From b5df878d8bf9edf309894d12921796fd842c0309 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Thu, 2 Nov 2023 17:42:30 -0500 Subject: [PATCH 01/12] More codespaces options Signed-off-by: Trevor Dolby --- .devcontainer/ace-toolkit-xvnc/devcontainer.json | 10 ++++++++++ .devcontainer/quay.io/devcontainer.json | 10 ++++++++++ 2 files changed, 20 insertions(+) create mode 100644 .devcontainer/ace-toolkit-xvnc/devcontainer.json create mode 100644 .devcontainer/quay.io/devcontainer.json diff --git a/.devcontainer/ace-toolkit-xvnc/devcontainer.json b/.devcontainer/ace-toolkit-xvnc/devcontainer.json new file mode 100644 index 0000000..c6cf0e5 --- /dev/null +++ b/.devcontainer/ace-toolkit-xvnc/devcontainer.json @@ -0,0 +1,10 @@ +{ + "name": "ace-demo-pipeline-toolkit-xvnc-devcontainer", + "image": "tdolby/experimental:ace-devcontainer-xvnc-12.0.10.0", + "containerEnv": { + "LICENSE": "accept" + }, + "remoteEnv": { + "REMOTE_LICENSE": "accept" + } +} diff --git a/.devcontainer/quay.io/devcontainer.json b/.devcontainer/quay.io/devcontainer.json new file mode 100644 index 0000000..181fe46 --- /dev/null +++ b/.devcontainer/quay.io/devcontainer.json @@ -0,0 +1,10 @@ +{ + "name": "ace-demo-pipeline-devcontainer-quay-io", + "image": "quay.io/trevor_dolby/ace-minimal-devcontainer:12.0.10.0", + "containerEnv": { + "LICENSE": "accept" + }, + "remoteEnv": { + "REMOTE_LICENSE": "accept" + } +} From ab7659e83916cd6e71dd5bbfaf8b2d350405bb2d Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Thu, 2 Nov 2023 17:51:01 -0500 Subject: [PATCH 02/12] Add additional quay.io option Signed-off-by: Trevor Dolby --- .../quay.io-ace-toolkit-xvnc/devcontainer.json | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .devcontainer/quay.io-ace-toolkit-xvnc/devcontainer.json diff --git a/.devcontainer/quay.io-ace-toolkit-xvnc/devcontainer.json b/.devcontainer/quay.io-ace-toolkit-xvnc/devcontainer.json new file mode 100644 index 0000000..701f98e --- /dev/null 
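Review bot: The `image` in this devcontainer.json is a mutable tag in a personal Docker Hub namespace (`tdolby/experimental:ace-devcontainer-xvnc-12.0.10.0`), so every Codespace start pulls whatever that tag resolves to at that moment. Since the container presumably receives the repository checkout and an interactive session, pin it by digest, `"image": "tdolby/experimental@sha256:<digest>"`, and bump the digest deliberately when the image is rebuilt. The same applies to the `quay.io/trevor_dolby/...` images in the second hunk of this patch and in patch 02. The `LICENSE`/`REMOTE_LICENSE` entries only carry the license-acceptance flag and are fine to keep in the file.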
+++ b/.devcontainer/quay.io-ace-toolkit-xvnc/devcontainer.json @@ -0,0 +1,10 @@ +{ + "name": "ace-demo-pipeline-quay.io-toolkit-xvnc-devcontainer", + "image": "quay.io/trevor_dolby/ace-devcontainer-xvnc:12.0.10.0", + "containerEnv": { + "LICENSE": "accept" + }, + "remoteEnv": { + "REMOTE_LICENSE": "accept" + } +} From ce726ebbc4755e64e6c5ce0a0c212f3997c368a8 Mon Sep 17 00:00:00 2001 From: Trevor Dolby <107267051+trevor-dolby-at-ibm-com@users.noreply.github.com> Date: Thu, 2 Nov 2023 18:24:57 -0500 Subject: [PATCH 03/12] Codespaces link --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 6bd5264..f08a2cb 100644 --- a/README.md +++ b/README.md 
@@ -17,20 +17,23 @@ being constructed to show pipeline-friendliness rather than being a "best practi - IBM Cloud Kubernetes cluster (free tier) for running the application container - DB2 on Cloud (free tier) for use by the application container; credentials stored in Kubernetes secrets - This repo can also be built using a GitHub action for CI enablement. It is also possible to run the - pipeline using OpenShift with RedHat OpenShift Pipelines instead of using the IBM Cloud Kubernetes - service, and the instructions contain OpenShift-specific sections for the needed changes. +This repo can also be built using a GitHub action for CI enablement. It is also possible to run the +pipeline using OpenShift with RedHat OpenShift Pipelines instead of using the IBM Cloud Kubernetes +service, and the instructions contain OpenShift-specific sections for the needed changes. - There is also a variant of the pipeline that uses the IBM Cloud Pak for Integration and creates - custom resources to deploy the application (amongst other changes). See the - [CP4i README](tekton/os/cp4i/README.md) for details and instructions. +There is also a variant of the pipeline that uses the IBM Cloud Pak for Integration and creates +custom resources to deploy the application (amongst other changes). See the +[CP4i README](tekton/os/cp4i/README.md) for details and instructions. - Jenkins can also be used to run the pipeline and deploy the application to an integration node. - See the [Jenkins README](demo-infrastructure/README-jenkins.md) for details and instructions. - - Note that the Tekton pipeline can also create temporary databases for use during pipeline runs; see - [temp-db2](tekton/temp-db2/README.md) for more details. +Jenkins can also be used to run the pipeline and deploy the application to an integration node. +See the [Jenkins README](demo-infrastructure/README-jenkins.md) for details and instructions. 
+Note that the Tekton pipeline can also create temporary databases for use during pipeline runs; see +[temp-db2](tekton/temp-db2/README.md) for more details. + +For online testing and development, see [README-codespaces](README-codespaces.md) for details on +using a github-hosted container. + ## The application The application used to demonstrate the pipeline consists of a REST API that accepts JSON and interacts From 0cdf75bc374ce23944d4317e7b858ace83c59c93 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Thu, 2 Nov 2023 18:27:01 -0500 Subject: [PATCH 04/12] More codespace options Signed-off-by: Trevor Dolby --- README-codespaces.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README-codespaces.md b/README-codespaces.md index f908407..946128b 100644 --- a/README-codespaces.md +++ b/README-codespaces.md @@ -22,10 +22,9 @@ The first Maven run will download lots of plugins, and subsequent runs will be f ## Use cases -As the ACE toolkit is not available (the web console is taken up with vscode and there is -no X-Windows display), codespaces are most useful for incremental coding and fixing issues. -Although it is possible to create message flows with a text editor, and this is supported -as long as the format is exactly right, the toolkit is a much more efficient way to do this! +The default container does not have the ACE toolkit available (the web console is taken +up with vscode and there is no X-Windows display) and so these codespaces are most useful +for incremental coding and fixing issues. For ESQL or Java coding, unit testing, or fixing CI build breaks, codespaces provide an easy-to-start environment that removes the need to install the product locally while still 
@@ -36,3 +35,11 @@ allowing building and testing with the actual product. Codespaces for this repo use the [ace-minimal devcontainer](https://github.com/ot4i/ace-docker/tree/main/experimental/devcontainers) which is built on the standard Ubuntu devcontainer with ACE and Maven installed. The container is pre-built for faster startup, but could also be run as a docker build during codespace startup. + +## Toolkit-enabled container + +This repo has a "toolkit-xvnc" option for codespaces which will use an ACE devcontainer that +can run the toolkit in a browser session; see https://github.com/trevor-dolby-at-ibm-com/ace-vnc-devcontainer +for details on how to access the toolkit. This option takes significantly longer to start than +the default devcontainer. + From 17feb8bf0b5718bbc47b27257aebeb67606823a8 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Thu, 23 Nov 2023 10:55:35 -0600 Subject: [PATCH 05/12] Changes for non-default namespace Signed-off-by: Trevor Dolby --- .../01-ace-minimal-image-build-and-push-task.yaml | 8 ++++++++ .../02-ace-minimal-build-image-build-and-push-task.yaml | 8 ++++++++ .../os/ace-minimal-build-image-pipeline-run.yaml | 2 +- .../os/ace-minimal-image-pipeline-run.yaml | 2 +- 4 files changed, 18 insertions(+), 2 deletions(-) diff --git a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml index fa0a66c..61f7f14 100644 --- a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml 
@@ -3,6 +3,14 @@ kind: Task metadata: name: ace-minimal-image-build-and-push spec: + # The security and environment settings are needed for OpenShift in a non-default + # namespace such as cp4i. Kaniko is expecting to be root in the container. + stepTemplate: + securityContext: + runAsUser: 0 + env: + - name: "HOME" + value: "/tekton/home" params: - name: dockerRegistry type: string diff --git a/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml b/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml index 12ed8d3..9acdc6e 100644 --- a/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml @@ -3,6 +3,14 @@ kind: Task metadata: name: ace-minimal-build-image-build-and-push spec: + # The security and environment settings are needed for OpenShift in a non-default + # namespace such as cp4i. Kaniko is expecting to be root in the container. + stepTemplate: + securityContext: + runAsUser: 0 + env: + - name: "HOME" + value: "/tekton/home" params: - name: dockerRegistry type: string diff --git a/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml b/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml index 4cd4ad8..d7fce0d 100644 --- a/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml +++ b/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml @@ -3,7 +3,7 @@ kind: PipelineRun metadata: name: ace-minimal-build-image-pipeline-run-1 spec: - serviceAccountName: ace-tekton-service-account + serviceAccountName: cp4i-tekton-service-account pipelineRef: name: ace-minimal-build-image-pipeline params: diff --git a/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml b/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml index f5493b5..ae90de7 100644 --- a/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml 
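Review bot: `stepTemplate.securityContext.runAsUser: 0` applies to every step of the task, not only to the Kaniko step the comment says needs it, so the clone-and-sed shell step visible in patch 06 also runs as root. Put `securityContext: {runAsUser: 0}` on the Kaniko step itself (`ace-minimal-push` here) and leave `stepTemplate` with just the `HOME` env. This setting only takes effect when the pipeline service account is granted an SCC with `runAsUser: RunAsAny` (the `ace-scc` added in patch 12), which the comment should say: `# Requires an SCC allowing runAsUser RunAsAny for the pipeline service account (see tekton/os/ace-scc.yaml).` The identical block is added to the 02 task in this patch and to 10-maven-ace-build-task.yaml in patch 11.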
+++ b/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml @@ -3,7 +3,7 @@ kind: PipelineRun metadata: name: ace-minimal-image-pipeline-run-1 spec: - serviceAccountName: ace-tekton-service-account + serviceAccountName: cp4i-tekton-service-account pipelineRef: name: ace-minimal-image-pipeline params: From 0ccd0a76a4eee1d78a14da024fcccd5d1ac542fc Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Thu, 23 Nov 2023 12:13:15 -0600 Subject: [PATCH 06/12] Patch base image name Signed-off-by: Trevor Dolby --- .../01-ace-minimal-image-build-and-push-task.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml index 61f7f14..0eb6f4d 100644 --- a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml @@ -31,6 +31,7 @@ spec: #!/bin/sh cd /work git clone "https://github.com/trevor-dolby-at-ibm-com/ace-docker" + sed -i 's/alpine:3.18/quay.io\/trevor_dolby\/alpine:3.18/g' /work/ace-docker/experimental/ace-minimal/Dockerfile.alpine ls -l /work/ace-docker/experimental/ace-minimal volumeMounts: - mountPath: /work From 1fb8b2116374d0de8c3c1c2a3aa43ef4718187f5 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Fri, 24 Nov 2023 09:59:38 -0600 Subject: [PATCH 07/12] Use DaemonSet to force image pull Signed-off-by: Trevor Dolby --- tekton/os/cp4i/force-pull-cp4i.yaml | 44 ++++++++++++----------------- 1 file changed, 18 insertions(+), 26 deletions(-) diff --git a/tekton/os/cp4i/force-pull-cp4i.yaml b/tekton/os/cp4i/force-pull-cp4i.yaml index 933c016..c112487 100644 --- a/tekton/os/cp4i/force-pull-cp4i.yaml +++ b/tekton/os/cp4i/force-pull-cp4i.yaml 
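Review bot: The new `sed -i` line silently does nothing if `alpine:3.18` no longer appears in the cloned `Dockerfile.alpine`, and the `git clone` above it checks out the default branch of `trevor-dolby-at-ibm-com/ace-docker` unpinned, so the base image of the built artifact depends on that branch's head at run time. Pin the checkout (`git clone --depth 1 --branch <tag> ...`, or `git -C ace-docker checkout <sha>` after the clone) and make the rewrite fail loudly with `grep -q 'alpine:3.18' /work/ace-docker/experimental/ace-minimal/Dockerfile.alpine || exit 1` before the sed. The script shown goes straight from `#!/bin/sh` to `cd /work` with no `set -e`, so a failed clone also does not stop the step. `quay.io/trevor_dolby/alpine:3.18` is itself a mutable tag in a personal namespace; a `@sha256:` digest would make the image reproducible. The shell step and the task continue outside this hunk.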
@@ -1,30 +1,22 @@ -apiVersion: v1 -kind: Pod +apiVersion: apps/v1 +kind: DaemonSet metadata: name: force-pull-cp4i namespace: cp4i spec: - containers: - - name: force-pull-cp4i-base - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/tea-tekton-cp4i:latest - command: ["sleep"] - args: ["1"] - - name: force-pull-cp4i-ct - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/tea-tekton-cp4i-ct:latest - command: ["sleep"] - args: ["1"] - - name: force-pull-minimal - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-server-prod:12.0.10.0-r1 - command: ["sleep"] - args: ["1"] - - name: force-pull-minimal-build - imagePullPolicy: Always - image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-minimal-build:12.0.10.0-alpine - command: ["sleep"] - args: ["1"] - restartPolicy: Never - imagePullSecrets: - - name: 'regcred' + selector: + matchLabels: + name: force-pull-cp4i + template: + metadata: + labels: + name: force-pull-cp4i + spec: + containers: + - name: force-pull-minimal-build + imagePullPolicy: Always + image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-minimal-build:12.0.10.0-alpine + command: ["sleep"] + args: ["1000000"] + imagePullSecrets: + - name: 'regcred' From aac288225a9801a99ca4e337fda240884b79e497 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Fri, 24 Nov 2023 10:26:39 -0600 Subject: [PATCH 08/12] Add imagePullSecrets to service account Signed-off-by: Trevor Dolby --- tekton/os/cp4i/service-account-cp4i.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tekton/os/cp4i/service-account-cp4i.yaml b/tekton/os/cp4i/service-account-cp4i.yaml index 4887078..3c949b1 100644 --- a/tekton/os/cp4i/service-account-cp4i.yaml +++ b/tekton/os/cp4i/service-account-cp4i.yaml 
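Review bot: The DaemonSet keeps a `sleep 1000000` container running on every node in the `cp4i` namespace with no `resources` and no `securityContext`, so what was a one-shot pre-pull pod becomes a permanent, unbounded workload on each node. Add `resources: {requests: {cpu: 10m, memory: 16Mi}, limits: {memory: 32Mi}}` and `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` to the container (plus `runAsNonRoot: true` if the image's default user is non-root — verify), and delete the DaemonSet once the nodes have the image rather than leaving it in place. The image is pulled from the `default` project's registry namespace (`.../5000/default/...`) into `cp4i`, which needs a cross-project pull grant; presumably `regcred` provides that, and a comment saying so would save the next reader a debugging session.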
@@ -3,6 +3,9 @@ kind: ServiceAccount metadata: name: cp4i-tekton-service-account namespace: cp4i +imagePullSecrets: + - name: regcred + - name: ibm-entitlement-key secrets: - name: regcred - name: ibm-entitlement-key From 7f22f4c839ab0e02a8c16ce36a460b499bce022e Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Fri, 24 Nov 2023 10:33:21 -0600 Subject: [PATCH 09/12] Update kaniko version and fix image pull secrets Signed-off-by: Trevor Dolby --- tekton/10-maven-ace-build-task.yaml | 2 +- .../01-ace-minimal-image-build-and-push-task.yaml | 2 +- .../02-ace-minimal-build-image-build-and-push-task.yaml | 2 +- tekton/service-account.yaml | 2 ++ tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml | 2 +- 5 files changed, 6 insertions(+), 4 deletions(-) diff --git a/tekton/10-maven-ace-build-task.yaml b/tekton/10-maven-ace-build-task.yaml index f0eb760..c63a502 100644 --- a/tekton/10-maven-ace-build-task.yaml +++ b/tekton/10-maven-ace-build-task.yaml @@ -74,7 +74,7 @@ spec: - mountPath: /work name: work - name: docker-build-and-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" diff --git a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml index 0eb6f4d..60491bf 100644 --- a/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/01-ace-minimal-image-build-and-push-task.yaml @@ -37,7 +37,7 @@ spec: - mountPath: /work name: work - name: ace-minimal-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" 
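Review bot: Replacing the pinned `gcr.io/kaniko-project/executor:v0.16.0` with `:latest` leaves the builder image unpinned: this `docker-build-and-push` step runs as root (via the `stepTemplate` from patch 05/11) and receives the registry credentials through `DOCKER_CONFIG`, so an upstream tag move changes what executes with those secrets on every run. Pin to a release tag, preferably with a digest, `image: gcr.io/kaniko-project/executor:v<release>@sha256:<digest>`, and record the reason for leaving v0.16.0 in the commit message. The same substitution is made in the 01, 02 and temp-db2 tasks in this patch; the `DOCKER_CONFIG` env and the rest of the step continue outside the hunk.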
diff --git a/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml b/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml index 9acdc6e..031a6e2 100644 --- a/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml +++ b/tekton/minimal-image-build/02-ace-minimal-build-image-build-and-push-task.yaml @@ -33,7 +33,7 @@ spec: - mountPath: /work name: work - name: ace-minimal-build-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" diff --git a/tekton/service-account.yaml b/tekton/service-account.yaml index 700cef4..e812ece 100644 --- a/tekton/service-account.yaml +++ b/tekton/service-account.yaml @@ -2,6 +2,8 @@ apiVersion: v1 kind: ServiceAccount metadata: name: ace-tekton-service-account +imagePullSecrets: + - name: regcred secrets: - name: regcred diff --git a/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml b/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml index 203da72..9b228e5 100644 --- a/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml +++ b/tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml @@ -136,7 +136,7 @@ spec: - mountPath: /work name: work - name: docker-build-and-push - image: gcr.io/kaniko-project/executor:v0.16.0 + image: gcr.io/kaniko-project/executor:latest # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential env: - name: "DOCKER_CONFIG" From 87b2e8f862a53d54747b937c8c718d2188e38787 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Fri, 24 Nov 2023 11:41:26 -0600 Subject: [PATCH 10/12] Fix permissions Signed-off-by: Trevor Dolby --- tekton/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tekton/Dockerfile b/tekton/Dockerfile index 1e526e4..83977a9 100644 --- a/tekton/Dockerfile +++ b/tekton/Dockerfile 
@@ -33,6 +33,10 @@ RUN chown -R aceuser:mqbrkrs /tmp/* && \ # Kaniko seems to chmod this directory 755 by mistake sometimes, which causes trouble later RUN chmod 1777 /tmp +# This seems to be needed for OpenShift support due to random +# userids at runtime +RUN chmod -R 777 /home/aceuser/ace-server || /bin/true + USER aceuser # We're in an internal pipeline From 1270d6da2a20394ef82e243ef18666ddf4040dd5 Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Sun, 26 Nov 2023 21:03:00 -0600 Subject: [PATCH 11/12] Updates for permissions-related fixes Signed-off-by: Trevor Dolby --- tekton/10-maven-ace-build-task.yaml | 8 ++++++++ tekton/Dockerfile | 5 ++--- tekton/tea-tekton-deployment.yaml | 1 + 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/tekton/10-maven-ace-build-task.yaml b/tekton/10-maven-ace-build-task.yaml index c63a502..0d1ba6c 100644 --- a/tekton/10-maven-ace-build-task.yaml +++ b/tekton/10-maven-ace-build-task.yaml @@ -3,6 +3,14 @@ kind: Task metadata: name: maven-ace-build spec: + # The security and environment settings are needed for OpenShift in a non-default + # namespace such as cp4i. Kaniko is expecting to be root in the container. + stepTemplate: + securityContext: + runAsUser: 0 + env: + - name: "HOME" + value: "/tekton/home" params: - name: dockerRegistry type: string diff --git a/tekton/Dockerfile b/tekton/Dockerfile index 83977a9..d0d795d 100644 --- a/tekton/Dockerfile +++ b/tekton/Dockerfile @@ -33,9 +33,8 @@ RUN chown -R aceuser:mqbrkrs /tmp/* && \ # Kaniko seems to chmod this directory 755 by mistake sometimes, which causes trouble later RUN chmod 1777 /tmp -# This seems to be needed for OpenShift support due to random -# userids at runtime -RUN chmod -R 777 /home/aceuser/ace-server || /bin/true +# This seems to be needed for OpenShift support due to random userids at runtime +RUN chmod -R 777 /home/aceuser/ace-server /var/mqsi || /bin/true USER aceuser 
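Review bot: `chmod -R 777 /home/aceuser/ace-server /var/mqsi` makes the server's configuration and work directories world-writable for every user in the container, not just for the arbitrary OpenShift UID the comment is solving for. OpenShift's arbitrary UIDs always run with GID 0, so the supported pattern is group ownership: `RUN chgrp -R 0 /home/aceuser/ace-server /var/mqsi && chmod -R g=u /home/aceuser/ace-server /var/mqsi`. The `|| /bin/true` also hides a failure of the whole command; if one of the paths may legitimately be absent, test for it explicitly instead of swallowing every error. This line supersedes the one added in patch 10, which has the same problem.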
diff --git a/tekton/tea-tekton-deployment.yaml b/tekton/tea-tekton-deployment.yaml index d51fef5..248434c 100644 --- a/tekton/tea-tekton-deployment.yaml +++ b/tekton/tea-tekton-deployment.yaml @@ -25,6 +25,7 @@ spec: image: DOCKER_REGISTRY/tea-tekton:latest ports: - containerPort: 7800 + imagePullPolicy: Always volumeMounts: - name: secret-volume-2 mountPath: /var/run/secrets/jdbc From e2f074767c58f6403ad9a8bf62f20ad71f6bb15d Mon Sep 17 00:00:00 2001 From: Trevor Dolby Date: Mon, 27 Nov 2023 12:22:57 -0600 Subject: [PATCH 12/12] Non-default namespace changes Signed-off-by: Trevor Dolby --- serverless/knative-service-account.yaml | 1 - serverless/tea-tekton-knative-service.yaml | 3 +- .../ace-minimal-build-image-pipeline-run.yaml | 2 +- .../os/ace-minimal-image-pipeline-run.yaml | 2 +- tekton/os/ace-scc.yaml | 36 +++++++++++++++++++ tekton/os/service-account.yaml | 32 +++++++++++++++++ tekton/os/tea-tekton-route.yaml | 1 - tekton/service-account.yaml | 2 -- tekton/tea-tekton-deployment.yaml | 2 ++ 9 files changed, 74 insertions(+), 7 deletions(-) create mode 100644 tekton/os/ace-scc.yaml create mode 100644 tekton/os/service-account.yaml diff --git a/serverless/knative-service-account.yaml b/serverless/knative-service-account.yaml index d4b6232..6497a4b 100644 --- a/serverless/knative-service-account.yaml +++ b/serverless/knative-service-account.yaml @@ -9,4 +9,3 @@ roleRef: subjects: - kind: ServiceAccount name: ace-tekton-service-account - namespace: default diff --git a/serverless/tea-tekton-knative-service.yaml b/serverless/tea-tekton-knative-service.yaml index c1feff8..5f1b5e4 100644 --- a/serverless/tea-tekton-knative-service.yaml +++ b/serverless/tea-tekton-knative-service.yaml @@ -2,7 +2,6 @@ apiVersion: serving.knative.dev/v1 kind: Service metadata: name: tea-tekton-knative - namespace: default spec: template: spec: 
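Review bot: `imagePullPolicy: Always` paired with the `DOCKER_REGISTRY/tea-tekton:latest` tag on the line above means every pod restart or reschedule pulls whatever `latest` is at that moment, so replicas of one Deployment can run different builds and a rollback has no fixed artifact to return to. Have the pipeline tag the image immutably (pipeline run id or git SHA) and patch that tag, or better a `@sha256:` digest, into the Deployment; `Always` is only a reasonable default while the tag stays mutable. Only the container image and ports are visible here; the rest of the pod spec is outside the hunk.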
@@ -10,6 +9,8 @@ spec: - name: secret-volume-2 secret: secretName: jdbc-secret + imagePullSecrets: + - name: regcred containers: - name: tea-tekton-knative image: DOCKER_REGISTRY/tea-tekton:latest diff --git a/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml b/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml index d7fce0d..4cd4ad8 100644 --- a/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml +++ b/tekton/minimal-image-build/os/ace-minimal-build-image-pipeline-run.yaml @@ -3,7 +3,7 @@ kind: PipelineRun metadata: name: ace-minimal-build-image-pipeline-run-1 spec: - serviceAccountName: cp4i-tekton-service-account + serviceAccountName: ace-tekton-service-account pipelineRef: name: ace-minimal-build-image-pipeline params: diff --git a/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml b/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml index ae90de7..f5493b5 100644 --- a/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml +++ b/tekton/minimal-image-build/os/ace-minimal-image-pipeline-run.yaml @@ -3,7 +3,7 @@ kind: PipelineRun metadata: name: ace-minimal-image-pipeline-run-1 spec: - serviceAccountName: cp4i-tekton-service-account + serviceAccountName: ace-tekton-service-account pipelineRef: name: ace-minimal-image-pipeline params: diff --git a/tekton/os/ace-scc.yaml b/tekton/os/ace-scc.yaml new file mode 100644 index 0000000..0638b6a --- /dev/null +++ b/tekton/os/ace-scc.yaml 
@@ -0,0 +1,36 @@ +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: ace-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - RunAsAny. + name: ace-scc +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: ["CHOWN", "DAC_OVERRIDE","FOWNER","SETFCAP","SETGID","SETUID"] +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret \ No newline at end of file diff --git a/tekton/os/service-account.yaml b/tekton/os/service-account.yaml new file mode 100644 index 0000000..228daea --- /dev/null +++ b/tekton/os/service-account.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ace-tekton-service-account +imagePullSecrets: + - name: regcred +secrets: + - name: regcred +--- + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pipeline-role +rules: +- apiGroups: ["extensions", "apps", "appconnect.ibm.com", "", "v1"] + resources: ["services", "deployments", "pods", "integrationservers", "pods/exec", "integrationruntimes"] + verbs: ["get", "create", "update", "patch", "list", "delete", "exec", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pipeline-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pipeline-role +subjects: +- kind: ServiceAccount + name: ace-tekton-service-account diff --git a/tekton/os/tea-tekton-route.yaml b/tekton/os/tea-tekton-route.yaml index a21d674..baf3679 100644 
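Review bot: `allowedCapabilities` grants CHOWN, DAC_OVERRIDE, FOWNER, SETFCAP, SETGID and SETUID, but no manifest visible in this series adds capabilities in a `securityContext` (the tasks only set `runAsUser: 0`), so this is permission surface nothing uses, and it is broader than the stock `anyuid` SCC the annotation says it replicates, which has `allowedCapabilities: null`. Set `allowedCapabilities: null` unless a specific step is shown to need one, and document that need next to it. The SCC also has no `users:` entry and nothing in this patch binds it to `ace-tekton-service-account`; record how it is granted (`oc adm policy add-scc-to-user ace-scc -z ace-tekton-service-account -n <ns>`, or a Role with `use` on this SCC) so that `priority: 10` does not end up applying it more widely than intended. The file also lacks a trailing newline.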
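Review bot: In `pipeline-role`, `"v1"` in `apiGroups` is not an API group (the core group is the `""` already listed) and `"exec"` is not an RBAC verb — `pods/exec` is used via `create` on that subresource — so both entries are inert and suggest the rule was widened by trial. Split the single rule into per-group rules with only the verbs each resource needs; `delete` on every resource is likely more than a build pipeline requires, so verify against what the tasks actually call. The `extensions` group stopped serving these resources in Kubernetes 1.16 and can be dropped. The rewrite below keeps the current effective permissions while removing the inert entries.

```yaml
rules:
- apiGroups: [""]
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["appconnect.ibm.com"]
  resources: ["integrationservers", "integrationruntimes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# … unchanged: RoleBinding …
```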
--- a/tekton/os/tea-tekton-route.yaml +++ b/tekton/os/tea-tekton-route.yaml @@ -2,7 +2,6 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: tea-route - namespace: default spec: host: tea-route-default.apps.openshift.mycompany.com to: diff --git a/tekton/service-account.yaml b/tekton/service-account.yaml index e812ece..497b8bb 100644 --- a/tekton/service-account.yaml +++ b/tekton/service-account.yaml @@ -12,7 +12,6 @@ secrets: kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - namespace: default name: pipeline-role rules: - apiGroups: ["extensions", "apps", ""] @@ -32,4 +31,3 @@ roleRef: subjects: - kind: ServiceAccount name: ace-tekton-service-account - namespace: default diff --git a/tekton/tea-tekton-deployment.yaml b/tekton/tea-tekton-deployment.yaml index 248434c..e101de7 100644 --- a/tekton/tea-tekton-deployment.yaml +++ b/tekton/tea-tekton-deployment.yaml @@ -20,6 +20,8 @@ spec: - name: secret-volume-2 secret: secretName: jdbc-secret + imagePullSecrets: + - name: regcred containers: - name: tea-tekton image: DOCKER_REGISTRY/tea-tekton:latest