feat(RELEASE-1614): enable trusted artifacts in collect-marketplacesvm-params #1136

Merged
merged 1 commit into from
Jul 7, 2025
15 changes: 12 additions & 3 deletions tasks/managed/collect-marketplacesvm-params/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,15 @@ Tekton task that collects the secret for the cloud marketplaces from the data fi

## Parameters

| Name | Description | Optional | Default value |
|--------------|------------------------------------------------------------------|----------|---------------|
| dataPath | Path to the merged data JSON file generated by collect-data task | No | - |
| Name | Description | Optional | Default value |
|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------|---------------|
| dataPath | Path to the merged data JSON file generated by collect-data task | No | - |
| ociStorage | The OCI repository where the Trusted Artifacts are stored. | No | - |
| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. The format is YYYY-MM-DD | Yes | "" |
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
| sourceDataArtifact | The Trusted Artifact URI pointing to the artifact with the application snapshot spec and the release data | No | - |
| dataDir | The location where data will be stored | No | - |
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable. | Yes | "" |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | No | - |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,37 @@ spec:
- name: dataPath
type: string
description: Path to the merged data JSON file generated by collect-data task
- name: ociStorage
type: string
description: The OCI repository where the Trusted Artifacts are stored
- name: ociArtifactExpiresAfter
type: string
description: >
Expiration date for the trusted artifacts created in the OCI repository
An empty string means the artifacts do not expire
The format is YYYY-MM-DD
default: ""
- name: orasOptions
type: string
description: oras options to pass to Trusted Artifacts calls
default: ""
- name: sourceDataArtifact
type: string
description: >
The Trusted Artifact URI pointing to the artifact with the application snapshot spec and the release data
- name: dataDir
type: string
description: The location where data will be stored
- name: trustedArtifactsDebug
type: string
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable
default: ""
- name: taskGitUrl
type: string
description: The url to the git repo where the release-service-catalog tasks to be used are stored
- name: taskGitRevision
type: string
description: The revision in the taskGitUrl repo to be used
workspaces:
- name: data
description: The workspace where the data json file resides
Expand All @@ -23,10 +54,71 @@ spec:
- name: prePush
type: string
description: "Whether perform a pre-push (true) or not (false). When true it will not publish PROD."
- name: sourceDataArtifact
type: string
description: >
The Trusted Artifact URI pointing to the artifact with the application snapshot spec and the release data
volumes:
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /var/workdir
name: workdir
env:
- name: IMAGE_EXPIRES_AFTER
value: $(params.ociArtifactExpiresAfter)
- name: "ORAS_OPTIONS"
value: "$(params.orasOptions)"
- name: "DEBUG"
value: "$(params.trustedArtifactsDebug)"
steps:
- name: skip-trusted-artifact-operations
computeResources:
limits:
memory: 32Mi
requests:
memory: 32Mi
cpu: 20m
ref:
resolver: git
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: stepactions/skip-trusted-artifact-operations/skip-trusted-artifact-operations.yaml
params:
- name: ociStorage
value: $(params.ociStorage)
- name: workDir
value: $(params.dataDir)
- name: use-trusted-artifact
computeResources:
limits:
memory: 64Mi
requests:
memory: 64Mi
cpu: 30m
ref:
resolver: git
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: stepactions/use-trusted-artifact/use-trusted-artifact.yaml
params:
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(params.sourceDataArtifact)
- name: collect-marketplacesvm-params
image:
quay.io/konflux-ci/release-service-utils:6556e8a6b031c1aad4f0472703fd121a6e1cd45d
workingDir: $(params.dataDir)
computeResources:
limits:
memory: 128Mi
Expand All @@ -37,7 +129,7 @@ spec:
#!/usr/bin/env bash
set -eux

DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
DATA_FILE="$(params.dataDir)/$(params.dataPath)"
if [ ! -f "${DATA_FILE}" ] ; then
echo "No valid data file was provided."
exit 1
Expand All @@ -50,3 +142,47 @@ spec:

jq -j '.mapping.cloudMarketplacesSecret' "$DATA_FILE" | tee "$(results.cloudMarketplacesSecret.path)"
jq -j '.mapping.cloudMarketplacesPrePush // false' "$DATA_FILE" | tee > "$(results.prePush.path)"
- name: create-trusted-artifact
computeResources:
limits:
memory: 128Mi
requests:
memory: 128Mi
cpu: 250m
ref:
resolver: git
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: stepactions/create-trusted-artifact/create-trusted-artifact.yaml
params:
- name: ociStorage
value: $(params.ociStorage)
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(results.sourceDataArtifact.path)
- name: patch-source-data-artifact-result
computeResources:
limits:
memory: 32Mi
requests:
memory: 32Mi
cpu: 20m
ref:
resolver: git
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: stepactions/patch-source-data-artifact-result/patch-source-data-artifact-result.yaml
params:
- name: ociStorage
value: $(params.ociStorage)
- name: sourceDataArtifact
value: $(results.sourceDataArtifact.path)
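Review bot: The four git-resolved step actions (`skip-trusted-artifact-operations`, `use-trusted-artifact`, `create-trusted-artifact`, `patch-source-data-artifact-result`) are fetched at run time from `taskGitUrl` at `taskGitRevision`, and nothing in the param descriptions added at the top of the first hunk says the revision should be immutable; with a branch name the code executed inside this task can change without any change to the task itself. I would extend the description to `description: The revision in the taskGitUrl repo to be used. Pass an immutable ref (a commit SHA) so the step actions fetched at run time cannot change under the task`. Separately, the `>` folded description of `ociArtifactExpiresAfter` renders as a single line with no separators between its three sentences (the README wording has full stops); `>-` with a period at the end of the first two lines reads cleanly and drops the trailing newline. It also looks like `dataDir` has to lie beneath the `/var/workdir` mount declared in `stepTemplate` for files written by `use-trusted-artifact` to be visible to the following steps; if that is the convention, the `dataDir` description should say so. The `collect-marketplacesvm-params` step and the `workspaces:` stanza continue outside the visible hunks.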
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,108 @@ spec:
Run the collect-marketplacesvm-params task with no data file and verify the taks fails as expected
workspaces:
- name: tests-workspace
params:
- name: ociStorage
description: The OCI repository where the Trusted Artifacts are stored.
type: string
- name: ociArtifactExpiresAfter
description: Expiration date for the trusted artifacts created in the
OCI repository. An empty string means the artifacts do not expire.
type: string
default: "1d"
- name: orasOptions
description: oras options to pass to Trusted Artifacts calls
type: string
default: "--insecure"
- name: trustedArtifactsDebug
description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.
type: string
default: ""
- name: dataDir
description: The location where data will be stored
type: string
tasks:
- name: setup
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
results:
- name: sourceDataArtifact
type: string
workspaces:
- name: data
volumes:
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /var/workdir
name: workdir
env:
- name: IMAGE_EXPIRES_AFTER
value: $(params.ociArtifactExpiresAfter)
- name: "ORAS_OPTIONS"
value: "$(params.orasOptions)"
- name: "DEBUG"
value: "$(params.trustedArtifactsDebug)"
steps:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:6556e8a6b031c1aad4f0472703fd121a6e1cd45d
script: |
#!/usr/bin/env sh
set -eux

mkdir -p "$(params.dataDir)/results"
# No data file created intentionally to test failure case
- name: skip-trusted-artifact-operations
ref:
name: skip-trusted-artifact-operations
params:
- name: ociStorage
value: $(params.ociStorage)
- name: workDir
value: $(params.dataDir)
- name: create-trusted-artifact
ref:
name: create-trusted-artifact
params:
- name: ociStorage
value: $(params.ociStorage)
- name: workDir
value: $(params.dataDir)
- name: sourceDataArtifact
value: $(results.sourceDataArtifact.path)
- name: patch-source-data-artifact-result
ref:
name: patch-source-data-artifact-result
params:
- name: ociStorage
value: $(params.ociStorage)
- name: sourceDataArtifact
value: $(results.sourceDataArtifact.path)
- name: run-task
taskRef:
name: collect-marketplacesvm-params
params:
- name: dataPath
value: data.json
- name: ociStorage
value: $(params.ociStorage)
- name: orasOptions
value: $(params.orasOptions)
- name: sourceDataArtifact
value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)"
- name: dataDir
value: $(params.dataDir)
- name: trustedArtifactsDebug
value: $(params.trustedArtifactsDebug)
- name: taskGitUrl
value: "http://localhost"
- name: taskGitRevision
value: "main"
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- setup
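Review bot: The test's `ociArtifactExpiresAfter` default is `"1d"` (in the `params:` block near the top of the hunk), while the task under test documents the same value as a `YYYY-MM-DD` date; both end up in the same `IMAGE_EXPIRES_AFTER` env var, so one of the two descriptions is inaccurate and should be corrected against what the step action actually accepts. Note also that `run-task` does not pass `ociArtifactExpiresAfter` at all, so the artifact created by the task's own `create-trusted-artifact` step gets the task default of `""`, which the description says means no expiry; if test artifacts are meant to expire, add `- name: ociArtifactExpiresAfter` / `value: $(params.ociArtifactExpiresAfter)` to its `params`. The `description:` of that same param is a plain scalar continued onto a second line; `>-` makes the intended folding explicit.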