Merged
150 changes: 150 additions & 0 deletions .tekton/README.md
@@ -0,0 +1,150 @@
# Tekton Pipeline Configurations

This directory contains Tekton pipeline configurations for Konflux CI/CD integration.

## Directory Structure

```
.tekton/
├── README.md # This file
├── automotive-dev-operator-pull-request.yaml # PR pipeline for operator
├── automotive-dev-operator-push.yaml # Push pipeline for operator (multi-arch)
├── aib-webui-pull-request.yaml # PR pipeline for WebUI
├── aib-webui-push.yaml # Push pipeline for WebUI (multi-arch)
├── bundle-pull-request.yaml # PR pipeline for OLM bundle
├── bundle-push.yaml # Push pipeline for OLM bundle
├── catalog-pull-request.yaml # PR pipeline for catalog
├── catalog-push.yaml # Push pipeline for catalog
├── release-pipeline.yaml # Release pipeline for all environments
├── update-csv-workflow.yaml # Workflow to update CSV with digests
├── tasks/
│ └── update-csv-digests.yaml # Task for updating CSV
└── integration-tests/
├── operator-deployment-test-pipeline.yaml # Operator deployment test
├── imagebuild-test-pipeline.yaml # ImageBuild CR test
└── webui-test-pipeline.yaml # WebUI accessibility test
```

## Pipeline Types

### Pull Request Pipelines

Triggered on pull requests to the main branch. These pipelines:
- Build container images for PR validation
- Run security scans (Clair, Snyk)
- Check for deprecated base images
- Validate bundle/catalog manifests
- Post results back to GitHub PR

Path filters ensure pipelines only run when relevant files change.

### Push Pipelines

Triggered on pushes to the main branch. These pipelines:
- Build multi-architecture images (amd64, arm64)
- Create image manifests combining architectures
- Run comprehensive security scans
- Generate SBOMs
- Sign images with Cosign
- Tag images with commit SHA and 'latest'

### Integration Test Pipelines

Run as part of the build process to validate:
- Operator deployment and health
- Custom resource functionality
- WebUI accessibility
- Multi-component integration

### Release Pipeline

Orchestrates releases to different environments:
- Verifies Enterprise Contract policies
- Pushes images with version tags
- Generates install manifests
- Creates GitHub releases (for production)
- Sends notifications

## Key Features

### Hermetic Builds

All builds use hermetic mode (`HERMETIC=true`) to:
- Isolate from host system changes
- Enable dependency prefetching
- Generate accurate SBOMs
- Ensure reproducibility

### Multi-Architecture Support

Push pipelines build for both:
- linux/amd64
- linux/arm64

Images are combined into multi-arch manifests for flexible deployment.

### Path Filters

Pipelines use CEL expressions to trigger only on relevant changes:

- **Operator**: `api/`, `internal/`, `cmd/`, `Dockerfile`, `go.mod`, `go.sum`
- **WebUI**: `webui/**`
- **Bundle**: `bundle/**`, `config/**`
- **Catalog**: `catalog/**`

### Security Scanning

All images undergo:
- Clair vulnerability scanning
- Snyk code analysis
- Deprecated base image checks
- SBOM validation

### Image Signing

Production images are signed with Cosign using:
- Keyless signing with OIDC
- Transparency log integration (Rekor)
- SLSA provenance attestation

## Task References

Pipelines use tasks from the Konflux task catalog:
- `git-clone`: Clone repository
- `buildah`: Build container images
- `build-image-manifest`: Create multi-arch manifests
- `clair-scan`: Vulnerability scanning
- `snyk-check`: Code security analysis
- `generate-sbom`: SBOM generation
- `cosign-sign`: Image signing
- `operator-sdk-bundle-validate`: OLM bundle validation
- `opm-validate`: Catalog validation

## Customization

To customize pipelines:

1. Edit the relevant YAML file
2. Test locally with `tkn pipeline start`
3. Commit changes to trigger updated pipelines

## Troubleshooting

View pipeline runs:
```sh
tkn pipelinerun list
tkn pipelinerun logs <pipelinerun-name> -f
```

View task logs:
```sh
tkn taskrun list
tkn taskrun logs <taskrun-name>
```

## Resources

- [Konflux Documentation](https://konflux-ci.dev/docs/)
- [Tekton Documentation](https://tekton.dev/docs/)
- [Pipelines as Code](https://pipelinesascode.com/)

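Review bot: the "Task References" and "Security Scanning" sections do not match the pipeline added in this same change: the README lists `snyk-check`, `generate-sbom`, `cosign-sign` and `build-image-manifest` and says all images undergo Snyk analysis and SBOM validation, while `.tekton/aib-webui-pull-request.yaml` runs only `git-clone`, `buildah`, `clair-scan` and `deprecated-image-check`. Either state that Snyk, SBOM generation and signing happen only in the push and release pipelines, or document the exact catalog bundles the pipelines use (e.g. `quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1`) so a reader can verify what actually scans an image. The "Path Filters" entry for WebUI (`webui/**`) also omits that the pipeline's CEL expression matches `.tekton/aib-webui-*.yaml` as well, which is worth noting since a change to the pipeline definition itself triggers a run.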
140 changes: 140 additions & 0 deletions .tekton/aib-webui-pull-request.yaml
@@ -0,0 +1,140 @@
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
name: aib-webui-on-pull-request
annotations:
pipelinesascode.tekton.dev/on-event: "[pull_request]"
pipelinesascode.tekton.dev/on-target-branch: "[main]"
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: |
event == "pull_request" && (
files.all.exists(f, f.matches("^webui/.*")) ||
files.all.exists(f, f.matches("^\\.tekton/aib-webui-.*\\.yaml$"))
)
spec:
params:
- name: git-url
value: "{{repo_url}}"
- name: revision
value: "{{revision}}"
- name: output-image
value: "quay.io/rh-sdv-cloud/aib-webui:pr-{{pull_request_number}}-{{revision_short}}"
- name: dockerfile
value: webui/Dockerfile
- name: path-context
value: webui
pipelineSpec:
params:
- name: git-url
- name: revision
- name: output-image
- name: dockerfile
- name: path-context
results:
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)
tasks:
- name: clone-repository
taskRef:
resolver: bundles
params:
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1
- name: name
value: git-clone
- name: kind
value: task
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.revision)
workspaces:
- name: output
workspace: workspace
- name: basic-auth
workspace: git-auth

- name: build-container
runAfter:
- clone-repository
taskRef:
resolver: bundles
params:
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2
- name: name
value: buildah
- name: kind
value: task
params:
- name: IMAGE
value: $(params.output-image)
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: "true"
- name: PREFETCH_INPUT
value: "npm"
workspaces:
- name: source
workspace: workspace

- name: scan-clair
runAfter:
- build-container
taskRef:
resolver: bundles
params:
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1
- name: name
value: clair-scan
- name: kind
value: task
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)

- name: deprecated-image-check
runAfter:
- build-container
taskRef:
resolver: bundles
params:
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.1
- name: name
value: deprecated-image-check
- name: kind
value: task
params:
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)

workspaces:
- name: workspace
- name: git-auth
optional: true

workspaces:
- name: workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: git-auth
secret:
secretName: "{{ git_auth_secret }}"

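Review bot: the task bundles under `taskRef.resolver: bundles` are referenced by mutable tag only (`task-git-clone:0.1`, `task-buildah:0.2`, `task-clair-scan:0.1`, `task-deprecated-image-check:0.1`), so the task definitions this pipeline executes can change without any change to this repository; for a pipeline whose README promises hermetic, reproducible builds, pin each bundle by digest (for example `quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:<digest>`) and have a bot bump the pins. Second, `build-container` sets `HERMETIC: "true"` and `PREFETCH_INPUT: "npm"`, but no prefetch task runs between `clone-repository` and `build-container`, so nothing populates the prefetched npm dependencies a hermetic build would need; add the prefetch step before `build-container` or confirm the WebUI build has no network dependencies. Finally, PR images are pushed to the same `quay.io/rh-sdv-cloud/aib-webui` repository as release images with no expiry, so `pr-*` tags accumulate; the Konflux buildah task's `IMAGE_EXPIRES_AFTER` parameter lets them age out.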