feat: add ansible execution environment build pipeline (#6)

feat: include pre-commit setup, secret scanning, ansible-lint, EE build and a basic sanity test
StinkyBenji · Oct 23, 2023 · 52639b1 · 52639b1
1 parent fa6e709
commit 52639b1
Show file tree

Hide file tree

Showing 23 changed files with 2,593 additions and 21 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+*secret*
+node_modules/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,13 @@
 fail_fast: true
 
 repos:
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.5.0
+    hooks:
+      - id: commitlint
+        stages: [commit-msg]
+        additional_dependencies: ["@commitlint/config-conventional"]
+
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v2.3.0
     hooks:
@@ -24,11 +31,6 @@ repos:
           - mdformat-mkdocs
           - mdformat-admon
 
-  - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.33.0
-    hooks:
-      - id: markdownlint-fix
-
   - repo: https://github.com/pre-commit/mirrors-prettier
     rev: v3.0.3
     hooks:

diff --git a/.tekton/linter.yaml → .tekton/ansible-ee-pipeline.yaml b/.tekton/linter.yaml → .tekton/ansible-ee-pipeline.yaml
@@ -2,15 +2,19 @@
 apiVersion: tekton.dev/v1beta1
 kind: PipelineRun
 metadata:
-  name: linter
+  name: ansible-ee-pipeline
   annotations:
     pipelinesascode.tekton.dev/on-event: "[push, pull_request]"
     pipelinesascode.tekton.dev/on-target-branch: "[main]"
     pipelinesascode.tekton.dev/max-keep-runs: "5"
     pipelinesascode.tekton.dev/task: "[git-clone]"
     pipelinesascode.tekton.dev/task-1: "[.tekton/tasks/gitleaks.yaml]"
-    pipelinesascode.tekton.dev/task-2: "[.tekton/tasks/yaml-lint.yaml]"
-    pipelinesascode.tekton.dev/task-3: "[.tekton/tasks/ansible-lint.yaml]"
+    pipelinesascode.tekton.dev/task-2: "[.tekton/tasks/ansible-lint.yaml]"
+    pipelinesascode.tekton.dev/task-3: "[.tekton/tasks/ansible-builder-create.yaml]"
+    pipelinesascode.tekton.dev/task-4: "[.tekton/tasks/buildah.yaml]"
+    pipelinesascode.tekton.dev/task-5: "[.tekton/tasks/ansible-ee-sanity-test.yaml]"
+    pipelinesascode.tekton.dev/on-cel-expression: |
+      event == "pull_request" && target_branch == "main" && "examples/ansible-ee/***".pathChanged()
 spec:
   params:
     - name: repo_url
@@ -23,6 +27,8 @@ spec:
       - name: revision
     workspaces:
       - name: source
+      - name: quay-credentials
+      - name: registry-credentials
     tasks:
       - name: fetch-repository
         taskRef:
@@ -52,30 +58,64 @@ spec:
           - name: report_output_path
             value: gitleaks-report.json
 
-      - name: yaml-lint
+      - name: ansible-lint
         runAfter:
-          - detect-secrets
+          - fetch-repository
         taskRef:
-          name: yaml-lint
+          name: ansible-lint
         workspaces:
           - name: source
             workspace: source
-        params:
-          - name: extra-args
-            value: "-c .yamllint ."
 
-      - name: ansible-lint
+      - name: ansible-builder-create
         runAfter:
-          - yaml-lint
+          - ansible-lint
         taskRef:
-          name: ansible-lint
+          name: ansible-builder-create
+          kind: Task
         workspaces:
           - name: source
             workspace: source
         params:
-          - name: manifests-path
+          - name: OUTPUT_FILENAME
+            value: Dockerfile
+          - name: PATH
             value: "examples/ansible-ee"
 
+      - name: build-image-tag
+        taskRef:
+          name: buildah
+        workspaces:
+          - name: source
+            workspace: source
+          - name: dockerconfig
+            workspace: registry-credentials
+        runAfter:
+          - ansible-builder-create
+        params:
+          - name: TLSVERIFY
+            value: "false"
+          - name: IMAGE
+            value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
+          - name: TAG
+            value: v0.1.0
+          - name: CONTEXT
+            value: "examples/ansible-ee"
+
+      - name: ee-sanity-test
+        taskRef:
+          name: ansible-ee-sanity-test
+        workspaces:
+          - name: source
+            workspace: source
+        runAfter:
+          - build-image-tag
+        params:
+          - name: IMAGE
+            value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
+          - name: TAG
+            value: v0.1.0
+
   workspaces:
     - name: source
       volumeClaimTemplate:
@@ -85,3 +125,9 @@ spec:
           resources:
             requests:
               storage: 5Gi
+    - name: quay-credentials
+      secret:
+        secretName: quay-credentials
+    - name: registry-credentials
+      secret:
+        secretName: registry-credentials
diff --git a/.tekton/buildah-rootless/kustomization.yaml b/.tekton/buildah-rootless/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+  - pipelines-unprivileged-sa.yaml
+  - pipelines-unprivileged-clusterrole.yaml
+  - pipelines-unprivileged-rb.yaml
+  - pipelines-unprivileged-scc.yaml
diff --git a/.tekton/buildah-rootless/pipelines-unprivileged-clusterrole.yaml b/.tekton/buildah-rootless/pipelines-unprivileged-clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pipelines-scc-userid-1000-clusterrole
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - pipelines-scc-userid-1000
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
diff --git a/.tekton/buildah-rootless/pipelines-unprivileged-rb.yaml b/.tekton/buildah-rootless/pipelines-unprivileged-rb.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pipelines-scc-userid-1000-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pipelines-scc-userid-1000-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: pipelines-sa-userid-1000
diff --git a/.tekton/buildah-rootless/pipelines-unprivileged-sa.yaml b/.tekton/buildah-rootless/pipelines-unprivileged-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pipelines-sa-userid-1000
diff --git a/.tekton/buildah-rootless/pipelines-unprivileged-scc.yaml b/.tekton/buildah-rootless/pipelines-unprivileged-scc.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: pipelines-scc-userid-1000
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: MustRunAs
+groups:
+  - system:cluster-admins
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - MKNOD
+  - KILL
+runAsUser:
+  type: MustRunAs
+  uid: 1000
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+  - pipelines-sa-userid-1000
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
diff --git a/.tekton/chains/tekton-chains-config.yaml b/.tekton/chains/tekton-chains-config.yaml
@@ -0,0 +1,17 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: chains-config
+  namespace: openshift-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-chains
+    operator.tekton.dev/operand-name: tektoncd-chains
+data:
+  artifacts.oci.repository: "image-registry.openshift-image-registry.svc:5000"
+  artifacts.oci.storage: "tekton,oci"
+  artifacts.pipelinerun.format: slsa/v1
+  artifacts.pipelinerun.storage: "tekton,oci"
+  artifacts.taskrun.format: slsa/v1
+  artifacts.taskrun.storage: "tekton,oci"
+  transparency.enabled: "true"
diff --git a/.tekton/pac/registry-credentials.example.yaml b/.tekton/pac/registry-credentials.example.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: registry-credentials
+  annotations:
+    tekton.dev/docker-0: quay.io
+    tekton.dev/docker-1: registry.redhat.io
+stringData:
+  config.json: |
+    {your-auth}
+type: kubernetes.io/dockerconfigjson
diff --git a/.tekton/tasks/ansible-builder-create.yaml b/.tekton/tasks/ansible-builder-create.yaml
@@ -0,0 +1,58 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: ansible-builder-create
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.37.4"
+    tekton.dev/displayName: ansible-builder
+    tekton.dev/categories: Build Tools
+    tekton.dev/tags: ansible, ansible-builder, build-tool, automation
+    tekton.dev/platforms: "linux/amd64"
+spec:
+  description: >-
+    Creates a build context (including a Containerfile) from an execution environment spec.
+    This build context is populated with dependencies including requirements files.
+  workspaces:
+    - name: source
+      description: The source workspace where the execution environment code is cloned.
+  params:
+    - description: Execution environment file definition.
+      name: FILENAME
+      type: string
+      default: execution-environment.yml
+    - description: Execution environment build context.
+      name: BUILD_CONTEXT
+      type: string
+      default: "."
+    - name: OUTPUT_FILENAME
+      description: Name of file to write image definition to. Either Dockerfile or Containerfile.
+      type: string
+      default: Containerfile
+    - description: ansible-builder output verbosity.
+      name: VERBOSITY
+      type: string
+      default: "2"
+    - name: BUILDER_IMAGE
+      description: The location of the ansible-builder image.
+      type: string
+      default: quay.io/ansible/ansible-builder:latest
+    - name: PATH
+      type: string
+      default: "."
+  steps:
+    - name: ansible-builder-create
+      workingDir: $(workspaces.source.path)/$(params.PATH)
+      image: $(params.BUILDER_IMAGE)
+      env:
+        - name: HOME
+          value: /tekton/home
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+      script: |
+        #!/bin/sh
+        set -eux -o
+
+        ansible-builder create -f "$(params.FILENAME)" -c "$(params.BUILD_CONTEXT)" --output-filename "$(params.OUTPUT_FILENAME)" -v "$(params.VERBOSITY)"
diff --git a/.tekton/tasks/ansible-ee-sanity-test.yaml b/.tekton/tasks/ansible-ee-sanity-test.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: ansible-ee-sanity-test
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.37.4"
+    tekton.dev/categories: Image Test
+    tekton.dev/tags: image-test
+spec:
+  description: A task for testing the built ansible execution environment.
+  params:
+    - name: IMAGE
+      type: string
+      description: The name of the image to be tested.
+    - name: TAG
+      type: string
+      description: Tag of the image tp be tested.
+    - name: CONTEXT
+      type: string
+      description: Path to the directory to use as context.
+      default: .
+    - name: EXTRA_ARGS
+      description: Extra parameters passed for the build command when building images.
+      default: ""
+  workspaces:
+    - name: source
+
+  steps:
+    - name: test-image
+      image: $(params.IMAGE):$(params.TAG)
+      workingDir: $(workspaces.source.path)
+      script: |
+        #!/usr/bin/env sh
+        cat /etc/os-release
+        cat /etc/hosts
+
+        pip3 list
+        rpm -qa
+        ansible-galaxy collection list
+
+        yamllint --version
+        ansible-lint --version
+        ansible-playbook --version