-passwords-secret.yaml
+
+
+# NOTE, do not check delete-ibm-entitled-key-secret.yaml into git!
+rm delete-ibm-jks-secret.yaml
+rm delete-ibm-passwords-secret.yaml
diff --git a/soapserver/environments/soapserver/secrets/ibm-jks-secret.yaml b/soapserver/environments/soapserver/secrets/ibm-jks-secret.yaml
new file mode 100644
index 0000000..03037eb
--- /dev/null
+++ b/soapserver/environments/soapserver/secrets/ibm-jks-secret.yaml
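Review bot: `--from-literal=CLIENT_SSL_KEY_STORE_PASSWORD=passw0rd` and `--from-literal=CLIENT_SSL_TRUST_STORE_PASSWORD=passw0rd` commit the keystore and truststore passwords to the repository in plaintext, which makes sealing them into `ibm-passwords-secret.yaml` pointless: anyone with read access to this repo has the passwords, and anyone who can additionally read the `ibm-jks` secret in `tools` can open the keystore and extract the server's private key. The `# TO BE UDPATED` line suggests this is known, but the script ships as-is; take both passwords and the JKS directory from the environment behind `:?` guards, treat `passw0rd` as burned and rotate it once the change lands, and use `${NAMESPACE}` instead of the hardcoded `--namespace=tools` that silently ignores the variable defined above it. The `/Users/Ritu.Patel@ibm.com/...` paths tie the script to one workstation, and the closing comment names `delete-ibm-entitled-key-secret.yaml`, a file this script never creates. As with `ibm-entitled-key-secret.sh`, an EXIT trap should remove the plaintext `delete-*` files instead of the two unconditional `rm` lines, and `--dry-run=client` replaces the deprecated `--dry-run=true`.

```bash
set -euo pipefail

# Set variables
NAMESPACE=tools
SEALEDSECRET_NAMESPACE=sealed-secrets
# Passwords and keystore paths come from the environment; never commit them.
: "${CLIENT_SSL_KEY_STORE_PASSWORD:?set CLIENT_SSL_KEY_STORE_PASSWORD}"
: "${CLIENT_SSL_TRUST_STORE_PASSWORD:?set CLIENT_SSL_TRUST_STORE_PASSWORD}"
: "${CERTS_DIR:?set CERTS_DIR to the directory holding ibm-ca.jks and ibm-soap-server.jks}"
# Plaintext intermediates are removed on every exit path, not only the happy one.
trap 'rm -f delete-ibm-passwords-secret.yaml delete-ibm-jks-secret.yaml' EXIT

# Create Kubernetes Secret yaml
oc create secret generic ibm-passwords \
--from-literal=CLIENT_SSL_KEY_STORE_PASSWORD="${CLIENT_SSL_KEY_STORE_PASSWORD}" \
--from-literal=CLIENT_SSL_TRUST_STORE_PASSWORD="${CLIENT_SSL_TRUST_STORE_PASSWORD}" \
--type Opaque \
--namespace="${NAMESPACE}" \
--dry-run=client -o yaml > delete-ibm-passwords-secret.yaml

oc create secret generic ibm-jks \
--from-file=ibm-ca.jks="${CERTS_DIR}/ibm-ca.jks" \
--from-file=ibm-soap-server.jks="${CERTS_DIR}/ibm-soap-server.jks" \
--type Opaque \
--namespace="${NAMESPACE}" \
--dry-run=client -o yaml > delete-ibm-jks-secret.yaml

# … unchanged: the two kubeseal invocations …
# (the trailing rm lines are dropped; the EXIT trap above handles cleanup)
```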
@@ -0,0 +1,18 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: ibm-jks + namespace: tools +spec: + encryptedData: + ibm-ca.jks: 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 + ibm-soap-server.jks: AgAQgrGxzZeNqcmx4edxDT7M4psH95gGtRJHTIfvw3PuccugSFomvF4DD6PMfP1ONOe+pvz4Uc/x1kwC8r67CFcysdrfWDrAjjQJ5OGHXck/kFu9OYHVZxBtLoXHg8mOpsDoq5qlZEMBR7hW/0uskN8gBneCrTmawLdZej79EW2OkbVr3bcvmLThktd4BrSxAvm+G3xf6DY+gWiVSwl8cfUvO8v4KkMq00MfTgBSGs1oeBWsHsouGh4RiVVEHGbb8HLMCo0viEdAjfZEjLE23wKbhW4kUBx4YpJNGY4MM7hg91Gu6N+x/mEwxv6QyJ4GcUsx89AtNyQ6pcKu0uS4C8cJUZkSmJZ2naXGXv8shBywbbhxCAiIDSC+h2vT6qlg8iRLwv1+lq1bnbBzkCss8BQ5M/R7RI4Qol15LCXfOhRqNNR2TgQdlgPJBGuYkHa05fppTWic1ykdkq5VtoYYuGStyOwfOuocdc3KbK2eZXkZ8UXnW5iuI98yemkOOekSxXuMPdwCqELWS2Ics7ZqT2HlAHlTR3Bd6zXEB8IBjFJIQxsreI4ltOd9522R4pOqXGMeIcQzDHNFzDYv+wMuAeGauJiMfMS+i3nhqNIyj7MnV4+y8iU0ohgFr5MEat8j101sVib2cQ8+PRvvjjVNpvKeT48aew/hH2bt/i+ljTWAve+dRQTbl+Lhxslo1Opt+EGZiUyxi2kjIQoIVN5lQ3+GaWipjfCeaQYuE5S56n2TlO+Q5y30DsEGxSs2BlULRCZ/Eoo4F5zkvQ1U/p35RaMLfEOi/8dYvZdXO+WTJMX2fFpxyA8wxfYxA1grfUllfp08Zrpn4xNKrT+PHfbRkz8r2nF097mRvdAEt4eWSmIubxKWvr6sqCeBEI9QqIxDtTiN/jiIxeOPMknvpYx/COK+nBPbPWiE1nKK1Do6vXjeqbwCv/oLDP99pq/Dfy07PMz2f0qgcz/9ryQD4keyW71ov+KiOJA2yVSDEY8Yo0QFid67Sfh8gKw4hBH6SuUEAFTtwUKJTWhL0Lfq7KqpJKTlSIPaV6lRXmBXDHsYXNiq1jwEynkGEg+keELH+WTYDo0U7mGV9B7gMEBgMf51W/lmasFySFkuRSWIhwIr6VQ481zCzKYTMtS/SF2ySM1fwhpGChb96YW8qeAZKo7Y6+E/15/NvCIVzvDdlAO/V+fVICYO7c4r5Hk9TrBhbu11qt5CE9aDpQSCuef9Hd96mhO3qANzs+6PiLylN77V+1cUcHl5xvcZLuDidAHKbfWSA3gBfbAUIHaf6+goN1Jq/phkXl+hVRoVLx7dk7ED8C3al3FThssg+tJ/4fssCPybemXa7u6azYDaG3rbW7dSDTg8W8HUH8MrlfPiWZ4sq0rJUUCUHL7j9lO4JLd1ZAjyn/Ej/aca2OGYZEzMZR9P7bC//IpfxUd3+hoJeWPJU5eY0n4z2AkcxJ2PLKtZkmgh4735btvAw5LWQzbwLzHIlqSZ9Eth63E2f9hZyFxQ7hFaMPZ3zxjjywoxcv8ncQUGB7RdYQTbQMwUMlqk1uF0+HKVZLorJmwZdR6+dBwIxtBI0cl4F+46RPPl4YeOyJHI+zJsGxaTo3YWYpw0fWaGHWa+2XOPlEjn6PC2CIglzEEicVioimF+FcHg6+uA1tdtI4+y6lDC4CC95BhG5OZQX5p+ULxtGanhWM8sbqqZJSb89+RfrlItKgtz4lbhw2LiKY0GJ99j4HeVx8
NbEEupoS7kEfSW77zWftWcl9RtfxfjYE0is4rkeS/egPW/taGIJ8g4vhTSW3KatiPY8s7BuOcLLbcKMQhX2loDPncrhdHzXYaNCtoGU3luT04RDuCXYEoHN9FYQXf1bdTbzBBmH3MjaqWpB9NjAnuKRLg0pJX8BQ3bklodSenD8K0ey2dHHmC4a0E4Q/pZgoffb1p89bTbD82L4L+uIBTeKInWUR2PZIwBX8FOPys+whM9VjS/OYns78hISMi2AnI1wM36cTorZIhGQVLzcunp3soozSQRxLverb7FlPEr4rj4hZem558HS+KEJjcAPoV0tWtKZEiXVv1GVG5ysBukmTn9jE2YYajMFqdVt4oEdJEE2bRuSYEvwWaymzWpIhDS+gaIgEVSpoEKw7QG5N8H+z+CPYCiYMvNqNc6VP10cx8+o6onBzpuee/6IScqo0CIkVy5TLcvocvfzNHyI6VzI57nmUecIgMbxpeh4CWTHwpCX0Qh/ksgcJHTxAiXa8z6sNU3hUTBOsEyR9RS2NGXFf6lolKZplZKAE0mdKdWlulsbtwrGtx5s2tlf26BygZQSoFsmU2JEshDRgJ/NjozODbMmHI2wbxeOyjGzfRcS6O/MOZ9Ymu9bWClb0CRQUPe57jW82o9UL1NlBQBk/sYN8cle8+jIfOddV4MKdS9u9I44+mHlbK1n41kDWSAlRZqFLYhTrhRICQ6UI7xb4vI4En2LbZ3HIArOzJYhSz8JBxhbeksiPEry/0WLuaoIdfxMDkDimejyqNGfFpHq/HTzHHV0sWY5kK2IZvZdN0aV3xh6tfHB5xWTvAJwFXSF2MKBinh4Ty+h3AnRSghmeR7nDrs5ViF0q2NB86hbPug/JK7r0MHgQJZvXp1nSwCGbpcS6VtPRWpfQPQIEcbi0Pt4wUd+FlVukXk6w4p7gMQhJGllnZyRoIHwzKylYNrbIet/qWqJK04W2cjjEyQ6t1UgFAcNcPfS1/HrhLjIAFTZMu9aWpNwoIwhLq1l79pi6Xw0mdC7PYybqjezTj4Qk95wmMgka9540AK1X5aaDhdwBxm1cuDlsf6baemtAlSVhO7HZMVHnRTHw8tAaqoCr/aE7XD/ehFwu/20hlxWWrwN7Fi1yMdiZn7XZFFu5ucHCf/wNrvyLu0pKvFSJGqPEZEHdrJeu2Ya27b7HW0VTYc81LymAT0hFO9J1GTgA172X3Q/gIeWzqJTa8TQppwNr7ZzWx9gD5NGqAYzkzSvLNH5VzZq2+U3FPhiH21N8UXVGeqjAhkJmrdTgjci2GXk2YuK8cJLZWLdf5L974PIbVGPulktWhfINzZKP/jYVFHulyYzmgK+vxvPKQNQDvS0uKfs1MA6kZ6jHWazMdACBVLU6GY36l+g4o0QBVX5oIgZWrd4TfVX7YkROLBGTz0yN90OfjCj6mVTnkBmBl1MqEXS2vyXmXL02DnZzHZKHOSOFtZctOjTkXF6Xv/T4lSVSW9UbnkU5/6atv1GrUTHU7YZqWAddJawicqsnqOuYvcarLKBUD/o5cR7L132+sfLiodNJH5ZVHrXl6TaR8jlA0V6TjDx6gkvdM9hAdo800uVXUmqkw384tHnjHHtNkvPyDF1+3RQoFMLIkbThH/iO8/gSQBv1OkKsP+QZeqq9tsrgQGzUlS4CweBulRIx/N8pv4TuOmMGc7IHN+gQdlBisICm28z++JdEFavIVp0lShQoD0ccghcM0BzW3vYJxnIVaLOetgRM6HF5wLyOO3uKrHgMLfozBu5ibHIf0VmooyjuZKcIiRtw9gohTIvF6e3rxv4tCOvBdc1ZZRpFCe7+7qpwECoh1sJPbgqpoKBRVGaGp3fKp3FN3Wx2UPZLCfH+8K1gYVUGRnAU2ib/3JKvjEx9rtdQgPknVcgVHhqcNXJXbkhdmqfO+mtovVNe4u2ll7cQ2gHd4b9H8TOYxtLOdEn79+4EonBNAPQt5coLqd9hKnXfvJTcztgf1Rfi
nAW4udofTtPbg75uKDvh2u+bVjhTNSxp4Uky9fl7ubDDb0GeFrRhPGkDOGetnzj1j0l4WqNmOe8gDUv45MpgSp1nwqkYNwFq1XtgSYDFXThQllOKrckMLIZk7PjWfgXNGxq0isG4HataLuvkDO6fEmKWd0PlAp1J4DNo7j2DZSlyMKI+BbNs9ZE2A+GMhAvX9cpQ88ERuMDxScO8sCOVaorgL+zDXC8s468+GnfHFFGPczzVXlChCwedZi0UbA05UsiPHIKZjqDjuDS24SJuKgcSJeqONMJ7M2M/iqT4bK3imryNFVkv95QK8qPRcm0VVtHfJJgQpLnFz3VDAGuvgYIy3gTT4f3bPwHhqf65Hn7Xrj1E40k3TRzfjUtV3hW7Sm74WWQ8UfUczboQL2bFwY8XN75FMmT8SlIr8Em0TlR31nNl01pfgQdEMQ1JiKC4qGjnIlYonlGbj3
+ template:
+ data: null
+ metadata:
+ creationTimestamp: null
+ name: ibm-jks
+ namespace: tools
+ type: Opaque
+
diff --git a/soapserver/environments/soapserver/secrets/ibm-passwords-secret.yaml b/soapserver/environments/soapserver/secrets/ibm-passwords-secret.yaml
new file mode 100644
index 0000000..b315d6f
--- /dev/null
+++ b/soapserver/environments/soapserver/secrets/ibm-passwords-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: ibm-passwords
+ namespace: tools
+spec:
+ encryptedData:
+ CLIENT_SSL_KEY_STORE_PASSWORD: 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
+ CLIENT_SSL_TRUST_STORE_PASSWORD: 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
+ template:
+ data: null
+ metadata:
+ creationTimestamp: null
+ name: ibm-passwords
+ namespace: tools
+ type: Opaque
+
diff --git a/soapserver/environments/soapserver/services/soapserver-nonsecure-svc.yaml b/soapserver/environments/soapserver/services/soapserver-nonsecure-svc.yaml
new file mode 100644
index 0000000..f414fdf
--- /dev/null
+++ b/soapserver/environments/soapserver/services/soapserver-nonsecure-svc.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: soapserver-nonsecure
+spec:
+ ports:
+ - name: web
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: soapserver-nonsecure
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/soapserver/environments/soapserver/services/soapserver-svc.yaml b/soapserver/environments/soapserver/services/soapserver-svc.yaml
new file mode 100644
index 0000000..12a4c52
--- /dev/null
+++ b/soapserver/environments/soapserver/services/soapserver-svc.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: soapserver
+spec:
+ ports:
+ - name: web
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: soapserver
+ sessionAffinity: None
+ type: ClusterIP