Clean up of yaml files before kustomization

See
a9d9ca49bf
for the original repo these are ported from

hack/stage-debug-pod.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: image-debug-with-mount
+  namespace: pct-security-tooling
+spec:
+  serviceAccountName: deployer
+  containers:
+  - command:
+    - /bin/sh
+    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7f0ed1d2500a005e8e134920085ec6b28770b915b0449d45c4a44fbec818f33f
+    name: debug-with-mount
+    volumeMounts:
+      - name: osh-wrapper
+        mountPath: /mounts/kerberos
+      - name: osh-wrapper-config-vol
+        mountPath: /mounts/wraper-config
+      - name: osh-client-sources
+        mountPath: /mounts/osh-client-sources
+      - name: osh-client-tgz
+        mountPath: /mounts/osh-client-tgz
+    resources: {}
+    securityContext: {}
+    stdin: true
+    stdinOnce: true
+    tty: true
+  restartPolicy: Never
+  volumes:
+      - name: osh-wrapper
+        secret:
+          defaultMode: 384
+          optional: false
+          secretName: kerberos-keytab-osh
+      - configMap:
+          defaultMode: 384
+          items:
+            - key: linux-krb5.conf
+              path: linux-krb5.conf
+          name: kerberos-config
+          optional: false
+        name: osh-wrapper-config-vol
+      - name: osh-client-sources
+        persistentVolumeClaim:
+          claimName: osh-client-sources
+      - name: osh-client-tgz
+        persistentVolumeClaim:
+          claimName: osh-client-source-tars
+

k8s/stage/osh-client-tekton/osh-client-config.yaml

@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+  name: kerberos-config-osh-client
+  namespace: pct-security-tooling
+data:
+  linux-krb5.conf: |
+    includedir /etc/krb5.conf.d/
+
+    # depending on your config, you may wish to uncomment the following:
+    # includedir /var/lib/sss/pubconf/krb5.include.d/
+
+    [libdefaults]
+      default_realm = IPA.REDHAT.COM
+      dns_lookup_realm = true
+      dns_lookup_kdc = true
+      rdns = false
+      dns_canonicalize_hostname = false
+      ticket_lifetime = 24h
+      forwardable = true
+      udp_preference_limit = 1
+      default_ccache_name = FILE:/tmp/krb5cc_%{uid}
+      max_retries = 1
+      kdc_timeout = 1500
+
+    [realms]
+
+        REDHAT.COM = {
+            default_domain = redhat.com
+            dns_lookup_kdc = true
+            master_kdc = kerberos.corp.redhat.com
+            admin_server = kerberos.corp.redhat.com
+        }
+
+        IPA.REDHAT.COM = {
+           default_domain = ipa.redhat.com
+           dns_lookup_kdc = true
+           # Trust tickets issued by legacy realm on this host
+           auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
+           auth_to_local = DEFAULT
+        }
+    #DO NOT ADD A [domain_realms] section
+    #https://mojo.redhat.com/docs/DOC-1166841
+
+---
+#oc create configmap osh-client-config --from-file=client.conf --dry-run=client -o yaml > osh-client-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: osh-client-config
+  namespace: pct-security-tooling
+data:
+  client.conf: |+
+    # client config file for covscan
+
+    # Hub XML-RPC address.
+    HUB_URL = "https://cov01.lab.eng.brq2.redhat.com/covscanhub/xmlrpc"
+    BREW_URL = "https://brewhub.engineering.redhat.com/brewhub"
+    KOJI_URL = "https://koji.fedoraproject.org/kojihub"
+    KOJI_PROFILES = "brew,koji"
+
+    CIM_SERVER = "cov01.lab.eng.brq2.redhat.com"
+    CIM_PORT = "8080"
+
+    DEFAULT_MOCKCONFIG = "fedora-rawhide-x86_64"
+
+    # Hub authentication method: "krbv", "password", or "gssapi"
+    AUTH_METHOD = "krbv"
+    KRB_REALM = "IPA.REDHAT.COM"
+
+    # Kerberos principal. If commented, default principal obtained by kinit is used.
+    KRB_PRINCIPAL = "HTTP/osh-pct-security-tooling.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM"
+
+    # Kerberos keytab file.
+    KRB_KEYTAB = "/kerberos/kerberos-keytab-osh"
+
+    # Enables XML-RPC verbose flag
+    DEBUG_XMLRPC = 0

k8s/stage/osh-client-tekton/osh-client-from-source-pipeline-run.yaml

@@ -0,0 +1,99 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: osh-client-from-source-run-
+    #openshift.io/scc: pipelines-scc
+
+spec:
+  serviceAccountName: osh-wrapper-client-sa
+  podTemplate:
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65532
+  pipelineRef:
+    name: osh-client-from-source
+  params:
+  - name: repo-url
+    value: https://code.engineering.redhat.com/gerrit/messaging/activemq-artemis.git
+
+  - name: revision
+    value: amq-broker-7.11
+
+  workspaces:
+    - name: sources
+      persistentVolumeClaim:
+        claimName: osh-client-sources
+    - name: source-tars
+      persistentVolumeClaim:
+        claimName: osh-client-source-tars
+    - name: ssl-ca-directory
+      configmap:
+        name: config-trusted-cabundle
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: osh-client-from-source-run-
+    #openshift.io/scc: pipelines-scc
+
+spec:
+  serviceAccountName: osh-wrapper-client-sa
+  podTemplate:
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65532
+  pipelineRef:
+    name: osh-client-from-source
+  params:
+  - name: repo-url
+    value: https://code.engineering.redhat.com/gerrit/quarkusio/quarkus.git
+
+  - name: revision
+    value: 2.13.8.Final-redhat-00001
+
+  workspaces:
+    - name: sources
+      persistentVolumeClaim:
+        claimName: osh-client-sources
+    - name: source-tars
+      persistentVolumeClaim:
+        claimName: osh-client-source-tars
+    - name: ssl-ca-directory
+      configmap:
+        name: config-trusted-cabundle
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: osh-client-from-source-run-
+    #openshift.io/scc: pipelines-scc
+
+spec:
+  serviceAccountName: osh-wrapper-client-sa
+  podTemplate:
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65532
+  pipelineRef:
+    name: osh-client-from-source
+  params:
+  - name: repo-url
+    value: https://code.engineering.redhat.com/gerrit/quarkusio/quarkus-platform.git 
+
+  - name: revision
+    value: 6a13a9fe4e5526bee4a8ea5e425d89945bea1c17
+
+  workspaces:
+    - name: sources
+      persistentVolumeClaim:
+        claimName: osh-client-sources
+    - name: source-tars
+      persistentVolumeClaim:
+        claimName: osh-client-source-tars
+    - name: ssl-ca-directory
+      configmap:
+        name: config-trusted-cabundle
+
+
+

k8s/stage/osh-client-tekton/osh-client-pvc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: osh-client-sources
+  namespace: pct-security-tooling
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: dynamic-nfs
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: osh-client-source-tars
+  namespace: pct-security-tooling
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: dynamic-nfs
+  volumeMode: Filesystem
+

k8s/stage/osh-client-tekton/pipline/osh-client-from-source-pipeline.yaml

@@ -0,0 +1,98 @@
+#requires running `tkn hub install task "git-cli"` first 
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: osh-client-from-source
+spec:
+  description: This pipeline clones a repo, git archives it then sends it to covscan to be scanned with snyk
+  params:
+
+  - name: repo-url
+    description: The SCMURL
+    type: string
+
+  - name: revision
+    description: The revision or tag
+    type: string
+
+  - name: archive-name
+    description: The name of the git archive file
+    type: string
+    default: $(context.pipelineRun.uid).tar.gz
+
+  workspaces:
+    - name: sources
+      description: This workspace contains our cloned sources and is temporary
+    - name: source-tars
+      description: This workspace contains our source tar gzips for covscan and is semi-persistant
+    - name: ssl-ca-directory
+      description: Location of CA bundle for ssl verification with internal services
+
+
+  tasks:
+    - name: clone
+      taskRef:
+        name: git-clone
+      workspaces:
+        - name: output
+          workspace: sources
+          subPath: $(context.pipelineRun.name)
+        - name: ssl-ca-directory
+          workspace: ssl-ca-directory
+      params:
+        - name: url
+          value: $(params.repo-url)
+        - name: revision
+          value: $(params.revision)
+        - name: verbose
+          value: true
+
+    - name: archive
+      runAfter:
+        - clone
+      taskRef:
+        name: git-cli
+      workspaces:
+        - name: source
+          workspace: sources
+          subPath: $(context.pipelineRun.name)
+        - name: source-tars
+          workspace: source-tars
+          subPath: $(context.pipelineRun.name)
+      params:
+        - name: USER_HOME
+          value: /home/git
+        - name: archive-name
+          value: $(params.archive-name)
+        - name: GIT_SCRIPT
+          value: |
+            git config --global --add safe.directory /workspace/source
+            git archive --format=tar.gz HEAD -o /workspace/source-tars/$(params.archive-name)
+
+            #results:
+            #- name: archive-name
+            #description: The name of the tar.gz we created
+
+    - name: covscan
+      params:
+        - name: targz-file
+          value: $(params.archive-name)
+      runAfter:
+        - archive
+      taskRef:
+        name: osh-scan-task-from-source
+      workspaces:
+        - name: source-tars
+          workspace: source-tars
+          subPath: $(context.pipelineRun.name)
+  finally:
+    - name: cleanup-workspace
+      params:
+        - name: clear-dir
+          value: $(context.pipelineRun.name)
+      taskRef:
+        name: cleanup-workspace
+      workspaces:
+        - name: sources
+          workspace: sources
+          #Note we don't provide a subpath, this way we can contain the whole folder

k8s/stage/osh-client-tekton/task/osh-client-from-source-clearup-workspace.yaml

@@ -0,0 +1,25 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: cleanup-workspace
+spec:
+  params:
+  - name: cleanup
+    type: string
+    default: true
+    description: Should we actually cleanup the sources dir
+  - name: clear-dir
+    type: string
+ 
+  workspaces:
+    - name: sources
+      description: Where we checked out our sources
+
+  steps:
+    - name: perform-buildid-scan
+      image: registry.access.redhat.com/ubi9/ubi:9.2-696
+
+      script: |
+        #!/bin/bash
+        echo "Clearing up sources form $(params.clear-dir)"
+        rm -rv /workspace/sources/$(params.clear-dir)

k8s/stage/osh-client-tekton/task/osh-client-from-source.yaml

@@ -0,0 +1,78 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: osh-scan-task-from-source
+spec:
+  stepTemplate:
+    env:
+      - name: "HOME"
+        value: "/tekton/home"
+  params:
+  - name: targz-file
+    type: string
+    default: "source.tar.gz"
+    description: The filename of the tar.gz we'll be uploading to covscan
+
+  - name: scan-profile
+    type: string
+    description: The scan profile we will use
+    default: "snyk-only-unstable"
+
+  - name: tarball-build-script
+    type: string
+    description: Parameters to be passed to tarball-build-script
+    default: ":"
+
+  volumes:
+    - name: osh-client-kerb-vol
+      secret:
+        defaultMode: 292
+        optional: false
+        secretName: kerberos-keytab-osh
+
+    - name: osh-client-kerb-config-vol
+      configMap:
+        name: kerberos-config-osh-client
+        items:
+          - key: linux-krb5.conf
+            path: linux-krb5.conf
+        defaultMode: 292
+        optional: false
+
+    - name: osh-client-config-vol
+      configMap:
+        name: osh-client-config
+        items:
+          - key: client.conf
+            path: client.conf
+        optional: false
+
+  workspaces:
+    - name: source-tars
+      description: source tar gzips are kept here
+
+  steps:
+    - name: perform-buildid-scan
+      image: quay.io/pct-security/osh-wrapper-client:latest
+      workingDir: /home/covscan
+      volumeMounts:
+        - name: osh-client-kerb-vol
+          mountPath: /kerberos
+          readOnly: true
+
+        - name: osh-client-config-vol
+          mountPath: /etc/osh/client.conf
+          readOnly: true
+          subPath: client.conf
+
+        - name: osh-client-kerb-config-vol
+          mountPath: /etc/krb5.conf
+          readOnly: true
+          subPath: linux-krb5.conf
+
+      script: |
+        #!/bin/bash
+        echo $(params.scan-profile)
+        echo $(params.tarball-build-script)
+        echo $(params.targz-file)
+        covscan mock-build -p $(params.scan-profile) --tarball-build-script=$(params.tarball-build-script) /workspace/source-tars/$(params.targz-file)

k8s/stage/osh-client-tekton/task/osh-client-git-cli-modified.yaml

@@ -0,0 +1,146 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  annotations:
+    tekton.dev/categories: Git
+    tekton.dev/displayName: git cli
+    tekton.dev/pipelines.minVersion: 0.21.0
+    tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le
+    tekton.dev/tags: git
+  creationTimestamp: "2023-06-20T22:58:05Z"
+  generation: 2
+  labels:
+    app.kubernetes.io/version: "0.4"
+    hub.tekton.dev/catalog: tekton
+  name: git-cli
+  namespace: pct-security-tooling
+  resourceVersion: "3453559180"
+  uid: 95fc93dd-8780-41ab-9477-b698762dc1de
+spec:
+  description: |-
+    This task can be used to perform git operations.
+    Git command that needs to be run can be passed as a script to the task. This task needs authentication to git in order to push after the git operation.
+  params:
+  - default: cgr.dev/chainguard/git:root-2.39@sha256:7759f87050dd8bacabe61354d75ccd7f864d6b6f8ec42697db7159eccd491139
+    description: |
+      The base image for the task.
+    name: BASE_IMAGE
+    type: string
+  - default: ""
+    description: |
+      Git user name for performing git operation.
+    name: GIT_USER_NAME
+    type: string
+  - default: ""
+    description: |
+      Git user email for performing git operation.
+    name: GIT_USER_EMAIL
+    type: string
+  - default: |
+      git help
+    description: The git script to run.
+    name: GIT_SCRIPT
+    type: string
+  - default: /root
+    description: |
+      Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden
+      the gitInitImage param with an image containing custom user configuration.
+    name: USER_HOME
+    type: string
+  - default: "true"
+    description: Log the commands that are executed during `git-clone`'s operation.
+    name: VERBOSE
+    type: string
+  results:
+  - description: The precise commit SHA after the git operation.
+    name: commit
+    type: string
+  - name: archive-name
+    type: string
+    description: The archive name produced by the git archive
+  steps:
+  - env:
+    - name: HOME
+      value: $(params.USER_HOME)
+    - name: PARAM_VERBOSE
+      value: $(params.VERBOSE)
+    - name: PARAM_USER_HOME
+      value: $(params.USER_HOME)
+    - name: WORKSPACE_OUTPUT_PATH
+      value: $(workspaces.output.path)
+    - name: WORKSPACE_SSH_DIRECTORY_BOUND
+      value: $(workspaces.ssh-directory.bound)
+    - name: WORKSPACE_SSH_DIRECTORY_PATH
+      value: $(workspaces.ssh-directory.path)
+    - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
+      value: $(workspaces.basic-auth.bound)
+    - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
+      value: $(workspaces.basic-auth.path)
+    image: $(params.BASE_IMAGE)
+    name: git
+    resources: {}
+    script: |
+      #!/usr/bin/env sh
+      set -eu
+
+      if [ "${PARAM_VERBOSE}" = "true" ] ; then
+        set -x
+      fi
+
+      if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
+        cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
+        cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
+        chmod 400 "${PARAM_USER_HOME}/.git-credentials"
+        chmod 400 "${PARAM_USER_HOME}/.gitconfig"
+      fi
+
+      if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
+        cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
+        chmod 700 "${PARAM_USER_HOME}"/.ssh
+        chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
+      fi
+
+      # Setting up the config for the git.
+      git config --global user.email "$(params.GIT_USER_EMAIL)"
+      git config --global user.name "$(params.GIT_USER_NAME)"
+
+      eval '$(params.GIT_SCRIPT)'
+
+      RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')"
+      EXIT_CODE="$?"
+      if [ "$EXIT_CODE" != 0 ]
+      then
+        exit $EXIT_CODE
+      fi
+      # Make sure we don't add a trailing newline to the result!
+      printf "%s" "$RESULT_SHA" > "$(results.commit.path)"
+    workingDir: $(workspaces.source.path)
+  workspaces:
+  - description: custom source tar location
+    name: source-tars
+  - description: A workspace that contains the fetched git repository.
+    name: source
+  - description: |
+      An optional workspace that contains the files that need to be added to git. You can
+      access the workspace from your script using `$(workspaces.input.path)`, for instance:
+
+        cp $(workspaces.input.path)/file_that_i_want .
+        git add file_that_i_want
+        # etc
+    name: input
+    optional: true
+  - description: |
+      A .ssh directory with private key, known_hosts, config, etc. Copied to
+      the user's home before git commands are executed. Used to authenticate
+      with the git remote when performing the clone. Binding a Secret to this
+      Workspace is strongly recommended over other volume types.
+    name: ssh-directory
+    optional: true
+  - description: |
+      A Workspace containing a .gitconfig and .git-credentials file. These
+      will be copied to the user's home before any git commands are run. Any
+      other files in this Workspace are ignored. It is strongly recommended
+      to use ssh-directory over basic-auth whenever possible and to bind a
+      Secret to this Workspace over other volume types.
+    name: basic-auth
+    optional: true

k8s/stage/osh-client-tekton/task/osh-scan-task.yaml

@@ -0,0 +1,63 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: osh-scan-task
+spec:
+  stepTemplate:
+    env:
+      - name: "HOME"
+        value: "/tekton/home"
+  params:
+  - name: buildId
+    type: string
+  - name: scanProfile
+    type: string
+
+  volumes:
+    - name: osh-client-kerb-vol
+      secret:
+        defaultMode: 384
+        optional: false
+        secretName: kerberos-keytab-osh
+
+    - name: osh-client-kerb-config-vol
+      configMap:
+        name: kerberos-config-osh-client
+        items:
+          - key: linux-krb5.conf
+            path: linux-krb5.conf
+        defaultMode: 384
+        optional: false
+
+    - name: osh-client-config-vol
+      configMap:
+        name: osh-client-config
+        items:
+          - key: client.conf
+            path: client.conf
+        optional: false
+
+  steps:
+    - name: perform-buildid-scan
+      image: quay.io/pct-security/osh-wrapper-client:latest
+      workingDir: /home/covscan
+      volumeMounts:
+        - name: osh-client-kerb-vol
+          mountPath: /kerberos
+          readOnly: true
+
+        - name: osh-client-config-vol
+          mountPath: /etc/osh/client.conf
+          readOnly: true
+          subPath: client.conf
+
+        - name: osh-client-kerb-config-vol
+          mountPath: /etc/krb5.conf
+          readOnly: true
+          subPath: linux-krb5.conf
+
+      script: |
+        #!/bin/bash
+        echo $(params.buildId)
+        echo $(params.scanProfile)
+        covscan mock-build -p $(params.scanProfile) --brew-build $(params.buildId)