diff --git a/.github/workflows/build_util.yml b/.github/workflows/build_util.yml index 5daa3ce..3c5d51b 100644 --- a/.github/workflows/build_util.yml +++ b/.github/workflows/build_util.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.33.1 + uses: aquasecurity/trivy-action@0.34.0 with: format: "sarif" output: "trivy-results.sarif" diff --git a/tekton/pipeline.yaml b/tekton/pipeline.yaml new file mode 100644 index 0000000..bd110d1 --- /dev/null +++ b/tekton/pipeline.yaml @@ -0,0 +1,49 @@ +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: p-git-collin-test +spec: + description: | + prints the README.md from the selected repo & branch + params: + - name: repo-url + type: string + description: The git repository URL to clone from. + - name: branch-name + type: string + description: The git branch to clone. + workspaces: + - name: shared-data + description: | + This workspace will receive the cloned git repo and be passed + to the next Task for the repo's README.md file to be read. + - name: ssh-creds + description: | + This workspace will provide ssh credentials to the git-clone task. + tasks: + - name: fetch-repo + taskRef: + name: git-clone + workspaces: + - name: output + workspace: shared-data + - name: ssh-directory + workspace: ssh-creds + params: + - name: url + value: $(params.repo-url) + - name: revision + value: $(params.branch-name) +# - name: cat-readme +# runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme. +# workspaces: +# - name: source +# workspace: shared-data +# taskSpec: +# workspaces: +# - name: source +# steps: +# - image: zshusers/zsh:4.3.15 +# script: | +# #!/usr/bin/env zsh +# cat $(workspaces.source.path)/README.md diff --git a/tekton/run.yaml b/tekton/run.yaml new file mode 100644 index 0000000..6f7d134 --- /dev/null +++ b/tekton/run.yaml 
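Review bot: The `description` of the new `p-git-collin-test` pipeline still says it "prints the README.md from the selected repo & branch", but the `cat-readme` task that did the printing is entirely commented out, so the pipeline only clones into `shared-data` and the description is now wrong. Either change it to `clones the selected repo & branch into the shared-data workspace` or restore the task; keeping 13 lines of commented YAML at the end of `tasks:` is the worst of both, since the `shared-data` workspace is still declared as being "passed to the next Task" that no longer exists. If the block is meant to come back, the `zshusers/zsh:4.3.15` step image is pinned by tag only; pin it by digest when it is reinstated.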
@@ -0,0 +1,35 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + generateName: git-clone-checking-out-a-branch- +spec: +# podTemplate: +# affinity: +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchExpressions: +# - key: "tekton.dev/pipelineRun" +# operator: In +# values: +# - git-clone-checking-out-a-branch +# topologyKey: kubernetes.io/hostname + pipelineRef: + name: p-git-collin-test + workspaces: + - name: shared-data + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + - name: ssh-creds + secret: + secretName: tkn-ssh-credentials + params: + - name: repo-url + value: git@github.com:gregnrobinson/envoytun.git + - name: branch-name + value: main \ No newline at end of file diff --git a/tekton/pipeline-build-deploy.yaml b/tekton/task.yaml similarity index 77% rename from tekton/pipeline-build-deploy.yaml rename to tekton/task.yaml index 92689ad..6637ff8 100644 --- a/tekton/pipeline-build-deploy.yaml +++ b/tekton/task.yaml 
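Review bot: The commented-out `podTemplate` anti-affinity matches label `tekton.dev/pipelineRun` against the literal `git-clone-checking-out-a-branch`, but metadata now uses `generateName: git-clone-checking-out-a-branch-`, so every run name carries a random suffix and that selector could never match if the block is reinstated. Either delete the dead block or leave a one-line comment such as `# NOTE: label value must be updated if podTemplate is restored; runs are created with generateName`. Switching from `name` to `generateName` also presumably means this manifest has to be submitted with `kubectl create` rather than `apply`; worth a comment at the top of the file. The file is also missing its trailing newline (`\ No newline at end of file`).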
@@ -1,90 +1,4 @@ apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: cat-branch-readme -spec: - description: | - prints the README.md from the selected repo & branch - params: - - name: repo-url - type: string - description: The git repository URL to clone from. - - name: branch-name - type: string - description: The git branch to clone. - workspaces: - - name: shared-data - description: | - This workspace will receive the cloned git repo and be passed - to the next Task for the repo's README.md file to be read. - - name: ssh-creds - description: | - This workspace will provide ssh credentials to the git-clone task. - tasks: - - name: fetch-repo - taskRef: - name: git-clone - workspaces: - - name: output - workspace: shared-data - - name: ssh-directory - workspace: ssh-creds - params: - - name: url - value: $(params.repo-url) - - name: revision - value: $(params.branch-name) - - name: cat-readme - runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme. 
- workspaces: - - name: source - workspace: shared-data - taskSpec: - workspaces: - - name: source - steps: - - image: zshusers/zsh:4.3.15 - script: | - #!/usr/bin/env zsh - cat $(workspaces.source.path)/README.md ---- -apiVersion: tekton.dev/v1beta1 -kind: PipelineRun -metadata: - name: git-clone-checking-out-a-branch -spec: - podTemplate: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: "tekton.dev/pipelineRun" - operator: In - values: - - git-clone-checking-out-a-branch - topologyKey: kubernetes.io/hostname - pipelineRef: - name: cat-branch-readme - workspaces: - - name: shared-data - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - name: ssh-creds - secret: - secretName: github-cmf-microservices - params: - - name: repo-url - value: git@github.com:my-private/private-repository.git - - name: branch-name - value: oc-dev ---- -apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: git-clone @@ -255,8 +169,8 @@ spec: chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* # the stock git-clone V0.4 doesn't seem to leverage the ssh-privatekey unless it's added to a keychain. # This has worked for me. It needs to be verified and once it has should be PRd upstream. - eval `ssh-agent -s` - ssh-add ${PARAM_USER_HOME}/.ssh/ssh-privatekey + #eval `ssh-agent -s` + #ssh-add ${PARAM_USER_HOME}/.ssh/ssh-privatekey fi CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" diff --git a/utility-pod/Dockerfile b/utility-pod/Dockerfile index d962e14..2ba2933 100644 --- a/utility-pod/Dockerfile +++ b/utility-pod/Dockerfile 
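Review bot: The comment immediately above the changed lines still says the ssh-agent workaround "has worked for me" and "should be PRd upstream", but the two lines it describes (`eval \`ssh-agent -s\`` and `ssh-add ...`) are now commented out, so the comment describes code that no longer runs. Either delete all four lines or replace the comment with the reason, e.g. `# ssh-agent workaround removed; verify git reads .ssh/ssh-privatekey directly without it`. If the clone previously authenticated only through the agent, this change will surface as an SSH auth failure at clone time rather than at build time, so a test run against the private repo is the check to record in the commit. The enclosing `if` block and the rest of the `script:` continue outside the hunk.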
@@ -2,14 +2,14 @@ FROM public.ecr.aws/ubuntu/ubuntu:24.04_stable SHELL ["/bin/bash", "-c"] -RUN apt-get -y update && \ - apt-get -y upgrade - ARG DEBIAN_FRONTEND=noninteractive ARG TARGETPLATFORM -ARG GH_VERSION="2.82.1" +ARG GH_VERSION="2.89.0" +ARG MONGODB_VERSION="8.2" -RUN apt-get -y install \ +RUN apt-get -y update && \ + apt-get -y upgrade && \ + apt-get -y install \ build-essential \ curl \ dnsutils \ @@ -33,13 +33,14 @@ RUN apt-get -y install \ unzip \ vim \ wget \ - yq + yq && \ + rm -rf /var/lib/apt/lists/* RUN pip3 install --no-cache-dir --break-system-packages patroni[etcd] psycopg[binary] -RUN curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg --dearmor -RUN echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/8.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-8.0.list -RUN apt-get -y update && \ +RUN curl -fsSL https://pgp.mongodb.com/server-8.0.asc | gpg -o /usr/share/keyrings/mongodb-server-${MONGODB_VERSION}.gpg --dearmor && \ + echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-${MONGODB_VERSION}.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/${MONGODB_VERSION} multiverse" | tee /etc/apt/sources.list.d/mongodb-org-${MONGODB_VERSION}.list && \ + apt-get -y update && \ apt-get -y install \ mongodb-mongosh && \ rm -rf /var/lib/apt/lists/*
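Review bot: In the second hunk the signing key is still fetched from `https://pgp.mongodb.com/server-8.0.asc` while the keyring path and the apt source line use `${MONGODB_VERSION}` (8.2), so the `signed-by` keyring is named for 8.2 but holds the 8.0 key; if MongoDB signs the 8.2 repository with a per-series key, `apt-get update` fails with a signature error, and if it does not, the file names are still misleading. Use `RUN curl -fsSL https://pgp.mongodb.com/server-${MONGODB_VERSION}.asc | gpg -o /usr/share/keyrings/mongodb-server-${MONGODB_VERSION}.gpg --dearmor && \`. Separately, the `curl | gpg` and `echo | tee` pipes in that RUN execute under the `SHELL ["/bin/bash", "-c"]` shown as context in the first hunk, which has no `-o pipefail`, so a failed download leaves an empty keyring and the error only surfaces later at `apt-get update`; `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` makes the build fail at the download instead.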