The StoneSoup Build System is composed of the following components:
- OpenShift Pipelines
- Tekton Chains
- Tekton Results
- Pipelines as Code
- Shared Resources
- App Studio Build Service
- HACBS JVM Build Service
- PVC Cleaner
This repository installs all the components and includes a set of example scripts that simplify usage and show a working system. No additional components are needed to use the build system API; the utilities and scripts are provided only to demonstrate functionality.
## Quickstart

To try out the pre-configured build system, follow these steps.
| Step | Command |
|---|---|
| 1. Create a project for your pipeline execution. This can be run as any non-admin user (or admin) and is needed to hold your execution pipelines. | `oc new-project demo` |
| 2. Run the build-deploy example with a Quarkus app. | `MY_QUAY_USER=mkovarik ./hack/build/build-via-appstudio.sh https://github.com/devfile-samples/devfile-sample-code-with-quarkus` |
| 3. View your build on the OpenShift Console under the Pipelines page, or view the logs via the CLI. | `tkn pipelinerun logs` |
## Tests via StoneSoup

To validate execution via StoneSoup you can run the `./hack/build/build-via-appstudio.sh` script, which sets credentials and the StoneSoup application and components. Without parameters it creates example components.

```shell
export MY_QUAY_USER=mkovarik
./hack/build/build-via-appstudio.sh https://github.com/devfile-samples/devfile-sample-java-springboot-basic
```
To enable Pipelines as Code integration you need to set the `PIPELINESASCODE` environment variable to `1` and also have GitHub credentials set in your `./hack/preview.env`.

You may use either the GitHub Pipelines as Code application or a webhook. To use the GitHub application, set `PAC_GITHUB_APP_PRIVATE_KEY` and `PAC_GITHUB_APP_ID` in your `./hack/preview.env`. Alternatively, to use a GitHub webhook, set `PAC_GITHUB_TOKEN` with the required permissions, or make sure that `MY_GITHUB_TOKEN` is set and has the required permissions.

Then run:

```shell
MY_QUAY_USER=mkovarik PIPELINESASCODE=1 ./hack/build/build-via-appstudio.sh https://github.com/Michkov/devfile-sample-go-basic
```
## Change of default pipeline bundle

Pipeline bundles are generated by build-definitions. By default the bundle is defined in the `build-templates` namespace:

```shell
oc get configmap -n build-templates -o jsonpath='{ .data.default_build_bundle }' build-pipelines-defaults
```

It can be overridden by a configmap of the same name in the working namespace:

```shell
oc create configmap build-pipelines-defaults --from-literal default_build_bundle=$BUNDLE
```
## HACBS enablement

The HACBS workflow can be enabled by creating a configmap named `hacbs` in the user namespace:

```shell
oc create configmap hacbs
```

This will:

- Always use Pipelines-as-Code
- Select the bundle from the `hacbs_build_bundle` key in the `build-pipelines-defaults` configmap
## Stage Cluster integration prerequisites

Before creating a component in the Stage cluster it is necessary to install the GitHub application AppStudio Staging CI into the managed repository or into the whole GitHub organization.
## Tekton Results integration

Tekton Results is installed in the cluster. The helper script `hack/build/set-tkn-results.sh` is provided to write the configuration for the `tkn results` command.

```
# ./hack/build/set-tkn-results.sh
Configuration written to /home/myuser/.config/tkn/results.yaml
Try it: tkn results list default
```
## Shared Resources

Shared Secrets are provided to be used across projects: a secret is defined in one project but can be used by other projects.

Available secrets:

| Name | Source | Description | Access |
|---|---|---|---|
| test-team-snyk | `test-teams-snyk` secret in `test-team` namespace | Snyk token used by HACBS pipelines | users/serviceaccounts with edit role |
| redhat-appstudio-user-workload | `redhat-appstudio-user-workload` secret in `build-templates` namespace | Quay secret allowing pushes into the default AppStudio repository | users/serviceaccounts with edit role |
| redhat-appstudio-staginguser | `redhat-appstudio-staginguser` secret in `build-templates` namespace | Quay secret allowing pushes into component repositories in the redhat-appstudio org | pipeline service accounts defined in shared-resources-components.yaml |
## Repository secrets

There are three ways to provide a repository secret to a PipelineRun. By priority (1. is highest):

1. The `redhat-appstudio-registry-pull-secret` secret in the execution namespace
2. A secret linked to the `pipeline` service account in the execution namespace
3. The shared secret `redhat-appstudio-user-workload`
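As an added example (not a script from this repository), the following shell function reports which of the three sources a PipelineRun in a given execution namespace would end up using, checking them in the priority order above. It assumes a logged-in `oc`, that a user-linked secret appears in the `pipeline` service account's `.secrets` list, and that the shared secret is exposed as a cluster-scoped `SharedSecret` resource; skipping OpenShift's auto-generated `pipeline-dockercfg-*`/`pipeline-token-*` entries is this example's own choice, not documented behaviour.

```shell
#!/bin/sh
# Added example (not part of this repository): show which registry credential a
# PipelineRun in execution namespace $1 would get, checking the three sources
# in the documented priority order. Assumes a logged-in `oc`.
resolve_registry_secret() {
  ns="$1"

  # 1. Highest priority: the dedicated pull secret in the execution namespace.
  if oc get secret redhat-appstudio-registry-pull-secret -n "$ns" >/dev/null 2>&1; then
    echo "redhat-appstudio-registry-pull-secret (secret in namespace $ns)"
    return 0
  fi

  # 2. A secret linked to the `pipeline` service account (assumption: it shows
  #    up in the service account's .secrets list). OpenShift auto-generates
  #    pipeline-dockercfg-*/pipeline-token-* entries there; those are not
  #    user-provided registry credentials, so they are skipped.
  linked=$(oc get serviceaccount pipeline -n "$ns" \
             -o jsonpath='{.secrets[*].name}' 2>/dev/null || true)
  for name in $linked; do
    case "$name" in
      pipeline-dockercfg-*|pipeline-token-*) ;;
      *) echo "$name (linked to the pipeline service account in $ns)"; return 0 ;;
    esac
  done

  # 3. Lowest priority: the cluster-wide SharedSecret from Shared Resources.
  if oc get sharedsecret redhat-appstudio-user-workload >/dev/null 2>&1; then
    echo "redhat-appstudio-user-workload (SharedSecret)"
    return 0
  fi

  echo "no registry secret available for namespace $ns" >&2
  return 1
}

# Usage: sh resolve-registry-secret.sh <execution-namespace>
if [ $# -gt 0 ]; then
  resolve_registry_secret "$1"
fi
```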
## Use SharedSecret with Tekton Chains

During the build pipeline, it is possible to use the `redhat-appstudio-user-workload` SharedSecret to specify the credentials for pushing container images. If this is used, Tekton Chains must also be configured to use the same SharedSecret. This is done by default. However, the Secret referred to by the SharedSecret may not exist at bootstrap time. This is ok: the underlying Secret can be created at a later time and/or updated as needed. The changes should be reflected automatically within the Tekton Chains Controller without requiring a Pod restart.