-
Notifications
You must be signed in to change notification settings - Fork 563
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
task: Add M2M support for rhacs-image-check #1261
Conversation
|
Hi @dhaus67. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Diff between version and 4.0diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet). It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**: Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry. This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
- --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
- --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
- tasks:
- - name: image-check
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- runAfter:
- - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: rhacs-image-check
- labels:
- app.kubernetes.io/version: "3.71"
- annotations:
- tekton.dev/tags: security
- tekton.dev/categories: Security
- tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
- tekton.dev/platforms: "linux/amd64"
- tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
- description: >-
- Policy check an image with Red Hat Advanced Cluster Security.
-
- This tasks allows you to check an image against build-time policies
- and apply enforcement to fail builds. It's a companion to the
- rhacs-image-scan task, which returns full vulnerability scan
- results for an image.
- params:
- - name: rox_central_endpoint
- type: string
- description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
- default: rox-central-endpoint
- - name: rox_api_token
- type: string
- description: Name of secret containing the RHACS StackRox API token with CI permissions.
- default: rox-api-token
- - name: rox_image
- description: Image providing the roxctl tool.
- default: quay.io/stackrox-io/roxctl:3.71.0
- - name: image
- type: string
- description: |
- Full name of image to check.
- Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
- default: '$(params.IMAGE)'
- - name: output_format
- description: Results output format (csv | json | junit | table)
- type: string
- default: "table"
- - name: insecure-skip-tls-verify
- type: string
- description: |
- Do not verify TLS certificates.
-
- When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
- default: "false"
- results:
- - name: check_output
- description: Output of `roxctl image check`
- steps:
- - name: rox-image-check
- image: $(params.rox_image)
- env:
- - name: HOME
- value: /tekton/home
- - name: IMAGE
- value: $(params.image)
- - name: INSECURE
- value: $(params.insecure-skip-tls-verify)
- - name: OUTPUT
- value: $(params.output_format)
- - name: ROX_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: $(params.rox_api_token)
- key: rox_api_token
- - name: ROX_CENTRAL_ENDPOINT
- valueFrom:
- secretKeyRef:
- name: $(params.rox_central_endpoint)
- key: rox_central_endpoint
- args:
- - image
- - check
- - --endpoint=$(ROX_CENTRAL_ENDPOINT)
- - --insecure-skip-tls-verify=$(INSECURE)
- - --output=$(OUTPUT)
- - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
- name: rox-pipeline
-spec:
-
- workspaces:
- - name: shared-workspace
-
- params:
- - name: deployment-name
- type: string
- description: name of the deployment resource to be patched
- - name: deployment
- type: string
- description: filename of the deployment to be patched
- - name: git-url
- type: string
- description: url of the git repo for the code of deployment
- - name: git-revision
- type: string
- description: revision to be used from repo of the code for deployment
- default: main
- - name: IMAGE
- type: string
- description: image to be build from the code
-
- tasks:
- # checkout source code
- - name: fetch-repository
- taskRef:
- name: git-clone
- kind: ClusterTask
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: $(params.git-url)
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: revision
- value: $(params.git-revision)
-
- # validate deployment against defined RHACS policies
- - name: police-deployment
- taskRef:
- name: rhacs-deployment-check
- kind: Task
- workspaces:
- - name: source
- workspace: shared-workspace
- params:
- - name: deployment
- value: $(params.deployment)
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - fetch-repository
-
- - name: build-image
- taskRef:
- name: buildah
- kind: ClusterTask
- params:
- - name: IMAGE
- value: $(params.IMAGE)
- workspaces:
- - name: source
- workspace: shared-workspace
- runAfter:
- - fetch-repository
-
- # scan image for vulns using RHACS
- - name: scan-image
- taskRef:
- name: rhacs-image-scan
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true" # stackrox to OCP image registry x509 fail...
- runAfter:
- - build-image
-
- # validate image against RHACS policies
- - name: police-image
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
- rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
- # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
- # This must include the port number
- rox_api_token: "{{ rox_api_token }}"
- # StackRox API token with CI permissions
- # Refer to below
- # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
- name: roxsecrets
- namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: rox-api-token
-data:
- rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
- rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
- name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: rox-pipelinerun
-spec:
- pipelineRef:
- name: rox-pipeline
- params:
- - name: deployment-name
- value: pipelines-vote-api
- - name: deployment
- value: k8s/deployment.yaml
- - name: git-url
- value: https://github.com/openshift/pipelines-vote-api.git
- - name: git-revision
- value: pipelines-1.7
- - name: IMAGE
- value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
- - name: insecure-skip-tls-verify
- value: "true"
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml |
/kind feature |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ok-to-test
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/verify-owners |
/assign vdemeester |
tekton.dev/categories: Security | ||
tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security" | ||
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,darwin/amd64,darwin/arm64,windows/amd64" | ||
tekton.dev/pipelines.minVersion: "0.43.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess tekton.dev/v1
was introduced in 0.50.0
can we set that version here? 😅
/test pull-catalog-catlin-lint |
@vinamra28: The specified target(s) for
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Diff between version and 4.0diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet). It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**: Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry. This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
- --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
- --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
- tasks:
- - name: image-check
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- runAfter:
- - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: rhacs-image-check
- labels:
- app.kubernetes.io/version: "3.71"
- annotations:
- tekton.dev/tags: security
- tekton.dev/categories: Security
- tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
- tekton.dev/platforms: "linux/amd64"
- tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
- description: >-
- Policy check an image with Red Hat Advanced Cluster Security.
-
- This tasks allows you to check an image against build-time policies
- and apply enforcement to fail builds. It's a companion to the
- rhacs-image-scan task, which returns full vulnerability scan
- results for an image.
- params:
- - name: rox_central_endpoint
- type: string
- description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
- default: rox-central-endpoint
- - name: rox_api_token
- type: string
- description: Name of secret containing the RHACS StackRox API token with CI permissions.
- default: rox-api-token
- - name: rox_image
- description: Image providing the roxctl tool.
- default: quay.io/stackrox-io/roxctl:3.71.0
- - name: image
- type: string
- description: |
- Full name of image to check.
- Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
- default: '$(params.IMAGE)'
- - name: output_format
- description: Results output format (csv | json | junit | table)
- type: string
- default: "table"
- - name: insecure-skip-tls-verify
- type: string
- description: |
- Do not verify TLS certificates.
-
- When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
- default: "false"
- results:
- - name: check_output
- description: Output of `roxctl image check`
- steps:
- - name: rox-image-check
- image: $(params.rox_image)
- env:
- - name: HOME
- value: /tekton/home
- - name: IMAGE
- value: $(params.image)
- - name: INSECURE
- value: $(params.insecure-skip-tls-verify)
- - name: OUTPUT
- value: $(params.output_format)
- - name: ROX_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: $(params.rox_api_token)
- key: rox_api_token
- - name: ROX_CENTRAL_ENDPOINT
- valueFrom:
- secretKeyRef:
- name: $(params.rox_central_endpoint)
- key: rox_central_endpoint
- args:
- - image
- - check
- - --endpoint=$(ROX_CENTRAL_ENDPOINT)
- - --insecure-skip-tls-verify=$(INSECURE)
- - --output=$(OUTPUT)
- - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
- name: rox-pipeline
-spec:
-
- workspaces:
- - name: shared-workspace
-
- params:
- - name: deployment-name
- type: string
- description: name of the deployment resource to be patched
- - name: deployment
- type: string
- description: filename of the deployment to be patched
- - name: git-url
- type: string
- description: url of the git repo for the code of deployment
- - name: git-revision
- type: string
- description: revision to be used from repo of the code for deployment
- default: main
- - name: IMAGE
- type: string
- description: image to be build from the code
-
- tasks:
- # checkout source code
- - name: fetch-repository
- taskRef:
- name: git-clone
- kind: ClusterTask
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: $(params.git-url)
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: revision
- value: $(params.git-revision)
-
- # validate deployment against defined RHACS policies
- - name: police-deployment
- taskRef:
- name: rhacs-deployment-check
- kind: Task
- workspaces:
- - name: source
- workspace: shared-workspace
- params:
- - name: deployment
- value: $(params.deployment)
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - fetch-repository
-
- - name: build-image
- taskRef:
- name: buildah
- kind: ClusterTask
- params:
- - name: IMAGE
- value: $(params.IMAGE)
- workspaces:
- - name: source
- workspace: shared-workspace
- runAfter:
- - fetch-repository
-
- # scan image for vulns using RHACS
- - name: scan-image
- taskRef:
- name: rhacs-image-scan
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true" # stackrox to OCP image registry x509 fail...
- runAfter:
- - build-image
-
- # validate image against RHACS policies
- - name: police-image
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
- rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
- # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
- # This must include the port number
- rox_api_token: "{{ rox_api_token }}"
- # StackRox API token with CI permissions
- # Refer to below
- # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
- name: roxsecrets
- namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: rox-api-token
-data:
- rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
- rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
- name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: rox-pipelinerun
-spec:
- pipelineRef:
- name: rox-pipeline
- params:
- - name: deployment-name
- value: pipelines-vote-api
- - name: deployment
- value: k8s/deployment.yaml
- - name: git-url
- value: https://github.com/openshift/pipelines-vote-api.git
- - name: git-revision
- value: pipelines-1.7
- - name: IMAGE
- value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
- - name: insecure-skip-tls-verify
- value: "true"
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml |
1 similar comment
Diff between version and 4.0diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet). It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**: Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry. This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
- --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
- --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
- tasks:
- - name: image-check
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- runAfter:
- - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: rhacs-image-check
- labels:
- app.kubernetes.io/version: "3.71"
- annotations:
- tekton.dev/tags: security
- tekton.dev/categories: Security
- tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
- tekton.dev/platforms: "linux/amd64"
- tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
- description: >-
- Policy check an image with Red Hat Advanced Cluster Security.
-
- This tasks allows you to check an image against build-time policies
- and apply enforcement to fail builds. It's a companion to the
- rhacs-image-scan task, which returns full vulnerability scan
- results for an image.
- params:
- - name: rox_central_endpoint
- type: string
- description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
- default: rox-central-endpoint
- - name: rox_api_token
- type: string
- description: Name of secret containing the RHACS StackRox API token with CI permissions.
- default: rox-api-token
- - name: rox_image
- description: Image providing the roxctl tool.
- default: quay.io/stackrox-io/roxctl:3.71.0
- - name: image
- type: string
- description: |
- Full name of image to check.
- Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
- default: '$(params.IMAGE)'
- - name: output_format
- description: Results output format (csv | json | junit | table)
- type: string
- default: "table"
- - name: insecure-skip-tls-verify
- type: string
- description: |
- Do not verify TLS certificates.
-
- When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
- default: "false"
- results:
- - name: check_output
- description: Output of `roxctl image check`
- steps:
- - name: rox-image-check
- image: $(params.rox_image)
- env:
- - name: HOME
- value: /tekton/home
- - name: IMAGE
- value: $(params.image)
- - name: INSECURE
- value: $(params.insecure-skip-tls-verify)
- - name: OUTPUT
- value: $(params.output_format)
- - name: ROX_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: $(params.rox_api_token)
- key: rox_api_token
- - name: ROX_CENTRAL_ENDPOINT
- valueFrom:
- secretKeyRef:
- name: $(params.rox_central_endpoint)
- key: rox_central_endpoint
- args:
- - image
- - check
- - --endpoint=$(ROX_CENTRAL_ENDPOINT)
- - --insecure-skip-tls-verify=$(INSECURE)
- - --output=$(OUTPUT)
- - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
- name: rox-pipeline
-spec:
-
- workspaces:
- - name: shared-workspace
-
- params:
- - name: deployment-name
- type: string
- description: name of the deployment resource to be patched
- - name: deployment
- type: string
- description: filename of the deployment to be patched
- - name: git-url
- type: string
- description: url of the git repo for the code of deployment
- - name: git-revision
- type: string
- description: revision to be used from repo of the code for deployment
- default: main
- - name: IMAGE
- type: string
- description: image to be build from the code
-
- tasks:
- # checkout source code
- - name: fetch-repository
- taskRef:
- name: git-clone
- kind: ClusterTask
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: $(params.git-url)
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: revision
- value: $(params.git-revision)
-
- # validate deployment against defined RHACS policies
- - name: police-deployment
- taskRef:
- name: rhacs-deployment-check
- kind: Task
- workspaces:
- - name: source
- workspace: shared-workspace
- params:
- - name: deployment
- value: $(params.deployment)
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - fetch-repository
-
- - name: build-image
- taskRef:
- name: buildah
- kind: ClusterTask
- params:
- - name: IMAGE
- value: $(params.IMAGE)
- workspaces:
- - name: source
- workspace: shared-workspace
- runAfter:
- - fetch-repository
-
- # scan image for vulns using RHACS
- - name: scan-image
- taskRef:
- name: rhacs-image-scan
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true" # stackrox to OCP image registry x509 fail...
- runAfter:
- - build-image
-
- # validate image against RHACS policies
- - name: police-image
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
- rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
- # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
- # This must include the port number
- rox_api_token: "{{ rox_api_token }}"
- # StackRox API token with CI permissions
- # Refer to below
- # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
- name: roxsecrets
- namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: rox-api-token
-data:
- rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
- rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
- name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: rox-pipelinerun
-spec:
- pipelineRef:
- name: rox-pipeline
- params:
- - name: deployment-name
- value: pipelines-vote-api
- - name: deployment
- value: k8s/deployment.yaml
- - name: git-url
- value: https://github.com/openshift/pipelines-vote-api.git
- - name: git-revision
- value: pipelines-1.7
- - name: IMAGE
- value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
- - name: insecure-skip-tls-verify
- value: "true"
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml |
Catlin Output
Catlin script lint Output
|
can you please squash the commits? will merge post that |
7ba2ecc
to
8202c59
Compare
Diff between version and 4.0diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet). It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**: Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry. This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
- --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
- --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
- tasks:
- - name: image-check
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- runAfter:
- - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: rhacs-image-check
- labels:
- app.kubernetes.io/version: "3.71"
- annotations:
- tekton.dev/tags: security
- tekton.dev/categories: Security
- tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
- tekton.dev/platforms: "linux/amd64"
- tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
- description: >-
- Policy check an image with Red Hat Advanced Cluster Security.
-
- This tasks allows you to check an image against build-time policies
- and apply enforcement to fail builds. It's a companion to the
- rhacs-image-scan task, which returns full vulnerability scan
- results for an image.
- params:
- - name: rox_central_endpoint
- type: string
- description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
- default: rox-central-endpoint
- - name: rox_api_token
- type: string
- description: Name of secret containing the RHACS StackRox API token with CI permissions.
- default: rox-api-token
- - name: rox_image
- description: Image providing the roxctl tool.
- default: quay.io/stackrox-io/roxctl:3.71.0
- - name: image
- type: string
- description: |
- Full name of image to check.
- Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
- default: '$(params.IMAGE)'
- - name: output_format
- description: Results output format (csv | json | junit | table)
- type: string
- default: "table"
- - name: insecure-skip-tls-verify
- type: string
- description: |
- Do not verify TLS certificates.
-
- When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
- default: "false"
- results:
- - name: check_output
- description: Output of `roxctl image check`
- steps:
- - name: rox-image-check
- image: $(params.rox_image)
- env:
- - name: HOME
- value: /tekton/home
- - name: IMAGE
- value: $(params.image)
- - name: INSECURE
- value: $(params.insecure-skip-tls-verify)
- - name: OUTPUT
- value: $(params.output_format)
- - name: ROX_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: $(params.rox_api_token)
- key: rox_api_token
- - name: ROX_CENTRAL_ENDPOINT
- valueFrom:
- secretKeyRef:
- name: $(params.rox_central_endpoint)
- key: rox_central_endpoint
- args:
- - image
- - check
- - --endpoint=$(ROX_CENTRAL_ENDPOINT)
- - --insecure-skip-tls-verify=$(INSECURE)
- - --output=$(OUTPUT)
- - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
- name: rox-pipeline
-spec:
-
- workspaces:
- - name: shared-workspace
-
- params:
- - name: deployment-name
- type: string
- description: name of the deployment resource to be patched
- - name: deployment
- type: string
- description: filename of the deployment to be patched
- - name: git-url
- type: string
- description: url of the git repo for the code of deployment
- - name: git-revision
- type: string
- description: revision to be used from repo of the code for deployment
- default: main
- - name: IMAGE
- type: string
- description: image to be build from the code
-
- tasks:
- # checkout source code
- - name: fetch-repository
- taskRef:
- name: git-clone
- kind: ClusterTask
- workspaces:
- - name: output
- workspace: shared-workspace
- params:
- - name: url
- value: $(params.git-url)
- - name: subdirectory
- value: ""
- - name: deleteExisting
- value: "true"
- - name: revision
- value: $(params.git-revision)
-
- # validate deployment against defined RHACS policies
- - name: police-deployment
- taskRef:
- name: rhacs-deployment-check
- kind: Task
- workspaces:
- - name: source
- workspace: shared-workspace
- params:
- - name: deployment
- value: $(params.deployment)
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - fetch-repository
-
- - name: build-image
- taskRef:
- name: buildah
- kind: ClusterTask
- params:
- - name: IMAGE
- value: $(params.IMAGE)
- workspaces:
- - name: source
- workspace: shared-workspace
- runAfter:
- - fetch-repository
-
- # scan image for vulns using RHACS
- - name: scan-image
- taskRef:
- name: rhacs-image-scan
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true" # stackrox to OCP image registry x509 fail...
- runAfter:
- - build-image
-
- # validate image against RHACS policies
- - name: police-image
- taskRef:
- name: rhacs-image-check
- kind: Task
- params:
- - name: image
- value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
- - name: insecure-skip-tls-verify
- value: "true"
- runAfter:
- - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
- rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
- # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
- # This must include the port number
- rox_api_token: "{{ rox_api_token }}"
- # StackRox API token with CI permissions
- # Refer to below
- # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
- name: roxsecrets
- namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: rox-api-token
-data:
- rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
- rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
- name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
- name: rox-pipelinerun
-spec:
- pipelineRef:
- name: rox-pipeline
- params:
- - name: deployment-name
- value: pipelines-vote-api
- - name: deployment
- value: k8s/deployment.yaml
- - name: git-url
- value: https://github.com/openshift/pipelines-vote-api.git
- - name: git-revision
- value: pipelines-1.7
- - name: IMAGE
- value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
- - name: insecure-skip-tls-verify
- value: "true"
- workspaces:
- - name: shared-workspace
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml |
/lgtm |
Changes
Add a new version of the
rhacs-image-check
task that can be configured either with authorization using API tokens (similar configuration to 3.71 version of the task), or with authorization using short-lived tokens received from the new rhacs-m2m-authenticate task.Both configuration variants have a sample with the expected Secret, Pipeline and PipelineRun objects.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
contains
/kind <type>
. Valid types are bug, cleanup, design, documentation,feature, flake, misc, question, tep
File path follows
<kind>/<name>/<version>/name.yaml
Has
README.md
at<kind>/<name>/<version>/README.md
Has mandatory
metadata.labels
-app.kubernetes.io/version
the same as the<version>
of the resourceHas mandatory
metadata.annotations
tekton.dev/pipelines.minVersion
mandatory
spec.description
follows the conventionSee the contribution guide for more details.