joejstuart · joejstuart · Feb 17, 2022 · Feb 21, 2022 · Feb 21, 2022 · Feb 22, 2022
diff --git a/.ci/pipelines-as-code/kustomization.yaml b/.ci/pipelines-as-code/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+- pipelines-as-code.yaml
+- tasks/tekton-chains-tasks.yaml
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+
diff --git a/.ci/pipelines-as-code/pipelines-as-code.yaml b/.ci/pipelines-as-code/pipelines-as-code.yaml
@@ -0,0 +1,7 @@
+apiVersion: pipelinesascode.tekton.dev/v1alpha1
+kind: Repository
+metadata:
+  name: infra-deployments-ci-pac
+  namespace: infra-deployments-ci
+spec:
+  url: https://github.com/redhat-appstudio/infra-deployments
diff --git a/.ci/pipelines-as-code/serviceaccount.yaml b/.ci/pipelines-as-code/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pipeline
diff --git a/.ci/pipelines-as-code/tasks/tekton-chains-tasks.yaml b/.ci/pipelines-as-code/tasks/tekton-chains-tasks.yaml
@@ -0,0 +1,38 @@
+apiVersion: tekton.dev/v1beta1
+kind: ClusterTask
+metadata:
+  name: verify-taskrun-signature
+spec:
+  params:
+    - name: task-url
+      type: string
+      description: The url to a task to run
+      default:  https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml
+  workspaces:
+    - name: source
+  steps:
+    - name: cosign-taskrun
+      image: quay.io/redhat-appstudio/appstudio-utils:latest
+      script: |
+        #!/usr/bin/env bash
+        oc create -f $(params.task-url)
+
+        counter=0
+        timeout=30
+        while [ `tkn tr describe --last -o  jsonpath='{.status.conditions[0].reason}'` != 'Succeeded' ] || [ $counter -gt $timeout ];
+        do
+          echo "waiting for taskRun to finish"
+          sleep 1
+          counter=$((counter+1))
+        done
+
+        if [ $counter -gt $timeout ]; then
+          echo "exiting with error"
+          exit 1
+        fi
+
+        export TASKRUN_UID=$(tkn tr describe --last -o  jsonpath='{.metadata.uid}')
+        tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature
+        tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload
+        cosign verify-blob --key k8s://tekton-chains/signing-secrets --signature ./signature ./payload
+
diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml
@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: infra-deployments-pull-request
+  annotations:
+    pipelinesascode.tekton.dev/on-event: "[pull_request]"
+    pipelinesascode.tekton.dev/on-target-branch: "[main]"
+    pipelinesascode.tekton.dev/max-keep-runs: "2"
+spec:
+  params:
+    - name: repo_url
+      value: "{{repo_url}}"
+    - name: revision
+      value: "{{revision}}"
+  pipelineSpec:
+    params:
+      - name: repo_url
+        type: string
+      - name: revision
+        type: string
+    tasks:
+      - name: git-clone
+        params:
+          - name: url
+            value: $(params.repo_url)
+          - name: revision
+            value: $(params.revision)
+        taskRef:
+          kind: ClusterTask
+          name: git-clone
+        workspaces:
+          - name: output
+            workspace: source
+      - name: test-tekton-chains
+        runAfter:
+          - git-clone
+        taskRef:
+          kind: ClusterTask
+          name: verify-taskrun-signature
+        workspaces:
+          - name: source
+            workspace: source
+    workspaces:
+      - name: source
+  serviceAccountName: pipeline
+  workspaces:
+    - name: source
+      persistentVolumeClaim:
+        claimName: app-studio-default-workspace
+      subPath: infra-deployments-{{revision}}
diff --git a/argo-cd-apps/base/infra-deployments-ci.yaml b/argo-cd-apps/base/infra-deployments-ci.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infra-deployments-ci
+
+spec:
+  project: default
+
+  source:
+    path: .ci/pipelines-as-code
+    repoURL: https://github.com/redhat-appstudio/infra-deployments.git
+  destination:
+    namespace: infra-deployments-ci
+    server: https://kubernetes.default.svc
+
+  syncPolicy:
+
+    # Comment this out if you want to manually trigger deployments (using the 
+    # Argo CD Web UI or Argo CD CLI), rather than automatically deploying on
+    # every new Git commit to your directory.
+    automated: 
+      prune: true
+      selfHeal: true
+
+    syncOptions:
+    - CreateNamespace=true
+
+    retry:
+      limit: -1 # number of failed sync attempt retries; unlimited number of attempts if less than 0
+      backoff:
+        duration: 10s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h")
+        factor: 2 # a factor to multiply the base duration after each failed retry
+        maxDuration: 3m # the maximum amount of time allowed for the backoff strategy
diff --git a/argo-cd-apps/base/kustomization.yaml b/argo-cd-apps/base/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - authentication.yaml
 - has.yaml
 - spi.yaml
+- infra-deployments-ci.yaml
 
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

diff --git a/argo-cd-apps/overlays/development/repo-overlay.yaml b/argo-cd-apps/overlays/development/repo-overlay.yaml
@@ -6,8 +6,8 @@ metadata:
     - resources-finalizer.argocd.argoproj.io
 spec:
   source: # This will be replaced with a reference to your fork of this repo (see hack/patch-apps-for-dev.sh)
-    repoURL: https://github.com/redhat-appstudio/infra-deployments.git
-    targetRevision: main
+    repoURL: https://github.com/joejstuart/infra-deployments.git
+    targetRevision: chains-ci-task
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -17,8 +17,8 @@ metadata:
     - resources-finalizer.argocd.argoproj.io
 spec:
   source:
-    repoURL: https://github.com/redhat-appstudio/infra-deployments.git
-    targetRevision: main
+    repoURL: https://github.com/joejstuart/infra-deployments.git
+    targetRevision: chains-ci-task
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -28,8 +28,8 @@ metadata:
     - resources-finalizer.argocd.argoproj.io
 spec:
   source:
-    repoURL: https://github.com/redhat-appstudio/infra-deployments.git
-    targetRevision: main
+    repoURL: https://github.com/joejstuart/infra-deployments.git
+    targetRevision: chains-ci-task
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -39,5 +39,16 @@ metadata:
     - resources-finalizer.argocd.argoproj.io
 spec:
   source:
-    repoURL: https://github.com/redhat-appstudio/infra-deployments.git
-    targetRevision: main
+    repoURL: https://github.com/joejstuart/infra-deployments.git
+    targetRevision: chains-ci-task
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infra-deployments-ci
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  source:
+    repoURL: https://github.com/joejstuart/infra-deployments.git
+    targetRevision: chains-ci-task
diff --git a/notes b/notes
@@ -0,0 +1 @@
+