
Commit 30433b1

committed
Implement vulnerability scanner and H100 cluster deployment
1 parent 1abf660 commit 30433b1


2 files changed

+142
-40
lines changed


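--- a/.tekton/pipelinerun.yaml
+++ b/.tekton/pipelinerun.yaml
@@ -67,7 +67,27 @@ spec:
 name: read-cluster-name
 runAfter:
 - fix-permissions
-
+
+# - name: debug-user
+# taskSpec:
+# workspaces:
+# - name: source
+# workspace: source
+# steps:
+# - name: show-user-info
+# image: busybox
+# script: |
+# #!/bin/sh
+# echo "Current UID:"
+# id -u
+# echo "Current GID:"
+# id -g
+# echo "Permissions on /workspace/source:"
+# ls -ld /workspace/source
+# workspaces:
+# - name: source
+# workspace: source
+
 - name: which-branch
 taskRef:
 name: print-branch-task
@@ -276,7 +296,7 @@ spec:
 runAfter:
 - extract-version-and-registry
 workspaces:
-- name: registry
+- name: registry-secret
 workspace: registry-secret
 
 - name: buildah-build
@@ -332,68 +352,97 @@ spec:
 - name: output
 workspace: output
 
-- name: sync-after-promote-or-build
+- name: tag-version-after-promotion
 when:
+- input: "$(params.source_branch)"
+operator: in
+values: ["main"]
 - input: "$(tasks.read-cluster-name.results.cluster-name)"
 operator: in
 values: ["cluster-platform-eval"]
+taskRef:
+name: tag-version-task
+params:
+- name: source-branch
+value: "$(params.source_branch)"
+- name: prod-version
+value: "$(tasks.extract-version-and-registry.results.prod-version)"
+- name: dev-version
+value: "$(tasks.extract-version-and-registry.results.dev-version)"
 runAfter:
 - promote-to-prod
-- vulnerability-scan
-taskRef:
-name: noop-task
+workspaces:
+- name: source
+workspace: source
+- name: git-auth
+workspace: git-auth
 
-# - name: update-submodule
-# when:
-# - input: "$(params.source_branch)"
-# operator: in
-# values: ["main"]
-# taskRef:
-# name: update-submodule-task
-# runAfter:
-# - promote-to-prod
-# workspaces:
-# - name: source
-# workspace: source
-# - name: git-auth
-# workspace: git-auth
+- name: tag-version-after-scan
+when:
+- input: "$(params.source_branch)"
+operator: in
+values: ["dev"]
+- input: "$(tasks.read-cluster-name.results.cluster-name)"
+operator: in
+values: ["cluster-platform-eval"]
+taskRef:
+name: tag-version-task
+params:
+- name: source-branch
+value: "$(params.source_branch)"
+- name: prod-version
+value: "$(tasks.extract-version-and-registry.results.prod-version)"
+- name: dev-version
+value: "$(tasks.extract-version-and-registry.results.dev-version)"
+runAfter:
+- vulnerability-scan
+workspaces:
+- name: source
+workspace: source
+- name: git-auth
+workspace: git-auth
 
-- name: tag-version
+- name: openshift-redeploy-after-promotion
 when:
 - input: "$(params.runOptional)"
 operator: in
 values: ["true"]
 - input: "$(params.source_branch)"
 operator: in
-values: ["main", "dev"]
+values: ["main"]
 - input: "$(tasks.read-cluster-name.results.cluster-name)"
 operator: in
 values: ["cluster-platform-eval"]
 taskRef:
-name: tag-version-task
+name: openshift-redeploy-task
 params:
 - name: source-branch
 value: "$(params.source_branch)"
 - name: prod-version
 value: "$(tasks.extract-version-and-registry.results.prod-version)"
 - name: dev-version
 value: "$(tasks.extract-version-and-registry.results.dev-version)"
+- name: prod_image_tag_base
+value: "$(tasks.extract-version-and-registry.results.prod-image-tag-base)"
+- name: dev_image_tag_base
+value: "$(tasks.extract-version-and-registry.results.dev-image-tag-base)"
 runAfter:
-- sync-after-promote-or-build
+- tag-version-after-promotion
 workspaces:
 - name: source
 workspace: source
-- name: git-auth
-workspace: git-auth
 
-- name: openshift-redeploy
+- name: openshift-redeploy-after-scan
 when:
 - input: "$(params.runOptional)"
 operator: in
 values: ["true"]
 - input: "$(params.source_branch)"
 operator: in
-values: ["dev", "main"]
+values: ["dev"]
+- input: "$(tasks.read-cluster-name.results.cluster-name)"
+operator: in
+values: ["cluster-platform-eval"]
 taskRef:
 name: openshift-redeploy-task
 params:
@@ -408,19 +457,22 @@ spec:
 - name: dev_image_tag_base
 value: "$(tasks.extract-version-and-registry.results.dev-image-tag-base)"
 runAfter:
-- tag-version
+- tag-version-after-scan
 workspaces:
 - name: source
 workspace: source
 
-- name: go-test-post-deploy
+- name: go-test-post-deploy-after-promotion
 when:
 - input: "$(params.runOptional)"
 operator: in
 values: ["true"]
 - input: "$(params.source_branch)"
 operator: in
-values: ["dev", "main"]
+values: ["main"]
+- input: "$(tasks.read-cluster-name.results.cluster-name)"
+operator: in
+values: ["cluster-platform-eval"]
 taskRef:
 name: go-test-post-deploy-task
 params:
@@ -435,19 +487,49 @@ spec:
 - name: dev_image_tag_base
 value: "$(tasks.extract-version-and-registry.results.dev-image-tag-base)"
 runAfter:
-- openshift-redeploy
+- openshift-redeploy-after-promotion
 workspaces:
 - name: source
 workspace: source
 
-- name: benchmark
+- name: go-test-post-deploy-after-scan
 when:
+- input: "$(params.runOptional)"
+operator: in
+values: ["true"]
 - input: "$(params.source_branch)"
 operator: in
 values: ["dev"]
 - input: "$(tasks.read-cluster-name.results.cluster-name)"
 operator: in
 values: ["cluster-platform-eval"]
+taskRef:
+name: go-test-post-deploy-task
+params:
+- name: source-branch
+value: "$(params.source_branch)"
+- name: prod-version
+value: "$(tasks.extract-version-and-registry.results.prod-version)"
+- name: dev-version
+value: "$(tasks.extract-version-and-registry.results.dev-version)"
+- name: prod_image_tag_base
+value: "$(tasks.extract-version-and-registry.results.prod-image-tag-base)"
+- name: dev_image_tag_base
+value: "$(tasks.extract-version-and-registry.results.dev-image-tag-base)"
+runAfter:
+- openshift-redeploy-after-scan
+workspaces:
+- name: source
+workspace: source
+
+- name: benchmark-after-promotion
+when:
+- input: "$(params.source_branch)"
+operator: in
+values: ["main"]
+- input: "$(tasks.read-cluster-name.results.cluster-name)"
+operator: in
+values: ["cluster-platform-eval"]
 continueOn:
 errors: true
 params:
@@ -458,9 +540,29 @@ spec:
 taskRef:
 name: benchmark-task
 runAfter:
-- go-test-post-deploy
+- go-test-post-deploy-after-promotion
 
-- name: increment-versions
+- name: benchmark-after-scan
+when:
+- input: "$(params.source_branch)"
+operator: in
+values: ["dev"]
+- input: "$(tasks.read-cluster-name.results.cluster-name)"
+operator: in
+values: ["cluster-platform-eval"]
+continueOn:
+errors: true
+params:
+- name: openshift_host
+value: "https://api.fmaas-platform-eval.fmaas.res.ibm.com:6443"
+- name: openshift_namespace
+value: "hc4ai-operator-dev"
+taskRef:
+name: benchmark-task
+runAfter:
+- go-test-post-deploy-after-scan
+
+- name: increment-versions-after-promotion
 when:
 - input: "$(params.source_branch)"
 operator: in
@@ -476,7 +578,7 @@ spec:
 taskRef:
 name: increment-versions-task
 runAfter:
-- openshift-redeploy
+- benchmark-after-promotion
 workspaces:
 - name: source
 workspace: source
@@ -489,7 +591,7 @@ spec:
 operator: in
 values: ["main"]
 runAfter:
-- increment-versions
+- increment-versions-after-promotion
 taskRef:
 name: noop-task
 
@@ -499,7 +601,7 @@ spec:
 operator: in
 values: ["dev"]
 runAfter:
-- benchmark
+- benchmark-after-scan
 taskRef:
 name: noop-task
 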
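--- a/.tekton/promote-to-prod.yaml
+++ b/.tekton/promote-to-prod.yaml
@@ -13,13 +13,13 @@ spec:
 - name: dev_image_tag_base
 description: "Development image tag base"
 workspaces:
-- name: registry
+- name: registry-secret
 description: "Registry secret workspace (must include .dockerconfigjson)"
 steps:
 - name: promote
 image: quay.io/skopeo/stable:latest
 imagePullPolicy: IfNotPresent
-workingDir: /workspace/registry
+workingDir: /workspace/registry-secret
 script: |
 #!/bin/sh
 set -e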
