Merge pull request #2138 from lcarva/release-pipeline

Add Konflux release Pipelines

Makefile

@@ -83,6 +83,11 @@ build-for-test: dist/ec_$(BUILD_IMG_ARCH)
 clean: ## Delete build output
 	@rm -f dist/*
 
+.PHONY: generate-pipelines
+generate-pipelines: ## Generate release pipelines
+	kustomize build ./release/src/cli --output ./release/cli.yaml
+	kustomize build ./release/src/tekton-task --output ./release/tekton-task.yaml
+
 ##@ Testing
 
 # Declutter the output by grepping out the files where there are no

.ec/policy.yaml → policies/cli/policy.yaml

@@ -1,3 +1,19 @@
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
 #
 # If we need to diverge from the "official" policy for pre-merge EC checks,
 # the EC integration test scenario POLICY_CONFIGURATION param can be set to

policies/tekton-task/policy.yaml

@@ -0,0 +1,32 @@
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# The bundle for the Tekton Task requires a different policy as it is not a traditional container
+# image.
+#
+description: 'Custom pre-merge policy for ec-cli'
+publicKey: 'k8s://openshift-pipelines/public-key'
+sources:
+  - name: Release Policies
+    data:
+      - github.com/release-engineering/rhtap-ec-policy//data
+      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+    policy:
+      - oci::quay.io/enterprise-contract/ec-release-policy:latest
+    config:
+      include:
+        - '@slsa3'

release/README.md

@@ -0,0 +1,14 @@
+# Release Pipelines
+
+This directory contains the Tekton Pipelines used to release EC from the main branch. These
+Pipelines execute in [Konflux](https://konflux-ci.dev/).
+
+The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src` directory. To
+make changes to the Pipelines, update the corresponding files in that directory and run the
+`make generate-pipelines` command (requires `kustomize`).
+
+## Why are there two Pipelines?
+
+Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline
+parameter. Because the CLI and the Tekton Task require different EC policies, the only way to
+achieve this is by using different Pipelines with different default values for the EC policy.

release/cli.yaml

@@ -0,0 +1,218 @@
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: release-cli
+spec:
+  description: Tekton pipeline to release Snapshots to a registry.
+  finally:
+  - name: cleanup
+    params:
+    - name: subdirectory
+      value: $(context.pipelineRun.uid)
+    - name: delay
+      value: "0"
+    taskRef:
+      params:
+      - name: url
+        value: https://github.com/konflux-ci/release-service-catalog.git
+      - name: revision
+        value: production
+      - name: pathInRepo
+        value: tasks/cleanup-workspace/cleanup-workspace.yaml
+      resolver: git
+    workspaces:
+    - name: input
+      workspace: release-workspace
+  params:
+  - description: The namespaced name (namespace/name) of the Release custom resource
+      initiating this pipeline execution
+    name: release
+    type: string
+  - description: The namespaced name (namespace/name) of the releasePlan
+    name: releasePlan
+    type: string
+  - description: The namespaced name (namespace/name) of the snapshot
+    name: snapshot
+    type: string
+  - default: github.com/enterprise-contract/ec-cli//policies/cli
+    description: JSON representation of the EnterpriseContractPolicy
+    name: enterpriseContractPolicy
+    type: string
+  - default: pipeline_intention=release
+    description: |
+      Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax
+      "key1=value1,key2=value2..."
+    name: enterpriseContractExtraRuleData
+    type: string
+  - default: 40m0s
+    description: Timeout setting for `ec validate`
+    name: enterpriseContractTimeout
+    type: string
+  tasks:
+  - name: verify-access-to-resources
+    params:
+    - name: release
+      value: $(params.release)
+    - name: releasePlan
+      value: $(params.releasePlan)
+    - name: snapshot
+      value: $(params.snapshot)
+    - name: requireInternalServices
+      value: "false"
+    taskRef:
+      params:
+      - name: url
+        value: https://github.com/lcarva/release-service-bundles.git
+      - name: revision
+        value: support-tenant-releases
+      - name: pathInRepo
+        value: tasks/verify-access-to-resources/verify-access-to-resources.yaml
+      resolver: git
+  - name: collect-data
+    params:
+    - name: release
+      value: $(params.release)
+    - name: releasePlan
+      value: $(params.releasePlan)
+    - name: snapshot
+      value: $(params.snapshot)
+    - name: subdirectory
+      value: $(context.pipelineRun.uid)
+    runAfter:
+    - verify-access-to-resources
+    taskRef:
+      params:
+      - name: url
+        value: https://github.com/lcarva/release-service-bundles.git
+      - name: revision
+        value: support-tenant-releases
+      - name: pathInRepo
+        value: tasks/collect-data/collect-data.yaml
+      resolver: git
+    workspaces:
+    - name: data
+      workspace: release-workspace
+  - name: reduce-snapshot
+    params:
+    - name: SNAPSHOT
+      value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)
+    - name: SINGLE_COMPONENT
+      value: $(tasks.collect-data.results.singleComponentMode)
+    - name: SINGLE_COMPONENT_CUSTOM_RESOURCE
+      value: snapshot/$(tasks.collect-data.results.snapshotName)
+    - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS
+      value: $(tasks.collect-data.results.snapshotNamespace)
+    - name: SNAPSHOT_PATH
+      value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)
+    runAfter:
+    - collect-data
+    taskRef:
+      params:
+      - name: url
+        value: https://github.com/konflux-ci/release-service-catalog.git
+      - name: revision
+        value: production
+      - name: pathInRepo
+        value: tasks/reduce-snapshot/reduce-snapshot.yaml
+      resolver: git
+    workspaces:
+    - name: data
+      workspace: release-workspace
+  - name: apply-mapping
+    params:
+    - name: failOnEmptyResult
+      value: "true"
+    - name: dataPath
+      value: $(tasks.collect-data.results.data)
+    - name: snapshotPath
+      value: $(tasks.collect-data.results.snapshotSpec)
+    runAfter:
+    - reduce-snapshot
+    taskRef:
+      params:
+      - name: url
+        value: https://github.com/konflux-ci/release-service-catalog.git
+      - name: revision
+        value: development
+      - name: pathInRepo
+        value: tasks/apply-mapping/apply-mapping.yaml
+      resolver: git
+    workspaces:
+    - name: config
+      workspace: release-workspace
+  - name: verify-enterprise-contract
+    params:
+    - name: IMAGES
+      value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)
+    - name: SSL_CERT_DIR
+      value: /var/run/secrets/kubernetes.io/serviceaccount
+    - name: POLICY_CONFIGURATION
+      value: $(params.enterpriseContractPolicy)
+    - name: STRICT
+      value: "1"
+    - name: IGNORE_REKOR
+      value: "true"
+    - name: EXTRA_RULE_DATA
+      value: $(params.enterpriseContractExtraRuleData)
+    - name: TIMEOUT
+      value: $(params.enterpriseContractTimeout)
+    runAfter:
+    - apply-mapping
+    taskRef:
+      params:
+      - name: bundle
+        value: quay.io/enterprise-contract/ec-task-bundle:snapshot
+      - name: kind
+        value: task
+      - name: name
+        value: verify-enterprise-contract
+      resolver: bundles
+    workspaces:
+    - name: data
+      workspace: release-workspace
+  - name: push-snapshot
+    params:
+    - name: snapshotPath
+      value: $(tasks.collect-data.results.snapshotSpec)
+    - name: dataPath
+      value: $(tasks.collect-data.results.data)
+    - name: resultsDirPath
+      value: $(tasks.collect-data.results.resultsDir)
+    retries: 5
+    runAfter:
+    - verify-enterprise-contract
+    taskRef:
+      params:
+      - name: url
+        value: https://github.com/lcarva/release-service-bundles.git
+      - name: revision
+        value: KFLUXBUGS-1741
+      - name: pathInRepo
+        value: tasks/push-snapshot/push-snapshot.yaml
+      resolver: git
+    when:
+    - input: $(tasks.apply-mapping.results.mapped)
+      operator: in
+      values:
+      - "true"
+    workspaces:
+    - name: data
+      workspace: release-workspace
+  workspaces:
+  - name: release-workspace

release/src/base/kustomization.yaml

@@ -0,0 +1,34 @@
+---
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - release.yaml
+patches:
+  - path: tasks/verify-access-to-resources.yaml
+    target:
+      kind: Pipeline
+  - path: tasks/collect-data.yaml
+    target:
+      kind: Pipeline
+  - path: tasks/apply-mapping.yaml
+    target:
+      kind: Pipeline
+  - path: tasks/push-snapshot.yaml
+    target:
+      kind: Pipeline