converted scm pipeline run to task run with 1 pod instead of 3, fixed generateName issue in brew scan, made config adjustments

k8s/stage/osh-client-tekton/task/osh-scan-scm-task.yaml

@@ -0,0 +1,103 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: osh-scan-scm-task
+spec:
+  stepTemplate:
+    env:
+      - name: "HOME"
+        value: "/tekton/home"
+  
+  params:
+  - name: repo-url
+    type: string
+    description: The SCMURL
+
+  - name: revision
+    type: string
+    description: The revision or tag
+
+  - name: mock-build-params
+    type: string
+    description: Parameters pushed to mock build
+    default: "-p snyk-only-unstable --tarball-build-script=:"
+
+  - name: archive-name
+    type: string
+    description: The name of the git archive file
+    default: $(context.taskRun.uid).tar.gz
+
+  - name: tarball-storage-dir
+    type: string
+    description: What directory the scan tar gz will be put into
+    default: /workspace/source-tars/$(context.taskRun.name)
+
+  - name: working-dir
+    type: string
+    description: Working directory for the task
+    default: /home/covscan
+
+  workspaces:
+    - name: source-tars
+      description: This workspace contains our source tar gzips for covscan and is semi-persistant
+    - name: ssl-ca-directory
+      description: Location of CA bundle for ssl verification with internal services
+
+
+  volumes:
+    - name: osh-client-kerb-vol
+      secret:
+        defaultMode: 384
+        optional: false
+        secretName: kerberos-keytab-osh
+
+    - name: osh-client-kerb-config-vol
+      configMap:
+        name: kerberos-config-osh-client
+        items:
+          - key: linux-krb5.conf
+            path: linux-krb5.conf
+        defaultMode: 384
+        optional: false
+
+    - name: osh-client-config-vol
+      configMap:
+        name: osh-client-config
+        items:
+          - key: client.conf
+            path: client.conf
+        optional: false
+
+  steps:
+    - name: perform-osh-scm-scan
+      image: quay.io/pct-security/osh-wrapper-client:latest
+      workingDir: $(params.working-dir)
+
+      volumeMounts:
+        - name: osh-client-kerb-vol
+          mountPath: /kerberos
+          readOnly: true
+
+        - name: osh-client-config-vol
+          mountPath: /etc/osh/client.conf
+          readOnly: true
+          subPath: client.conf
+
+        - name: osh-client-kerb-config-vol
+          mountPath: /etc/krb5.conf
+          readOnly: true
+          subPath: linux-krb5.conf
+
+      script: |
+        #!/bin/bash
+        echo $(params.working-dir)
+        echo $(params.repo-url)
+        echo $(params.revision)
+        echo $(params.mock-build-params)
+        echo $(params.archive-name)
+        git clone -v $(params.repo-url) -b $(params.revision)
+        git --git-dir=$(basename $(params.repo-url) .git)/.git archive --format=tar.gz HEAD -o $(params.working-dir)/$(params.archive-name)
+        mkdir $(params.tarball-storage-dir)
+        cp $(params.working-dir)/$(params.archive-name) $(params.tarball-storage-dir)/
+        
+        covscan mock-build $(params.mock-build-params) $(params.working-dir)/$(params.archive-name)

src/main/java/com/redhat/pctsec/tekton/TaskHandler.java

@@ -1,14 +1,8 @@
 package com.redhat.pctsec.tekton;
-import com.redhat.pctsec.model.RequestType;
 import com.redhat.pctsec.model.ScanTask;
 import com.redhat.pctsec.model.ScanTaskState;
 import io.fabric8.kubernetes.api.model.ConfigMapVolumeSource;
 import io.fabric8.kubernetes.api.model.PersistentVolumeClaimVolumeSource;
-import io.fabric8.kubernetes.api.model.PodSecurityContext;
-import io.fabric8.kubernetes.api.model.PodSecurityContextBuilder;
-import io.fabric8.tekton.client.DefaultTektonClient;
-import io.fabric8.tekton.client.TektonClient;
-import io.fabric8.tekton.client.DefaultTektonClient;
 import io.fabric8.tekton.client.TektonClient;
 import io.fabric8.tekton.pipeline.v1beta1.*;
 
@@ -17,9 +11,10 @@ import io.quarkus.vertx.ConsumeEvent;
 import io.smallrye.common.annotation.Blocking;
 import jakarta.inject.Inject;
 
-import org.apache.commons.lang3.RandomStringUtils;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
+import org.apache.commons.compress.utils.FileNameUtils;
+
 import java.util.ArrayList;
 import java.util.List;
 
@@ -27,13 +22,13 @@ public class TaskHandler {
 
     @ConfigProperty(name = "quarkus.openshift.namespace")
     String NAMESPACE;
-    @ConfigProperty(name = "tekton.pipeline.ref")
+    @ConfigProperty(name = "tekton.scmscan.task.ref")
-    String PIPELINE_REFERENCE;
+    String SCM_SCAN_REFERENCE;
     @ConfigProperty(name = "tekton.service-account")
     String SERVICE_ACCOUNT;
 
-    @ConfigProperty(name = "tekton.task.ref")
+    @ConfigProperty(name = "tekton.brewscan.task.ref")
-    String TASK_REFERENCE;
+    String BREW_SCAN_TASK_REFERENCE;
 
     @Inject
     TektonClient tektonClient;
@@ -71,12 +66,14 @@ public class TaskHandler {
         String scanProfile = "snyk-only-unstable";
 
         // random taskrun name generating for now
-        TaskRun taskRun = new TaskRunBuilder().withNewMetadata().withName("osh-scan-taskrun-" + RandomStringUtils.randomAlphanumeric(8).toLowerCase())
+        TaskRun taskRun = new TaskRunBuilder()
+                .withNewMetadata()
+                .withGenerateName("osh-brew-scan-taskrun-")
                 .endMetadata()
                 .withNewSpec()
                 .withServiceAccountName(SERVICE_ACCOUNT)
                 .withNewTaskRef()
-                .withName(TASK_REFERENCE)
+                .withName(BREW_SCAN_TASK_REFERENCE)
                 .endTaskRef()
                 .withParams(
                         new Param("buildId", new ArrayOrString(buildId)),
@@ -91,49 +88,40 @@ public class TaskHandler {
 
     public String invokeOshScmScanPipeline(String repo, String ref, String mockBuildArgs) {
 
-        PodSecurityContext securityContext = new PodSecurityContextBuilder()
-                .withRunAsNonRoot(true)
-                .withRunAsUser(65532L)
-                .build();
-
-        WorkspaceBinding sourcesWorkspaceBinding = new WorkspaceBindingBuilder()
-                .withName("sources")
-                .withPersistentVolumeClaim(new PersistentVolumeClaimVolumeSource("osh-client-sources", null))
-                .build();
-
         WorkspaceBinding sourceTarsWorkspaceBinding = new WorkspaceBindingBuilder()
-                .withName("source-tars")
+            .withName("source-tars")
-                .withPersistentVolumeClaim(new PersistentVolumeClaimVolumeSource("osh-client-source-tars", null))
+            .withPersistentVolumeClaim(new PersistentVolumeClaimVolumeSource("osh-client-source-tars", null))
-                .build();
+            .build();
 
         WorkspaceBinding sslCaDirectoryWorkspaceBinding = new WorkspaceBindingBuilder()
-                .withName("ssl-ca-directory")
+            .withName("ssl-ca-directory")
-                .withConfigMap(new ConfigMapVolumeSource(null, null, "config-trusted-cabundle", null))
+            .withConfigMap(new ConfigMapVolumeSource(null, null, "config-trusted-cabundle", null))
-                .build();
+            .build();
-
+        
         List<WorkspaceBinding> workspaceBindings = new ArrayList<>();
-        workspaceBindings.add(sourcesWorkspaceBinding);
         workspaceBindings.add(sourceTarsWorkspaceBinding);
         workspaceBindings.add(sslCaDirectoryWorkspaceBinding);
 
-        PipelineRun pipelineRun = new PipelineRunBuilder()
+        TaskRun taskRun = new TaskRunBuilder()
-                .withNewMetadata().withName("osh-scm-scan-" + RandomStringUtils.randomAlphanumeric(8).toLowerCase()).endMetadata()
+        .withNewMetadata()
-                .withNewSpec()
+        .withGenerateName("osh-scm-scan-taskrun-")
-                .withNewPodTemplate()
+        .endMetadata()
-                .withSecurityContext(securityContext)
+        .withNewSpec()
-                .endPodTemplate()
+        .withServiceAccountName(SERVICE_ACCOUNT)
-                .withServiceAccountName(SERVICE_ACCOUNT)
+        .withNewTaskRef()
-                .withNewPipelineRef().withName(PIPELINE_REFERENCE).endPipelineRef()
+        .withName(SCM_SCAN_REFERENCE)
-                .addNewParam().withName("repo-url").withNewValue(repo).endParam()
+        .endTaskRef()
-                .addNewParam().withName("revision").withNewValue(ref).endParam()
+        .addNewParam().withName("repo-url").withNewValue(repo).endParam()
-                .addNewParam().withName("mock-build-params").withNewValue(mockBuildArgs).endParam()
+        .addNewParam().withName("revision").withNewValue(ref).endParam()
-                .withWorkspaces(workspaceBindings)
+        .addNewParam().withName("mock-build-params").withNewValue(mockBuildArgs).endParam()
-                .endSpec()
+        .addNewParam().withName("archive-name").withNewValue(FileNameUtils.getBaseName(repo) + "-" + ref + ".tar.gz").endParam()
-                .build();
+        .withWorkspaces(workspaceBindings)
+        .endSpec()
+        .build();
 
-        tektonClient.v1beta1().pipelineRuns().inNamespace(NAMESPACE).resource(pipelineRun).create();
+        tektonClient.v1beta1().taskRuns().inNamespace(NAMESPACE).resource(taskRun).create();
 
-        return pipelineRun.getMetadata().getName();
+        return taskRun.getMetadata().getName();
     }
 
 

src/main/resources/application.properties

@@ -128,8 +128,8 @@ quarkus.arc.remove-unused-beans=false
 ##########################################
 #   Tekton Specifics (Used in app)       #
 ##########################################
-tekton.pipeline.ref=osh-client-from-source
+tekton.scmscan.task.ref=osh-scan-scm-task
-tekton.task.ref=osh-scan-task
+tekton.brewscan.task.ref=osh-scan-task
 tekton.service-account=${quarkus.openshift.service-account}
 
 ##########################################