diff --git a/tests/region-cosign-industrial-edge-factory.expected.yaml b/tests/region-cosign-industrial-edge-factory.expected.yaml
index 62196e9e..b58f8712 100644
--- a/tests/region-cosign-industrial-edge-factory.expected.yaml
+++ b/tests/region-cosign-industrial-edge-factory.expected.yaml
@@ -1,4 +1,32 @@
 ---
+# Source: cosign/templates/rbac/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cosign-sa
+ namespace: openshift-pipelines
+ annotations: {}
+---
+# Source: cosign/templates/cosign-cm-script.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-cosign-pubkey
+ namespace: openshift-pipelines
+data:
+ cosign.sh: |
+ #!/bin/bash
+ # check for signing-secrets in openshift-pipelines
+ SECRET=$(oc get secret signing-secrets -n openshift-pipelines)
+ if [[ $? -ne 0 ]]
+ then
+ export COSIGN_PASSWORD=$(openssl rand -base64 32)
+ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets --output-file /tmp/cosign.pub
+ oc create secret generic cosign-pubkey --from-file=/tmp/cosign.pub
+ else
+ echo "the signing-secrets secret exists in openshift-pipelines"
+ fi
+---
 # Source: cosign/templates/rbac/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,6 +47,7 @@ rules:
 - patch
 - create
 - update
+ - delete
 ---
 # Source: cosign/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -31,7 +60,7 @@ metadata:
 argocd.argoproj.io/sync-wave: "-15"
 subjects:
 - kind: ServiceAccount
- name: pipelines
+ name: cosign-sa
 namespace: openshift-pipelines
 apiGroup: ""
 roleRef:
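Review bot: In the added `cosign.sh`, `if [[ $? -ne 0 ]]` treats every failure of `oc get secret signing-secrets` as "the secret is missing", so an RBAC denial or an unreachable API server also sends the script into the key-generation branch and may regenerate a key pair that already exists. Nothing in that branch checks exit codes either: a failed `cosign generate-key-pair` is still followed by `oc create secret generic cosign-pubkey`, and a `cosign-pubkey` left over from an earlier key makes that create fail while the stale public key stays in place. I would start the script with `set -euo pipefail`, make the lookup `SECRET=$(oc get secret signing-secrets -n openshift-pipelines --ignore-not-found -o name)` and branch on `if [[ -z "$SECRET" ]]`. The same script is repeated in the hub, medical-diagnosis-hub, naked and normal cosign expectation files.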
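Review bot: The `delete` verb added to the Role is not exercised by anything in this diff: the new `cosign.sh` only runs `oc get`, `cosign generate-key-pair` and `oc create`. The rule's `resources` and any `resourceNames` sit above the hunk, so what the verb applies to is not visible here; if the rule covers secrets without `resourceNames`, `cosign-sa` could delete any secret in the Role's namespace, including `signing-secrets`. Either drop `- delete` until a caller needs it, or move the mutating verbs into a rule limited by `resourceNames` to `signing-secrets` and `cosign-pubkey` (`create` cannot be restricted that way and needs its own rule). The other four cosign expectation files carry the same line.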
@@ -56,14 +85,21 @@ spec:
 - /bin/bash
 - -c
 - |
- export COSIGN_PASSWORD=$(openssl rand -base64 32)
- cosign key-generate k8s://openshift-pipelines/signing-secrets
- oc create secret generic cosign-pubkey --from-file=cosign.pub
+ '/tmp/cosign.sh'
 name: create-cosign-pubkey
+ volumeMounts:
+ - mountPath: /tmp/cosign.sh
+ name: cosign
+ subPath: cosign.sh
+ volumes:
+ - name: cosign
+ configMap:
+ name: create-cosign-pubkey
+ defaultMode: 0755
 dnsPolicy: ClusterFirst
 restartPolicy: Never
- serviceAccount: pipeline
- serviceAccountName: pipeline
+ serviceAccount: cosign-sa
+ serviceAccountName: cosign-sa
 terminationGracePeriodSeconds: 60
 ---
 # Source: cosign/templates/buildconfig.yaml
diff --git a/tests/region-cosign-industrial-edge-hub.expected.yaml b/tests/region-cosign-industrial-edge-hub.expected.yaml
index 62196e9e..b58f8712 100644
--- a/tests/region-cosign-industrial-edge-hub.expected.yaml
+++ b/tests/region-cosign-industrial-edge-hub.expected.yaml
@@ -1,4 +1,32 @@
 ---
+# Source: cosign/templates/rbac/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cosign-sa
+ namespace: openshift-pipelines
+ annotations: {}
+---
+# Source: cosign/templates/cosign-cm-script.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-cosign-pubkey
+ namespace: openshift-pipelines
+data:
+ cosign.sh: |
+ #!/bin/bash
+ # check for signing-secrets in openshift-pipelines
+ SECRET=$(oc get secret signing-secrets -n openshift-pipelines)
+ if [[ $? -ne 0 ]]
+ then
+ export COSIGN_PASSWORD=$(openssl rand -base64 32)
+ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets --output-file /tmp/cosign.pub
+ oc create secret generic cosign-pubkey --from-file=/tmp/cosign.pub
+ else
+ echo "the signing-secrets secret exists in openshift-pipelines"
+ fi
+---
 # Source: cosign/templates/rbac/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
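Review bot: In the Job pod spec of the factory file, the mounted script gets `defaultMode: 0755`, an unquoted leading-zero scalar that is octal (493) only under YAML 1.1 rules; a YAML 1.2 loader reads it as decimal 755, which is outside the valid mode range. Writing the mode in decimal avoids that, and because the container only has to read and execute the script the write bit can go: `defaultMode: 365  # 0555`. Separately, the Job now runs whatever `cosign.sh` the `create-cosign-pubkey` ConfigMap holds, so edit rights on ConfigMaps in `openshift-pipelines` become a way to run commands as `cosign-sa`; it is worth confirming they are as tight as edit rights on the Job itself. The pod spec starts above the hunk, and the same lines appear in the other four cosign expectation files.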
@@ -19,6 +47,7 @@ rules:
 - patch
 - create
 - update
+ - delete
 ---
 # Source: cosign/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -31,7 +60,7 @@ metadata:
 argocd.argoproj.io/sync-wave: "-15"
 subjects:
 - kind: ServiceAccount
- name: pipelines
+ name: cosign-sa
 namespace: openshift-pipelines
 apiGroup: ""
 roleRef:
@@ -56,14 +85,21 @@ spec:
 - /bin/bash
 - -c
 - |
- export COSIGN_PASSWORD=$(openssl rand -base64 32)
- cosign key-generate k8s://openshift-pipelines/signing-secrets
- oc create secret generic cosign-pubkey --from-file=cosign.pub
+ '/tmp/cosign.sh'
 name: create-cosign-pubkey
+ volumeMounts:
+ - mountPath: /tmp/cosign.sh
+ name: cosign
+ subPath: cosign.sh
+ volumes:
+ - name: cosign
+ configMap:
+ name: create-cosign-pubkey
+ defaultMode: 0755
 dnsPolicy: ClusterFirst
 restartPolicy: Never
- serviceAccount: pipeline
- serviceAccountName: pipeline
+ serviceAccount: cosign-sa
+ serviceAccountName: cosign-sa
 terminationGracePeriodSeconds: 60
 ---
 # Source: cosign/templates/buildconfig.yaml
diff --git a/tests/region-cosign-medical-diagnosis-hub.expected.yaml b/tests/region-cosign-medical-diagnosis-hub.expected.yaml
index 62196e9e..b58f8712 100644
--- a/tests/region-cosign-medical-diagnosis-hub.expected.yaml
+++ b/tests/region-cosign-medical-diagnosis-hub.expected.yaml
@@ -1,4 +1,32 @@
 ---
+# Source: cosign/templates/rbac/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cosign-sa
+ namespace: openshift-pipelines
+ annotations: {}
+---
+# Source: cosign/templates/cosign-cm-script.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-cosign-pubkey
+ namespace: openshift-pipelines
+data:
+ cosign.sh: |
+ #!/bin/bash
+ # check for signing-secrets in openshift-pipelines
+ SECRET=$(oc get secret signing-secrets -n openshift-pipelines)
+ if [[ $? -ne 0 ]]
+ then
+ export COSIGN_PASSWORD=$(openssl rand -base64 32)
+ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets --output-file /tmp/cosign.pub
+ oc create secret generic cosign-pubkey --from-file=/tmp/cosign.pub
+ else
+ echo "the signing-secrets secret exists in openshift-pipelines"
+ fi
+---
 # Source: cosign/templates/rbac/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,6 +47,7 @@ rules:
 - patch
 - create
 - update
+ - delete
 ---
 # Source: cosign/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -31,7 +60,7 @@ metadata:
 argocd.argoproj.io/sync-wave: "-15"
 subjects:
 - kind: ServiceAccount
- name: pipelines
+ name: cosign-sa
 namespace: openshift-pipelines
 apiGroup: ""
 roleRef:
@@ -56,14 +85,21 @@ spec:
 - /bin/bash
 - -c
 - |
- export COSIGN_PASSWORD=$(openssl rand -base64 32)
- cosign key-generate k8s://openshift-pipelines/signing-secrets
- oc create secret generic cosign-pubkey --from-file=cosign.pub
+ '/tmp/cosign.sh'
 name: create-cosign-pubkey
+ volumeMounts:
+ - mountPath: /tmp/cosign.sh
+ name: cosign
+ subPath: cosign.sh
+ volumes:
+ - name: cosign
+ configMap:
+ name: create-cosign-pubkey
+ defaultMode: 0755
 dnsPolicy: ClusterFirst
 restartPolicy: Never
- serviceAccount: pipeline
- serviceAccountName: pipeline
+ serviceAccount: cosign-sa
+ serviceAccountName: cosign-sa
 terminationGracePeriodSeconds: 60
 ---
 # Source: cosign/templates/buildconfig.yaml
diff --git a/tests/region-cosign-naked.expected.yaml b/tests/region-cosign-naked.expected.yaml
index 62196e9e..b58f8712 100644
--- a/tests/region-cosign-naked.expected.yaml
+++ b/tests/region-cosign-naked.expected.yaml
@@ -1,4 +1,32 @@
 ---
+# Source: cosign/templates/rbac/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cosign-sa
+ namespace: openshift-pipelines
+ annotations: {}
+---
+# Source: cosign/templates/cosign-cm-script.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-cosign-pubkey
+ namespace: openshift-pipelines
+data:
+ cosign.sh: |
+ #!/bin/bash
+ # check for signing-secrets in openshift-pipelines
+ SECRET=$(oc get secret signing-secrets -n openshift-pipelines)
+ if [[ $? -ne 0 ]]
+ then
+ export COSIGN_PASSWORD=$(openssl rand -base64 32)
+ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets --output-file /tmp/cosign.pub
+ oc create secret generic cosign-pubkey --from-file=/tmp/cosign.pub
+ else
+ echo "the signing-secrets secret exists in openshift-pipelines"
+ fi
+---
 # Source: cosign/templates/rbac/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,6 +47,7 @@ rules:
 - patch
 - create
 - update
+ - delete
 ---
 # Source: cosign/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -31,7 +60,7 @@ metadata:
 argocd.argoproj.io/sync-wave: "-15"
 subjects:
 - kind: ServiceAccount
- name: pipelines
+ name: cosign-sa
 namespace: openshift-pipelines
 apiGroup: ""
 roleRef:
@@ -56,14 +85,21 @@ spec:
 - /bin/bash
 - -c
 - |
- export COSIGN_PASSWORD=$(openssl rand -base64 32)
- cosign key-generate k8s://openshift-pipelines/signing-secrets
- oc create secret generic cosign-pubkey --from-file=cosign.pub
+ '/tmp/cosign.sh'
 name: create-cosign-pubkey
+ volumeMounts:
+ - mountPath: /tmp/cosign.sh
+ name: cosign
+ subPath: cosign.sh
+ volumes:
+ - name: cosign
+ configMap:
+ name: create-cosign-pubkey
+ defaultMode: 0755
 dnsPolicy: ClusterFirst
 restartPolicy: Never
- serviceAccount: pipeline
- serviceAccountName: pipeline
+ serviceAccount: cosign-sa
+ serviceAccountName: cosign-sa
 terminationGracePeriodSeconds: 60
 ---
 # Source: cosign/templates/buildconfig.yaml
diff --git a/tests/region-cosign-normal.expected.yaml b/tests/region-cosign-normal.expected.yaml
index 62196e9e..b58f8712 100644
--- a/tests/region-cosign-normal.expected.yaml
+++ b/tests/region-cosign-normal.expected.yaml
@@ -1,4 +1,32 @@
 ---
+# Source: cosign/templates/rbac/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cosign-sa
+ namespace: openshift-pipelines
+ annotations: {}
+---
+# Source: cosign/templates/cosign-cm-script.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-cosign-pubkey
+ namespace: openshift-pipelines
+data:
+ cosign.sh: |
+ #!/bin/bash
+ # check for signing-secrets in openshift-pipelines
+ SECRET=$(oc get secret signing-secrets -n openshift-pipelines)
+ if [[ $? -ne 0 ]]
+ then
+ export COSIGN_PASSWORD=$(openssl rand -base64 32)
+ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets --output-file /tmp/cosign.pub
+ oc create secret generic cosign-pubkey --from-file=/tmp/cosign.pub
+ else
+ echo "the signing-secrets secret exists in openshift-pipelines"
+ fi
+---
 # Source: cosign/templates/rbac/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,6 +47,7 @@ rules:
 - patch
 - create
 - update
+ - delete
 ---
 # Source: cosign/templates/rbac/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -31,7 +60,7 @@ metadata:
 argocd.argoproj.io/sync-wave: "-15"
 subjects:
 - kind: ServiceAccount
- name: pipelines
+ name: cosign-sa
 namespace: openshift-pipelines
 apiGroup: ""
 roleRef:
@@ -56,14 +85,21 @@ spec:
 - /bin/bash
 - -c
 - |
- export COSIGN_PASSWORD=$(openssl rand -base64 32)
- cosign key-generate k8s://openshift-pipelines/signing-secrets
- oc create secret generic cosign-pubkey --from-file=cosign.pub
+ '/tmp/cosign.sh'
 name: create-cosign-pubkey
+ volumeMounts:
+ - mountPath: /tmp/cosign.sh
+ name: cosign
+ subPath: cosign.sh
+ volumes:
+ - name: cosign
+ configMap:
+ name: create-cosign-pubkey
+ defaultMode: 0755
 dnsPolicy: ClusterFirst
 restartPolicy: Never
- serviceAccount: pipeline
- serviceAccountName: pipeline
+ serviceAccount: cosign-sa
+ serviceAccountName: cosign-sa
 terminationGracePeriodSeconds: 60
 ---
 # Source: cosign/templates/buildconfig.yaml
diff --git a/tests/region-pipelines-industrial-edge-factory.expected.yaml b/tests/region-pipelines-industrial-edge-factory.expected.yaml
index 21a65aed..c5fab07f 100644
--- a/tests/region-pipelines-industrial-edge-factory.expected.yaml
+++ b/tests/region-pipelines-industrial-edge-factory.expected.yaml
@@ -71,6 +71,7 @@ metadata:
 namespace: openshift-pipelines
 annotations:
 argocd.argoproj.io/sync-options: PruneLast=true
+ argocd.argoproj.io/sync-options: ServerSideApply=true
 data:
 artifacts.oci.storage: 'oci'
 artifacts.taskrun.format: tekton
diff --git a/tests/region-pipelines-industrial-edge-hub.expected.yaml b/tests/region-pipelines-industrial-edge-hub.expected.yaml
index 21a65aed..c5fab07f 100644
--- a/tests/region-pipelines-industrial-edge-hub.expected.yaml
+++ b/tests/region-pipelines-industrial-edge-hub.expected.yaml
@@ -71,6 +71,7 @@ metadata:
 namespace: openshift-pipelines
 annotations:
 argocd.argoproj.io/sync-options: PruneLast=true
+ argocd.argoproj.io/sync-options: ServerSideApply=true
 data:
 artifacts.oci.storage: 'oci'
 artifacts.taskrun.format: tekton
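Review bot: In the pipelines factory file, the added line repeats the `argocd.argoproj.io/sync-options` key inside the same `annotations` mapping, so the mapping now has a duplicate key; most YAML loaders keep only the last one, which would silently drop `PruneLast=true`, and stricter ones reject the document. Argo CD accepts several sync options in one annotation as a comma-separated list, so the two lines should become `argocd.argoproj.io/sync-options: PruneLast=true,ServerSideApply=true`. The metadata block starts above the hunk, and the same duplicate is in the hub, medical-diagnosis-hub, naked and normal pipelines expectation files. Since these files are rendered output, the fix presumably belongs in the chart template, which is not part of what is shown here.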
diff --git a/tests/region-pipelines-medical-diagnosis-hub.expected.yaml b/tests/region-pipelines-medical-diagnosis-hub.expected.yaml
index 21a65aed..c5fab07f 100644
--- a/tests/region-pipelines-medical-diagnosis-hub.expected.yaml
+++ b/tests/region-pipelines-medical-diagnosis-hub.expected.yaml
@@ -71,6 +71,7 @@ metadata:
 namespace: openshift-pipelines
 annotations:
 argocd.argoproj.io/sync-options: PruneLast=true
+ argocd.argoproj.io/sync-options: ServerSideApply=true
 data:
 artifacts.oci.storage: 'oci'
 artifacts.taskrun.format: tekton
diff --git a/tests/region-pipelines-naked.expected.yaml b/tests/region-pipelines-naked.expected.yaml
index 4f47c84d..6b3101b2 100644
--- a/tests/region-pipelines-naked.expected.yaml
+++ b/tests/region-pipelines-naked.expected.yaml
@@ -71,6 +71,7 @@ metadata:
 namespace: openshift-pipelines
 annotations:
 argocd.argoproj.io/sync-options: PruneLast=true
+ argocd.argoproj.io/sync-options: ServerSideApply=true
 data:
 artifacts.oci.storage: 'oci'
 artifacts.taskrun.format: tekton
diff --git a/tests/region-pipelines-normal.expected.yaml b/tests/region-pipelines-normal.expected.yaml
index 21a65aed..c5fab07f 100644
--- a/tests/region-pipelines-normal.expected.yaml
+++ b/tests/region-pipelines-normal.expected.yaml
@@ -71,6 +71,7 @@ metadata:
 namespace: openshift-pipelines
 annotations:
 argocd.argoproj.io/sync-options: PruneLast=true
+ argocd.argoproj.io/sync-options: ServerSideApply=true
 data:
 artifacts.oci.storage: 'oci'
 artifacts.taskrun.format: tekton