diff --git a/serverless/knative-service-account.yaml b/serverless/knative-service-account.yaml index d4b6232..6497a4b 100644 --- a/serverless/knative-service-account.yaml +++ b/serverless/knative-service-account.yaml @@ -9,4 +9,3 @@ roleRef: subjects: - kind: ServiceAccount name: ace-tekton-service-account - namespace: default diff --git a/serverless/tea-tekton-knative-service.yaml b/serverless/tea-tekton-knative-service.yaml index c1feff8..5f1b5e4 100644 --- a/serverless/tea-tekton-knative-service.yaml +++ b/serverless/tea-tekton-knative-service.yaml @@ -2,7 +2,6 @@ apiVersion: serving.knative.dev/v1 kind: Service metadata: name: tea-tekton-knative - namespace: default spec: template: spec: @@ -10,6 +9,8 @@ spec: - name: secret-volume-2 secret: secretName: jdbc-secret + imagePullSecrets: + - name: regcred containers: - name: tea-tekton-knative image: DOCKER_REGISTRY/tea-tekton:latest diff --git a/tekton/10-maven-ace-build-task.yaml b/tekton/10-maven-ace-build-task.yaml index f0eb760..0d1ba6c 100644 --- a/tekton/10-maven-ace-build-task.yaml +++ b/tekton/10-maven-ace-build-task.yaml @@ -3,6 +3,14 @@ kind: Task metadata: name: maven-ace-build spec: + # The security and environment settings are needed for OpenShift in a non-default + # namespace such as cp4i. Kaniko is expecting to be root in the container. + stepTemplate: + securityContext: + runAsUser: 0 + env: + - name: "HOME" + value: "/tekton/home" params: - name: dockerRegistry type: string @@ -74,7 +82,7 @@ spec: - mountPath: /work name: work - name: docker-build-and-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" diff --git a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml index fa0a66c..60491bf 100644 
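Review bot: The added `stepTemplate.securityContext.runAsUser: 0` in `maven-ace-build` applies to every step of the task, not only the kaniko step the comment says needs root, so the other steps of this task (not shown in this hunk) also run as uid 0 inside the build pod. Keep `HOME` in the `stepTemplate` but scope the root setting to the one step that needs it, e.g. under `- name: docker-build-and-push` add `securityContext:` / `  runAsUser: 0`. Worth extending the comment to say this only takes effect when the pod is admitted by an SCC permitting RunAsAny, which is presumably why `tekton/os/ace-scc.yaml` is added in the same commit.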
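Review bot: Moving the kaniko step from `gcr.io/kaniko-project/executor:v0.16.0` to `:latest` replaces a reproducible, reviewable build tool with a mutable tag that can change underneath the pipeline without any change in this repository, and this is the step that holds the registry push credentials via `DOCKER_CONFIG`. If the aim was to get off the 2019-era release, pin the newer release explicitly, ideally by digest, e.g. `image: gcr.io/kaniko-project/executor:v1.23.2` or `image: gcr.io/kaniko-project/executor@sha256:<digest>`. A short comment recording why the version moved (the non-default-namespace HOME handling mentioned in the stepTemplate comment?) would help the next maintainer; as far as I know upstream kaniko is no longer actively maintained, so whatever is pinned is likely the final state and should be chosen deliberately.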
--- a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml @@ -3,6 +3,14 @@ kind: Task metadata: name: ace-minimal-image-build-and-push spec: + # The security and environment settings are needed for OpenShift in a non-default + # namespace such as cp4i. Kaniko is expecting to be root in the container. + stepTemplate: + securityContext: + runAsUser: 0 + env: + - name: "HOME" + value: "/tekton/home" params: - name: dockerRegistry type: string @@ -23,12 +31,13 @@ spec: #!/bin/sh cd /work git clone "https://github.com/trevor-dolby-at-ibm-com/ace-docker" + sed -i 's/alpine:3.18/quay.io\/trevor_dolby\/alpine:3.18/g' /work/ace-docker/experimental/ace-minimal/Dockerfile.alpine ls -l /work/ace-docker/experimental/ace-minimal volumeMounts: - mountPath: /work name: work - name: ace-minimal-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" diff --git a/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml b/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml index 12ed8d3..031a6e2 100644 --- a/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml @@ -3,6 +3,14 @@ kind: Task metadata: name: ace-minimal-build-image-build-and-push spec: + # The security and environment settings are needed for OpenShift in a non-default + # namespace such as cp4i. Kaniko is expecting to be root in the container. + stepTemplate: + securityContext: + runAsUser: 0 + env: + - name: "HOME" + value: "/tekton/home" params: - name: dockerRegistry type: string 
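Review bot: In `ace-minimal-image-build-and-push` the `stepTemplate` root setting also covers the clone step shown in the next hunk, which only runs `git clone` into `/work` and has no need for uid 0, so third-party source is now checked out as root inside the pod. Move the root setting onto the kaniko step only and leave `HOME` in the template, e.g. `- name: ace-minimal-push` / `  securityContext:` / `    runAsUser: 0`. The step list may continue outside what is shown here, so apply the same check to any other steps.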
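Review bot: The new `sed` rewrites the cloned Dockerfile's base image from `alpine:3.18` to `quay.io/trevor_dolby/alpine:3.18`, a personal mirror, with no integrity check, so whoever controls that quay.io repository now controls the base layer of every image this task builds and pushes with the credentials in `DOCKER_CONFIG`. Pin the mirror by digest in the substitution (`quay.io\/trevor_dolby\/alpine@sha256:<digest>`) or add a comment stating why the mirror is trusted and who owns it. `sed -i` also succeeds silently when the pattern is absent, so if upstream bumps the base image the build quietly falls back to Docker Hub; add `grep -qF 'quay.io/trevor_dolby/alpine' /work/ace-docker/experimental/ace-minimal/Dockerfile.alpine || exit 1` after the sed. The kaniko `:latest` concern raised on the other tasks applies to `ace-minimal-push` too.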
@@ -25,7 +33,7 @@ spec: - mountPath: /work name: work - name: ace-minimal-build-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" diff --git a/tekton/os/ace-scc.yaml b/tekton/os/ace-scc.yaml new file mode 100644 index 0000000..0638b6a --- /dev/null +++ b/tekton/os/ace-scc.yaml @@ -0,0 +1,36 @@ +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: ace-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - RunAsAny. + name: ace-scc +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: ["CHOWN", "DAC_OVERRIDE","FOWNER","SETFCAP","SETGID","SETUID"] +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret \ No newline at end of file diff --git a/tekton/os/cp4i/force-pull-cp4i.yaml b/tekton/os/cp4i/force-pull-cp4i.yaml index 933c016..c112487 100644 --- a/tekton/os/cp4i/force-pull-cp4i.yaml +++ b/tekton/os/cp4i/force-pull-cp4i.yaml 
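Review bot: `ace-scc` is annotated as a close replica of `anyuid`, but `allowedCapabilities` lets pods request `CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `SETFCAP`, `SETGID` and `SETUID` on top of `runAsUser: RunAsAny` and `allowPrivilegeEscalation: true`; as far as I recall the stock anyuid SCC lists no allowed capabilities, so this is broader than the description claims and should say what differs. Each capability should be justified in the `kubernetes.io/description` (kaniko as uid 0 may need CHOWN/FOWNER/DAC_OVERRIDE to unpack layers, but SETFCAP/SETUID/SETGID are less obvious), or trimmed after a trial run with the shorter list. `groups: [system:cluster-admins]` alone does not grant the pipeline service account this SCC; presumably a Role with `use` on `securitycontextconstraints/ace-scc` or a `users:` entry lives elsewhere, and a comment pointing to it would stop someone reaching for `oc adm policy add-scc-to-user anyuid` instead. The file also lacks a trailing newline.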
@@ -1,30 +1,22 @@ -apiVersion: v1 -kind: Pod +apiVersion: apps/v1 +kind: DaemonSet metadata: name: force-pull-cp4i namespace: cp4i spec: - containers: - - name: force-pull-cp4i-base - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/tea-tekton-cp4i:latest - command: ["sleep"] - args: ["1"] - - name: force-pull-cp4i-ct - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/tea-tekton-cp4i-ct:latest - command: ["sleep"] - args: ["1"] - - name: force-pull-minimal - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-server-prod:12.0.10.0-r1 - command: ["sleep"] - args: ["1"] - - name: force-pull-minimal-build - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-minimal-build:12.0.10.0-alpine - command: ["sleep"] - args: ["1"] - restartPolicy: Never - imagePullSecrets: - - name: 'regcred' + selector: + matchLabels: + name: force-pull-cp4i + template: + metadata: + labels: + name: force-pull-cp4i + spec: + containers: + - name: force-pull-minimal-build + imagePullPolicy: Always + image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-minimal-build:12.0.10.0-alpine + command: ["sleep"] + args: ["1000000"] + imagePullSecrets: + - name: 'regcred' diff --git a/tekton/os/cp4i/service-account-cp4i.yaml b/tekton/os/cp4i/service-account-cp4i.yaml index 4887078..3c949b1 100644 --- a/tekton/os/cp4i/service-account-cp4i.yaml +++ b/tekton/os/cp4i/service-account-cp4i.yaml @@ -3,6 +3,9 @@ kind: ServiceAccount metadata: name: cp4i-tekton-service-account namespace: cp4i +imagePullSecrets: + - name: regcred + - name: ibm-entitlement-key secrets: - name: regcred - name: ibm-entitlement-key diff --git a/tekton/os/service-account.yaml b/tekton/os/service-account.yaml new file mode 100644 index 0000000..228daea --- /dev/null 
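Review bot: The DaemonSet keeps a `sleep 1000000` container from the `ace-minimal-build` image (a build image, so presumably carrying a shell and build tooling) resident on every node in `cp4i` indefinitely, with no `securityContext` and no resource requests or limits, where the Pod it replaces exited after one second; that is a standing foothold rather than a cache warmer. If the only purpose is to pre-pull the image, lock the sleeping container down and bound it as below, or do the pull in an `initContainer` and run a tiny pause image as the main container. Whether `runAsNonRoot: true` is viable depends on the image's default user, which this file does not show, so confirm before adding it. A comment on why three of the four previously pulled images were dropped would also help.
```yaml
      containers:
      - name: force-pull-minimal-build
        # … unchanged: imagePullPolicy, image, command, args …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
          limits:
            cpu: 50m
            memory: 64Mi
      # … unchanged: imagePullSecrets …
```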
+++ b/tekton/os/service-account.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ace-tekton-service-account +imagePullSecrets: + - name: regcred +secrets: + - name: regcred +--- + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pipeline-role +rules: +- apiGroups: ["extensions", "apps", "appconnect.ibm.com", "", "v1"] + resources: ["services", "deployments", "pods", "integrationservers", "pods/exec", "integrationruntimes"] + verbs: ["get", "create", "update", "patch", "list", "delete", "exec", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pipeline-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pipeline-role +subjects: +- kind: ServiceAccount + name: ace-tekton-service-account diff --git a/tekton/os/tea-tekton-route.yaml b/tekton/os/tea-tekton-route.yaml index a21d674..baf3679 100644 --- a/tekton/os/tea-tekton-route.yaml +++ b/tekton/os/tea-tekton-route.yaml @@ -2,7 +2,6 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: tea-route - namespace: default spec: host: tea-route-default.apps.openshift.mycompany.com to: diff --git a/tekton/service-account.yaml b/tekton/service-account.yaml index 700cef4..497b8bb 100644 --- a/tekton/service-account.yaml +++ b/tekton/service-account.yaml @@ -2,6 +2,8 @@ apiVersion: v1 kind: ServiceAccount metadata: name: ace-tekton-service-account +imagePullSecrets: + - name: regcred secrets: - name: regcred @@ -10,7 +12,6 @@ secrets: kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - namespace: default name: pipeline-role rules: - apiGroups: ["extensions", "apps", ""] @@ -30,4 +31,3 @@ roleRef: subjects: - kind: ServiceAccount name: ace-tekton-service-account - namespace: default diff --git a/tekton/tea-tekton-deployment.yaml b/tekton/tea-tekton-deployment.yaml index 248434c..e101de7 100644 --- a/tekton/tea-tekton-deployment.yaml +++ b/tekton/tea-tekton-deployment.yaml 
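Review bot: In `pipeline-role` the `apiGroups` entry `"v1"` is not an API group (core resources live in `""`) and `"exec"` is not an RBAC verb (exec is `create` on `pods/exec`), so both are dead entries that make the rule read differently from what it grants, while the real grant — `create`, `update`, `patch` and `delete` on every listed resource plus `pods/exec` — is already a shell into any pod in the namespace and the ability to redeploy anything there. Split the single rule per API group so each resource carries only the verbs the tasks use, as below, and decide whether `delete` on `integrationservers`/`integrationruntimes` and `pods/exec` are genuinely exercised by the pipeline. `extensions` is kept below for compatibility, but Deployments have been `apps/v1` only since Kubernetes 1.16, so it can probably go too. A one-line comment above the Role naming which task needs which verb would make the next trim safe.
```yaml
rules:
- apiGroups: [""]
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
- apiGroups: ["apps", "extensions"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["appconnect.ibm.com"]
  resources: ["integrationservers", "integrationruntimes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```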
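Review bot: With `namespace: default` removed so `tea-route` can be applied in other namespaces, `spec.host: tea-route-default.apps.openshift.mycompany.com` still hard-codes `default` in the hostname, so applying this in `cp4i` will either be rejected by the router as a duplicate host claim if the route still exists in `default`, or advertise a misleading name if it does not. Drop the line and let the router derive `<name>-<namespace>.<apps-domain>`, or treat it as a placeholder to be substituted like `DOCKER_REGISTRY`: remove `host: tea-route-default.apps.openshift.mycompany.com`.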
@@ -20,6 +20,8 @@ spec: - name: secret-volume-2 secret: secretName: jdbc-secret + imagePullSecrets: + - name: regcred containers: - name: tea-tekton image: DOCKER_REGISTRY/tea-tekton:latest diff --git a/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml b/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml index 203da72..9b228e5 100644 --- a/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml +++ b/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml @@ -136,7 +136,7 @@ spec: - mountPath: /work name: work - name: docker-build-and-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG"
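Review bot: `maven-ace-build-temp-db2` gets the same `executor:v0.16.0` → `:latest` move as the other tasks but not the `stepTemplate` with `HOME=/tekton/home` and `runAsUser: 0`; if this task is also expected to run in a non-default OpenShift namespace it will presumably hit the same kaniko/HOME problem the other tasks were patched for, and if it deliberately is not, a comment saying so would stop someone adding it. Independently, `:latest` on the image that carries the push credentials in `DOCKER_CONFIG` is a mutable, unreviewable input; pin a release tag or digest, e.g. `image: gcr.io/kaniko-project/executor:v1.23.2`. The step definition continues outside this hunk.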