forked from konflux-ci/build-definitions
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
coverity-availability-check: remove workspace
It was required but not used for anything. Also the parameters set in the build template were not used by the coverity-availability-check task. Related: konflux-ci#1653
- Loading branch information
Showing
3 changed files
with
115 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # coverity-availability-check task | ||
|
|
||
| ## Description: | ||
|
|
||
| This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. | ||
|
|
||
| The characteristics of these tasks are: | ||
|
|
||
| - It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled. | ||
| - It will check for a secret called "cov-license" where the Coverity license is stored. | ||
|
|
||
| > NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license. | ||
| ## Params: | ||
|
|
||
| | name | description | default value | required | | ||
| |-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------| | ||
| | AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | yes | | ||
| | COV_LICENSE | Name of secret which contains the Coverity license | cov-license | yes | | ||
|
|
||
| ## Results: | ||
|
|
||
| | name | description | | ||
| |-------------|-----------------------------------------------------------------------------------| | ||
| | STATUS | Tekton task simple status to be later checked by the sast-coverity-check task | | ||
| | TEST_OUTPUT | Tekton task test output. | |
88 changes: 88 additions & 0 deletions
88
task/coverity-availability-check/0.2/coverity-availability-check.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| apiVersion: tekton.dev/v1 | ||
| kind: Task | ||
| metadata: | ||
| labels: | ||
| app.kubernetes.io/version: "0.1" | ||
| annotations: | ||
| tekton.dev/pipelines.minVersion: "0.12.1" | ||
| tekton.dev/tags: "konflux" | ||
| name: coverity-availability-check | ||
| spec: | ||
| description: >- | ||
| This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. | ||
| results: | ||
| - description: Tekton task result output. | ||
| name: TEST_OUTPUT | ||
| - description: Tekton task simple status to be later checked | ||
| name: STATUS | ||
| params: | ||
| - name: COV_LICENSE | ||
| description: Name of secret which contains the Coverity license | ||
| default: cov-license | ||
| - name: AUTH_TOKEN_COVERITY_IMAGE | ||
| description: Name of secret which contains the authentication token for pulling the Coverity image. | ||
| default: "auth-token-coverity-image" | ||
| volumes: | ||
| - name: cov-license | ||
| secret: | ||
| secretName: $(params.COV_LICENSE) | ||
| optional: true | ||
| - name: auth-token-coverity-image | ||
| secret: | ||
| secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) | ||
| optional: true | ||
| steps: | ||
| - name: coverity-availability-check | ||
| image: quay.io/konflux-ci/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 | ||
| # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
| # the cluster will set imagePullPolicy to IfNotPresent | ||
| volumeMounts: | ||
| - name: cov-license | ||
| mountPath: "/etc/secrets/cov" | ||
| readOnly: true | ||
| - name: auth-token-coverity-image | ||
| mountPath: "/etc/secrets/auth/config.json" | ||
| subPath: .dockerconfigjson | ||
| env: | ||
| - name: COV_LICENSE | ||
| value: $(params.COV_LICENSE) | ||
| - name: AUTH_TOKEN_COVERITY_IMAGE | ||
| value: $(params.AUTH_TOKEN_COVERITY_IMAGE) | ||
| script: | | ||
| #!/usr/bin/env bash | ||
| set -eo pipefail | ||
| # shellcheck source=/dev/null | ||
| . /utils.sh | ||
| trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT | ||
| # Checking Coverity license | ||
| COV_LICENSE_PATH=/etc/secrets/cov/cov-license | ||
| if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then | ||
| echo "Coverity license detected!" | ||
| else | ||
| echo 'No license file for Coverity was detected. Coverity scan will not be executed...' | ||
| echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license' | ||
| note="Task $(context.task.name) failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license" | ||
| TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") | ||
| echo -n "failed" | tee "$(results.STATUS.path)" | ||
| exit 0 | ||
| fi | ||
| # Checking authentication token for downloading coverity image | ||
| AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json | ||
| if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then | ||
| echo "Authentication token detected!" | ||
| else | ||
| echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...' | ||
| echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image' | ||
| note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image" | ||
| TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") | ||
| echo -n "failed" | tee "$(results.STATUS.path)" | ||
| exit 0 | ||
| fi | ||
| note="Task $(context.task.name) completed: Coverity availability checks finished succesfully." | ||
| # shellcheck disable=SC2034 | ||
| TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") | ||
| echo -n "success" | tee "$(results.STATUS.path)" | ||
| echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" |