feat(RELEASE-1614): ta in collect-marketpl..params

- Enable trusted artifacts in collect-marketplacesvm-params

Signed-off-by: Scott Hebert <[email protected]>

Author: scoheb

tasks/managed/collect-marketplacesvm-params/README.md

@@ -4,6 +4,15 @@ Tekton task that collects the secret for the cloud marketplaces from the data fi
 
 ## Parameters
 
-| Name         | Description                                                      | Optional | Default value |
-|--------------|------------------------------------------------------------------|----------|---------------|
-| dataPath     | Path to the merged data JSON file generated by collect-data task | No       | -             |
+| Name                    | Description                                                                                                                          | Optional | Default value |
+|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------|---------------|
+| dataPath                | Path to the merged data JSON file generated by collect-data task                                                                     | No       | -             |
+| ociStorage              | The OCI repository where the Trusted Artifacts are stored.                                                                           | No       | -             |
+| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.         | Yes      | ""            |
+| orasOptions             | oras options to pass to Trusted Artifacts calls                                                                                      | Yes      | ""            |
+| sourceDataArtifact      | The Trusted Artifact URI pointing to the artifact with the application snapshot spec and the release data                           | No       | -             |
+| dataDir                 | The location where data will be stored                                                                                               | No       | -             |
+| trustedArtifactsDebug   | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.                                             | Yes      | ""            |
+| taskGitUrl              | The url to the git repo where the release-service-catalog tasks to be used are stored                                                | No       | -             |
+| taskGitRevision         | The revision in the taskGitUrl repo to be used                                                                                       | No       | -             |
+

tasks/managed/collect-marketplacesvm-params/collect-marketplacesvm-params.yaml

@@ -13,6 +13,37 @@ spec:
     - name: dataPath
       type: string
       description: Path to the merged data JSON file generated by collect-data task
+    - name: ociStorage
+      type: string
+      description: The OCI repository where the Trusted Artifacts are stored.
+    - name: ociArtifactExpiresAfter
+      type: string
+      description: >
+        Expiration date for the trusted artifacts created in the OCI repository.
+        An empty string means the artifacts do not expire.
+        The format is YYYY-MM-DD.
+      default: ""
+    - name: orasOptions
+      type: string
+      description: oras options to pass to Trusted Artifacts calls
+      default: ""
+    - name: sourceDataArtifact
+      type: string
+      description: >
+        The Trusted Artifact URI pointing to the artifact with the application snapshot spec and the release data.
+    - name: dataDir
+      type: string
+      description: The location where data will be stored
+    - name: trustedArtifactsDebug
+      type: string
+      description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
+      default: ""
+    - name: taskGitUrl
+      type: string
+      description: The url to the git repo where the release-service-catalog tasks to be used are stored
+    - name: taskGitRevision
+      type: string
+      description: The revision in the taskGitUrl repo to be used
   workspaces:
     - name: data
       description: The workspace where the data json file resides
@@ -23,10 +54,59 @@ spec:
     - name: prePush
       type: string
       description: "Whether perform a pre-push (true) or not (false). When true it will not publish PROD."
+    - name: sourceDataArtifact
+      type: string
+      description: >
+        The Trusted Artifact URI pointing to the artifact with the application snapshot spec and the release data.
+  volumes:
+    - name: workdir
+      emptyDir: {}
+  stepTemplate:
+    volumeMounts:
+      - mountPath: /var/workdir
+        name: workdir
+    env:
+      - name: IMAGE_EXPIRES_AFTER
+        value: $(params.ociArtifactExpiresAfter)
+      - name: "ORAS_OPTIONS"
+        value: "$(params.orasOptions)"
+      - name: "DEBUG"
+        value: "$(params.trustedArtifactsDebug)"
   steps:
+    - name: skip-trusted-artifact-operations
+      ref:
+        resolver: git
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: stepactions/skip-trusted-artifact-operations/skip-trusted-artifact-operations.yaml
+      params:
+        - name: ociStorage
+          value: $(params.ociStorage)
+        - name: workDir
+          value: $(params.dataDir)
+    - name: use-trusted-artifact
+      ref:
+        resolver: git
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: stepactions/use-trusted-artifact/use-trusted-artifact.yaml
+      params:
+        - name: workDir
+          value: $(params.dataDir)
+        - name: sourceDataArtifact
+          value: $(params.sourceDataArtifact)
     - name: collect-marketplacesvm-params
       image:
         quay.io/konflux-ci/release-service-utils:6556e8a6b031c1aad4f0472703fd121a6e1cd45d
+      workingDir: $(params.dataDir)
       computeResources:
         limits:
           memory: 128Mi
@@ -37,7 +117,7 @@ spec:
         #!/usr/bin/env bash
         set -eux
 
-        DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
+        DATA_FILE="$(params.dataDir)/$(params.dataPath)"
         if [ ! -f "${DATA_FILE}" ] ; then
             echo "No valid data file was provided."
             exit 1
@@ -50,3 +130,35 @@ spec:
 
         jq -j '.mapping.cloudMarketplacesSecret' "$DATA_FILE" | tee "$(results.cloudMarketplacesSecret.path)"
         jq -j '.mapping.cloudMarketplacesPrePush // false' "$DATA_FILE" | tee > "$(results.prePush.path)"
+    - name: create-trusted-artifact
+      ref:
+        resolver: git
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: stepactions/create-trusted-artifact/create-trusted-artifact.yaml
+      params:
+        - name: ociStorage
+          value: $(params.ociStorage)
+        - name: workDir
+          value: $(params.dataDir)
+        - name: sourceDataArtifact
+          value: $(results.sourceDataArtifact.path)
+    - name: patch-source-data-artifact-result
+      ref:
+        resolver: git
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: stepactions/patch-source-data-artifact-result/patch-source-data-artifact-result.yaml
+      params:
+        - name: ociStorage
+          value: $(params.ociStorage)
+        - name: sourceDataArtifact
+          value: $(results.sourceDataArtifact.path)

tasks/managed/collect-marketplacesvm-params/tests/test-collect-marketplacesvm-params-fail-no-data.yaml

@@ -10,13 +10,108 @@ spec:
     Run the collect-marketplacesvm-params task with no data file and verify the taks fails as expected
   workspaces:
     - name: tests-workspace
+  params:
+    - name: ociStorage
+      description: The OCI repository where the Trusted Artifacts are stored.
+      type: string
+    - name: ociArtifactExpiresAfter
+      description: Expiration date for the trusted artifacts created in the
+        OCI repository. An empty string means the artifacts do not expire.
+      type: string
+      default: "1d"
+    - name: orasOptions
+      description: oras options to pass to Trusted Artifacts calls
+      type: string
+      default: "--insecure"
+    - name: trustedArtifactsDebug
+      description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
+      type: string
+      default: ""
+    - name: dataDir
+      description: The location where data will be stored
+      type: string
   tasks:
+    - name: setup
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskSpec:
+        results:
+          - name: sourceDataArtifact
+            type: string
+        workspaces:
+          - name: data
+        volumes:
+          - name: workdir
+            emptyDir: {}
+        stepTemplate:
+          volumeMounts:
+            - mountPath: /var/workdir
+              name: workdir
+          env:
+            - name: IMAGE_EXPIRES_AFTER
+              value: $(params.ociArtifactExpiresAfter)
+            - name: "ORAS_OPTIONS"
+              value: "$(params.orasOptions)"
+            - name: "DEBUG"
+              value: "$(params.trustedArtifactsDebug)"
+        steps:
+          - name: setup-values
+            image: quay.io/konflux-ci/release-service-utils:6556e8a6b031c1aad4f0472703fd121a6e1cd45d
+            script: |
+              #!/usr/bin/env sh
+              set -eux
+
+              mkdir -p "$(params.dataDir)/results"
+              # No data file created intentionally to test failure case
+          - name: skip-trusted-artifact-operations
+            ref:
+              name: skip-trusted-artifact-operations
+            params:
+              - name: ociStorage
+                value: $(params.ociStorage)
+              - name: workDir
+                value: $(params.dataDir)
+          - name: create-trusted-artifact
+            ref:
+              name: create-trusted-artifact
+            params:
+              - name: ociStorage
+                value: $(params.ociStorage)
+              - name: workDir
+                value: $(params.dataDir)
+              - name: sourceDataArtifact
+                value: $(results.sourceDataArtifact.path)
+          - name: patch-source-data-artifact-result
+            ref:
+              name: patch-source-data-artifact-result
+            params:
+              - name: ociStorage
+                value: $(params.ociStorage)
+              - name: sourceDataArtifact
+                value: $(results.sourceDataArtifact.path)
     - name: run-task
       taskRef:
         name: collect-marketplacesvm-params
       params:
         - name: dataPath
           value: data.json
+        - name: ociStorage
+          value: $(params.ociStorage)
+        - name: orasOptions
+          value: $(params.orasOptions)
+        - name: sourceDataArtifact
+          value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)"
+        - name: dataDir
+          value: $(params.dataDir)
+        - name: trustedArtifactsDebug
+          value: $(params.trustedArtifactsDebug)
+        - name: taskGitUrl
+          value: "http://localhost"
+        - name: taskGitRevision
+          value: "main"
       workspaces:
         - name: data
           workspace: tests-workspace
+      runAfter:
+        - setup

tasks/managed/collect-marketplacesvm-params/tests/test-collect-marketplacesvm-params-fail-no-secret.yaml

@@ -11,22 +11,60 @@ spec:
     verify the task fails as expected
   workspaces:
     - name: tests-workspace
+  params:
+    - name: ociStorage
+      description: The OCI repository where the Trusted Artifacts are stored.
+      type: string
+    - name: ociArtifactExpiresAfter
+      description: Expiration date for the trusted artifacts created in the
+        OCI repository. An empty string means the artifacts do not expire.
+      type: string
+      default: "1d"
+    - name: orasOptions
+      description: oras options to pass to Trusted Artifacts calls
+      type: string
+      default: "--insecure"
+    - name: trustedArtifactsDebug
+      description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
+      type: string
+      default: ""
+    - name: dataDir
+      description: The location where data will be stored
+      type: string
   tasks:
     - name: setup
       workspaces:
         - name: data
           workspace: tests-workspace
       taskSpec:
+        results:
+          - name: sourceDataArtifact
+            type: string
         workspaces:
           - name: data
+        volumes:
+          - name: workdir
+            emptyDir: {}
+        stepTemplate:
+          volumeMounts:
+            - mountPath: /var/workdir
+              name: workdir
+          env:
+            - name: IMAGE_EXPIRES_AFTER
+              value: $(params.ociArtifactExpiresAfter)
+            - name: "ORAS_OPTIONS"
+              value: "$(params.orasOptions)"
+            - name: "DEBUG"
+              value: "$(params.trustedArtifactsDebug)"
         steps:
           - name: setup-values
             image: quay.io/konflux-ci/release-service-utils:6556e8a6b031c1aad4f0472703fd121a6e1cd45d
             script: |
               #!/usr/bin/env sh
               set -eux
 
-              cat > "$(workspaces.data.path)/data.json" << EOF
+              mkdir -p "$(params.dataDir)/results"
+              cat > "$(params.dataDir)/data.json" << EOF
               {
                 "mapping": {
                   "components": [
@@ -40,12 +78,52 @@ spec:
                 }
               }
               EOF
+          - name: skip-trusted-artifact-operations
+            ref:
+              name: skip-trusted-artifact-operations
+            params:
+              - name: ociStorage
+                value: $(params.ociStorage)
+              - name: workDir
+                value: $(params.dataDir)
+          - name: create-trusted-artifact
+            ref:
+              name: create-trusted-artifact
+            params:
+              - name: ociStorage
+                value: $(params.ociStorage)
+              - name: workDir
+                value: $(params.dataDir)
+              - name: sourceDataArtifact
+                value: $(results.sourceDataArtifact.path)
+          - name: patch-source-data-artifact-result
+            ref:
+              name: patch-source-data-artifact-result
+            params:
+              - name: ociStorage
+                value: $(params.ociStorage)
+              - name: sourceDataArtifact
+                value: $(results.sourceDataArtifact.path)
     - name: run-task
       taskRef:
         name: collect-marketplacesvm-params
       params:
         - name: dataPath
           value: data.json
+        - name: ociStorage
+          value: $(params.ociStorage)
+        - name: orasOptions
+          value: $(params.orasOptions)
+        - name: sourceDataArtifact
+          value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)"
+        - name: dataDir
+          value: $(params.dataDir)
+        - name: trustedArtifactsDebug
+          value: $(params.trustedArtifactsDebug)
+        - name: taskGitUrl
+          value: "http://localhost"
+        - name: taskGitRevision
+          value: "main"
       workspaces:
         - name: data
           workspace: tests-workspace