/code-engine-toolchain-20211005202808738-tekton-catalog

Created for toolchain: https://cloud.ibm.com/devops/toolchains/fe0b46e4-1ffb-499b-9519-9a8a5f67881d?env_id=ibm:yp:us-south

Primary language: Shell. License: Apache License 2.0 (Apache-2.0).

Open-Toolchain Tekton Catalog

Catalog of Tekton Tasks usable in Continuous Delivery Tekton Pipelines

Notes:

Tasks

Cloud Foundry related tasks

  • cf-deploy-app: This task deploys a Cloud Foundry application using ibmcloud cf commands.

IBM Cloud Container Registry related tasks

IBM Cloud Code Risk Analyzer scanners related tasks

  • cra-discovery: This task accesses various source artifacts from the repository and performs deep discovery to identify all dependencies (including transitive dependencies).
  • cra-bom: This task creates a Bill-of-Material (BoM) for a given repository that captures pedigree of all the dependencies and is collected at different granularities.
  • cra-cis-check: This task runs configuration checks on Kubernetes deployment manifests.
  • cra-vulnerability-remediation: This task finds vulnerabilities in all application package dependencies, container base images and OS packages.
  • cra-comm-editor: This task creates comments on Pull Requests and opens issues regarding the bill of material and discovered vulnerabilities.
  • cra-terraform-scan: This task scans ibm-terraform-provider files for compliance issues.

IBM Cloud Devops Insights related tasks

Git related tasks

IBM Cloud Kubernetes Service related tasks

Linter related tasks

Signing - Docker Content Trust related tasks

Slack related tasks

Tester related tasks

Open-Toolchain related tasks

Breaking Changes

when moving from tag "tekton_pipeline0.10.1"

  • These tasks use kebab-case for every parameter name. So parameter pathToContext (in previous versions of the tasks) has been renamed to path-to-context, parameter clusterName has been renamed to cluster-name, and so on.

  • communication folder has been renamed to slack folder

  • Some tasks have been renamed to match the name format <category alias>-<task>, where the category alias depends on the folder containing the task:

    | Folder/Category    | Category alias |
    |--------------------|----------------|
    | cloudfoundry       | cf             |
    | container-registry | icr            |
    | devops-insights    | doi            |
    | git                | git            |
    | kubernetes-service | iks            |
    | slack              | slack          |
    | toolchain          | toolchain      |

    The new task names are listed in the following table:

    | Folder             | Old task name                   | New task name               |
    |--------------------|---------------------------------|-----------------------------|
    | container-registry | containerize-task               | icr-containerize            |
    | container-registry | cr-build-task                   | icr-cr-build                |
    | container-registry | execute-in-dind-task            | icr-execute-in-dind         |
    | container-registry | execute-in-dind-cluster-task    | icr-execute-in-dind-cluster |
    | container-registry | vulnerability-advisor-task      | icr-check-va-scan           |
    | git                | clone-repo-task                 | git-clone-repo              |
    | git                | set-commit-status               | git-set-commit-status       |
    | kubernetes-service | fetch-iks-cluster-config        | iks-fetch-config            |
    | kubernetes-service | kubernetes-contextual-execution | iks-contextual-execution    |
    | slack              | post-slack                      | slack-post-message          |

  • Tasks that use workspace(s) may have changed the expected workspace name. Here is the list of breaking changes for the expected workspace name:

    | Folder             | Task                        | Old workspace name | New workspace name    | Description |
    |--------------------|-----------------------------|--------------------|-----------------------|-------------|
    | container-registry | icr-containerize            | workspace          | source                | A workspace containing the source (Dockerfile, Docker context) to create the image |
    | container-registry | icr-cr-build                | workspace          | source                | A workspace containing the source (Dockerfile, Docker context) to create the image |
    | container-registry | icr-execute-in-dind         | workspace          | source                | A workspace containing the source (Dockerfile, Docker context) to create the image |
    | container-registry | icr-execute-in-dind-cluster | workspace          | source                | A workspace containing the source (Dockerfile, Docker context) to create the image |
    | container-registry | icr-check-va-scan           | workspace          | artifacts             | Workspace that may contain image information and will have the VA report from the VA scan after this task's execution |
    | git                | git-clone-repo              | workspace          | output                | Workspace where the git repository will be cloned into |
    | git                | git-set-commit-status       | workspace          | artifacts             | Workspace that may contain git repository information (i.e. build.properties). Should be marked as optional when Tekton will permit it |
    | kubernetes-service | iks-fetch-config            | workspace          | cluster-configuration | A workspace where the kubernetes cluster config is exported |
    | kubernetes-service | iks-contextual-execution    | workspace          | cluster-configuration | A workspace that contains the kubectl cluster config to be used |

when moving from tag "tekton_pipeline0.10.1" and/or branch "tkn_v1beta1"

  • Tasks that are expecting a secret to retrieve apikey and/or secret values have been updated to use the default secret secure-properties injected by Continuous Delivery Tekton Pipeline support. The updated tasks are:

    • icr-check-va-scan
    • icr-containerize
    • icr-cr-build
    • icr-execute-in-dind
    • icr-execute-in-dind-cluster
    • git-clone-repo
    • git-set-commit-status
    • iks-fetch-config

    Note: As a reminder, in previous versions (before secure-properties injection by CD Tekton support), the default was set to cd-secret.
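
A migration check for the breaking changes listed above, as an added example that is not part of the catalog: check_migration reads a pipeline definition on stdin (check_migration < pipeline.yaml) and reports old task names, camelCase parameter names, the old workspace name "workspace" and cd-secret references. It is a line-based heuristic rather than a YAML parser, and the sample pipeline, including the secret-name parameter and the pipeline-ws workspace, is constructed.

```shell
#!/bin/sh
# Added example, not part of the catalog. Line-based heuristic, not a YAML parser.
RENAMES='containerize-task=icr-containerize
cr-build-task=icr-cr-build
execute-in-dind-task=icr-execute-in-dind
execute-in-dind-cluster-task=icr-execute-in-dind-cluster
vulnerability-advisor-task=icr-check-va-scan
clone-repo-task=git-clone-repo
set-commit-status=git-set-commit-status
fetch-iks-cluster-config=iks-fetch-config
kubernetes-contextual-execution=iks-contextual-execution
post-slack=slack-post-message'
# Print the new name for an old task name; print nothing if it was not renamed.
new_task_name() { printf '%s\n' "$RENAMES" | sed -n "s/^$1=//p"; }

check_migration() {
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in *cd-secret*) echo "$lineno: cd-secret used; default secret is now secure-properties" ;; esac
    value=$(printf '%s\n' "$line" | sed -nE 's/^[[:space:]-]*name:[[:space:]]*"?([A-Za-z0-9_-]+)"?[[:space:]]*$/\1/p')
    [ -n "$value" ] || continue
    new=$(new_task_name "$value")
    if [ -n "$new" ]; then
      echo "$lineno: task $value -> $new"
    elif [ "$value" = workspace ]; then
      echo "$lineno: workspace name 'workspace' was renamed; see the workspace table"
    elif printf '%s\n' "$value" | grep -Eq '^[a-z][a-z0-9]*([A-Z][a-z0-9]*)+$'; then
      kebab=$(printf '%s\n' "$value" | sed -E 's/([a-z0-9])([A-Z])/\1-\2/g' | tr '[:upper:]' '[:lower:]')
      echo "$lineno: param $value -> $kebab"
    fi
  done
}
sample_pipeline() {  # constructed sample; secret-name and pipeline-ws are hypothetical
cat <<'EOF'
- name: build
  taskRef:
    name: containerize-task
  params:
    - name: pathToContext
      value: .
    - name: secret-name
      value: cd-secret
  workspaces:
    - name: workspace
      workspace: pipeline-ws
EOF
}
sample_pipeline | check_migration
```

A camelCase value under any name: key is reported as a parameter, so review each finding before renaming.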

Criteria for Code Submission

To ensure code quality, protected branches will be enabled soon, and every PR that is to be merged to master will run CI tasks for code quality. These could (and should) be set up for local development environments as well.

Code quality checks currently enabled:

  • yaml lint - using yamllint-rules.yaml as configuration file: yamllint --config-file yamllint-rules.yaml .
  • tekton task lint: tekton-lint '**/*.yaml'
  • Task definition validation: check_tasks.sh