From b0ef0d1cf0fea952c26a7badf8ca09c5e725f792 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Mon, 6 Apr 2026 20:22:30 +0000 Subject: [PATCH 01/38] Red Hat Konflux update ambient-code-backend-main Signed-off-by: red-hat-konflux --- ...mbient-code-backend-main-pull-request.yaml | 586 ++++++++++++++++++ .tekton/ambient-code-backend-main-push.yaml | 583 +++++++++++++++++ 2 files changed, 1169 insertions(+) create mode 100644 .tekton/ambient-code-backend-main-pull-request.yaml create mode 100644 .tekton/ambient-code-backend-main-push.yaml diff --git a/.tekton/ambient-code-backend-main-pull-request.yaml b/.tekton/ambient-code-backend-main-pull-request.yaml new file mode 100644 index 000000000..11835840f --- /dev/null +++ b/.tekton/ambient-code-backend-main-pull-request.yaml 
@@ -0,0 +1,586 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "./components/backend/***".pathChanged() || ".tekton/ambient-code-backend-main-pull-request.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-backend-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-backend-main-on-pull-request + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/backend + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-backend-main + workspaces: + - 
name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/ambient-code-backend-main-push.yaml b/.tekton/ambient-code-backend-main-push.yaml new file mode 100644 index 000000000..fc7e692c3 --- /dev/null +++ b/.tekton/ambient-code-backend-main-push.yaml 
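Review bot: The PipelineRun sets neither `hermetic` nor `prefetch-input` in spec.params, so build-container runs with the pipelineSpec defaults of `hermetic: "false"` and an empty prefetch, which means the buildah step has network access during the build and whatever the Dockerfile fetches at build time is not declared as a prefetched artifact alongside the source. The pipeline already supports the stricter mode: add `- name: hermetic` / `value: "true"` to spec.params together with a `prefetch-input` matching the backend's package manager (the backend's language is not visible in this hunk, so the exact prefetch spec is left to the author), and confirm the build still passes before relying on it. The same omission is present in `.tekton/ambient-code-backend-main-push.yaml`, the second file in this patch. Separately, the on-cel-expression watches the repository-root `"Dockerfile"` while this build uses `components/backend/Dockerfile` (path-context plus dockerfile); changes to that file are already covered by the `./components/backend/***` glob, so the root-Dockerfile term looks stale and could be dropped or pointed at the path actually built.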
@@ -0,0 +1,583 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "./components/backend/***".pathChanged() || ".tekton/ambient-code-backend-main-push.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-backend-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-backend-main-on-push + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/backend + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-backend-main + workspaces: + - 
name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From 78f5c9d5d3c4b6022e8e723361d31a8d894dea86 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Mon, 6 Apr 2026 20:22:35 +0000 Subject: [PATCH 02/38] Red Hat Konflux update ambient-code-frontend-main Signed-off-by: red-hat-konflux --- ...bient-code-frontend-main-pull-request.yaml | 586 ++++++++++++++++++ .tekton/ambient-code-frontend-main-push.yaml | 583 +++++++++++++++++ 2 files changed, 1169 insertions(+) create mode 100644 .tekton/ambient-code-frontend-main-pull-request.yaml create mode 100644 .tekton/ambient-code-frontend-main-push.yaml diff --git a/.tekton/ambient-code-frontend-main-pull-request.yaml b/.tekton/ambient-code-frontend-main-pull-request.yaml new file mode 100644 index 000000000..b17e94677 --- /dev/null +++ b/.tekton/ambient-code-frontend-main-pull-request.yaml 
@@ -0,0 +1,586 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "./components/frontend/***".pathChanged() || ".tekton/ambient-code-frontend-main-pull-request.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-frontend-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-frontend-main-on-pull-request + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/frontend + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-frontend-main + workspaces: + 
- name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/ambient-code-frontend-main-push.yaml b/.tekton/ambient-code-frontend-main-push.yaml new file mode 100644 index 000000000..495262dc4 --- /dev/null +++ b/.tekton/ambient-code-frontend-main-push.yaml 
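Review bot: The build-container task in this hunk passes `HERMETIC: $(params.hermetic)` and `PREFETCH_INPUT: $(params.prefetch-input)`, but `spec.params` at the top of the PipelineRun sets neither, so the pipeline defaults `"false"` and `""` apply and the frontend image is built with unrestricted network access and no prefetched dependency set, meaning build-time dependency fetches are neither blocked nor captured by the prefetch-dependencies step. Consider adding `- name: hermetic` / `  value: "true"` plus a `prefetch-input` entry for the frontend's package manager (`<PREFETCH_INPUT_FOR_FRONTEND>`, to be confirmed against components/frontend) to `spec.params`, or record why a non-hermetic build is accepted for this component. Separately, the `on-cel-expression` also fires on `"Dockerfile".pathChanged()` at the repository root, while `path-context: components/frontend` with `dockerfile: Dockerfile` builds from the Dockerfile inside that context (already covered by `./components/frontend/***`), so the root-level trigger looks like a template leftover unless a root Dockerfile is genuinely used. The push pipeline for the same component (the hunk starting at L32, cut off in this view) carries the same settings and should be adjusted together with this one.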
@@ -0,0 +1,583 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "./components/frontend/***".pathChanged() || ".tekton/ambient-code-frontend-main-push.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-frontend-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-frontend-main-on-push + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/frontend + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-frontend-main + workspaces: + 
- name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From 70ba1992f0c99cd2c2011abbff895c711fe1be96 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Mon, 6 Apr 2026 20:22:38 +0000 Subject: [PATCH 03/38] Red Hat Konflux update ambient-code-operator-main Signed-off-by: red-hat-konflux --- ...bient-code-operator-main-pull-request.yaml | 586 ++++++++++++++++++ .tekton/ambient-code-operator-main-push.yaml | 583 +++++++++++++++++ 2 files changed, 1169 insertions(+) create mode 100644 .tekton/ambient-code-operator-main-pull-request.yaml create mode 100644 .tekton/ambient-code-operator-main-push.yaml diff --git a/.tekton/ambient-code-operator-main-pull-request.yaml b/.tekton/ambient-code-operator-main-pull-request.yaml new file mode 100644 index 000000000..5aef174ce --- /dev/null +++ b/.tekton/ambient-code-operator-main-pull-request.yaml 
@@ -0,0 +1,586 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "./components/operator/***".pathChanged() || ".tekton/ambient-code-operator-main-pull-request.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-operator-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-operator-main-on-pull-request + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/operator + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-operator-main + workspaces: + 
- name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/ambient-code-operator-main-push.yaml b/.tekton/ambient-code-operator-main-push.yaml new file mode 100644 index 000000000..524335bb0 --- /dev/null +++ b/.tekton/ambient-code-operator-main-push.yaml 
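Review bot: The PipelineRun's `spec.params` near the top of the hunk override `output-image`, `dockerfile` and `path-context` but leave `hermetic` at its `"false"` default and `prefetch-input` empty, so the operator image is built with unrestricted network access and `CACHI2_ARTIFACT` carries no prefetched, checksummed dependency set for `build-container` or `sast-coverity-check` to consume. To get the hermetic, trusted-artifact build the pipeline description advertises, add `- name: hermetic` / `value: "true"` and `- name: prefetch-input` with the cachi2 spec for this component (if `components/operator` is a Go module that is the `gomod` type with `path` pointing at that directory); expect the first hermetic run to fail until every dependency is declared. The same defaults are repeated in the push pipeline hunk that follows, which produces the image that actually ships, so the gap matters more there. Separately, the `on-cel-expression` also triggers on the repo-root `"Dockerfile".pathChanged()` even though the build uses `components/operator/Dockerfile`, which the `./components/operator/***` glob already covers; dropping that clause avoids rebuilding this component on unrelated root changes.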
@@ -0,0 +1,583 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "./components/operator/***".pathChanged() || ".tekton/ambient-code-operator-main-push.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-operator-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-operator-main-on-push + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/operator + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-operator-main + workspaces: + 
- name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From ac9edd579e1b3b1a2ee5ca08b2b67d996331fb78 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Mon, 6 Apr 2026 20:22:42 +0000 Subject: [PATCH 04/38] Red Hat Konflux update ambient-code-public-api-main Signed-off-by: red-hat-konflux --- ...ent-code-public-api-main-pull-request.yaml | 586 ++++++++++++++++++ .../ambient-code-public-api-main-push.yaml | 583 +++++++++++++++++ 2 files changed, 1169 insertions(+) create mode 100644 .tekton/ambient-code-public-api-main-pull-request.yaml create mode 100644 .tekton/ambient-code-public-api-main-push.yaml diff --git a/.tekton/ambient-code-public-api-main-pull-request.yaml b/.tekton/ambient-code-public-api-main-pull-request.yaml new file mode 100644 index 000000000..188b10b7f --- /dev/null +++ b/.tekton/ambient-code-public-api-main-pull-request.yaml 
@@ -0,0 +1,586 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "./components/public-api/***".pathChanged() || ".tekton/ambient-code-public-api-main-pull-request.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-public-api-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-public-api-main-on-pull-request + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/public-api + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-public-api-main + workspaces: 
+ - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/ambient-code-public-api-main-push.yaml b/.tekton/ambient-code-public-api-main-push.yaml new file mode 100644 index 000000000..ef9f2ee8b --- /dev/null +++ b/.tekton/ambient-code-public-api-main-push.yaml 
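Review bot: `spec.params` in this PipelineRun sets only git-url, revision, output-image, image-expires-after, dockerfile and path-context, so `hermetic` stays at its default `"false"` and `prefetch-input` at `""`, meaning the build-container step runs with network access and no prefetched, locked dependency set. If the release policy for this component expects hermetic builds, add `- name: hermetic` / `value: "true"` together with a suitable `prefetch-input` under `spec.params`; otherwise a short comment recording why the non-hermetic default is accepted would help the next reader. The `on-cel-expression` also triggers on the repository-root `Dockerfile`, but the `dockerfile` param is documented as a path inside `path-context` (`components/public-api`), so that clause watches a file the build does not read while the `./components/public-api/***` clause already covers the component's own Dockerfile; it looks removable, or should name the file actually built if a root Dockerfile is genuinely used. The service account here, `build-pipeline-ambient-code-public-api-main`, matches the component label, whereas the backend pull-request file from patch 01 earlier in this series names `build-pipeline-ambient-code-operator-main` for component `ambient-code-backend-main`; that mismatch is worth checking alongside this file so each build runs under its own component's service account rather than a sibling's.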
@@ -0,0 +1,583 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "./components/public-api/***".pathChanged() || ".tekton/ambient-code-public-api-main-push.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-public-api-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-public-api-main-on-push + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/public-api + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-public-api-main + workspaces: 
+ - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From 2d9a3ca7b5dd077eb3636dc7c94351b773ad0d7b Mon Sep 17 00:00:00 2001 From: Matthew Knop Date: Tue, 7 Apr 2026 11:07:51 -0600 Subject: [PATCH 05/38] removing label vendor value --- components/ambient-api-server/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/components/ambient-api-server/Dockerfile b/components/ambient-api-server/Dockerfile index 110c7919d..baf339cae 100644 --- a/components/ambient-api-server/Dockerfile +++ b/components/ambient-api-server/Dockerfile @@ -31,7 +31,6 @@ EXPOSE 8000 ENTRYPOINT ["/usr/local/bin/ambient-api-server", "serve"] LABEL name="ambient-api-server" \ - vendor="Ambient" \ version="0.0.1" \ summary="Ambient API Server" \ description="REST API server for the Ambient Code Platform" From b44e31ed73c8e1347c80027abb15b8ebbc117301 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Mon, 6 Apr 2026 20:22:45 +0000 Subject: [PATCH 06/38] Red Hat Konflux update ambient-code-ambient-api-server-main Signed-off-by: red-hat-konflux --- ...-ambient-api-server-main-pull-request.yaml | 586 ++++++++++++++++++ ...ent-code-ambient-api-server-main-push.yaml | 583 +++++++++++++++++ 2 files changed, 1169 insertions(+) create mode 100644 .tekton/ambient-code-ambient-api-server-main-pull-request.yaml create mode 100644 .tekton/ambient-code-ambient-api-server-main-push.yaml diff --git a/.tekton/ambient-code-ambient-api-server-main-pull-request.yaml b/.tekton/ambient-code-ambient-api-server-main-pull-request.yaml new file mode 100644 index 000000000..eda1e0c37 --- /dev/null +++ b/.tekton/ambient-code-ambient-api-server-main-pull-request.yaml 
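Review bot: The `enable-cache-proxy` entry under `pipelineSpec.params` is the only parameter without a `type: string` line (it carries only `default`, `description` and `name`); Tekton treats an untyped param as a string, so it works, but adding `type: string` keeps the list uniform and makes the contract explicit. Separately, `hermetic` and `prefetch-input` keep their defaults of `"false"` and `""` and `spec.params` does not override them, so this push build, which produces the image tagged with the commit revision, runs with network access and no prefetched, verified dependencies; if the component can be built hermetically, set `- name: hermetic` / `value: "true"` plus a `prefetch-input` for its dependency manager in `spec.params`. The trigger expression also lists `"Dockerfile".pathChanged()`, which names a repository-root file while this component is built from `components/public-api/Dockerfile` (already covered by the `./components/public-api/***` clause); confirm whether the root clause is intended. The ambient-api-server pull-request pipeline added later in this series repeats the same shape.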
@@ -0,0 +1,586 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "./components/ambient-api-server/***".pathChanged() || ".tekton/ambient-code-ambient-api-server-main-pull-request.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-ambient-api-server-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-ambient-api-server-main-on-pull-request + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/ambient-api-server + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-ambient-api-server-main + 
workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/ambient-code-ambient-api-server-main-push.yaml b/.tekton/ambient-code-ambient-api-server-main-push.yaml new file mode 100644 index 000000000..5ec12ba05 --- /dev/null +++ b/.tekton/ambient-code-ambient-api-server-main-push.yaml 
@@ -0,0 +1,583 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "./components/ambient-api-server/***".pathChanged() || ".tekton/ambient-code-ambient-api-server-main-push.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-ambient-api-server-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-ambient-api-server-main-on-push + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/ambient-api-server + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:2229dbc5e15acc0a6d8aec526465aeb0ad54e269c311ac3d0aba88013845e308 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:cad04a0f4464283714c23940ef6052753821eff7544ec282e2a4707aa264aaf3 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:3fa26d2c0768329c2df93c646bf5855245b74db7196ad55f83756ce22cd7f0f1 + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: 
$(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + 
- input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-ambient-api-server-main + 
workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From f91ae6e166a425b6a4ac29116decc73206f8d603 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Wed, 8 Apr 2026 15:56:50 +0000 Subject: [PATCH 07/38] Red Hat Konflux update ambient-code-ambient-runner-main Signed-off-by: red-hat-konflux --- ...code-ambient-runner-main-pull-request.yaml | 582 ++++++++++++++++++ ...ambient-code-ambient-runner-main-push.yaml | 579 +++++++++++++++++ 2 files changed, 1161 insertions(+) create mode 100644 .tekton/ambient-code-ambient-runner-main-pull-request.yaml create mode 100644 .tekton/ambient-code-ambient-runner-main-push.yaml diff --git a/.tekton/ambient-code-ambient-runner-main-pull-request.yaml b/.tekton/ambient-code-ambient-runner-main-pull-request.yaml new file mode 100644 index 000000000..0eca4e39e --- /dev/null +++ b/.tekton/ambient-code-ambient-runner-main-pull-request.yaml 
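Review bot: The push pipeline for `ambient-code-ambient-api-server-main` leaves `hermetic` at its declared default `"false"` and passes no `prefetch-input` in `spec.params`, so the build that produces the `main` image can reach the network from inside `build-container` and the `CACHI2_ARTIFACT` forwarded to `build-container`, `build-source-image` and the SAST tasks will not describe anything fetched that way. For a release-candidate build it is worth adding `- name: hermetic` / `value: "true"` beside the existing `path-context` param, together with a `prefetch-input` matching whatever package manager `components/ambient-api-server` uses (not visible in this patch), so the SBOM and provenance cover the full dependency set. Separately, this file pins `task-build-image-index:0.2` and passes it `COMMIT_SHA` and `IMAGE_EXPIRES_AFTER`, while the `ambient-runner` pipeline in the following patch pins `0.3` without those params and pins different digests for `task-prefetch-dependencies-oci-ta` and `task-buildah-oci-ta`; regenerating the per-component pipelines in one pass would keep build behaviour and future bundle bumps consistent across the repository. The `enable-cache-proxy` pipeline param also omits the `type: string` every other param declares — Tekton defaults to string, but spelling it out keeps the list uniform.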
@@ -0,0 +1,582 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "./components/runners/ambient-runner/***".pathChanged() || ".tekton/ambient-code-ambient-runner-main-pull-request.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-ambient-runner-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-ambient-runner-main-on-pull-request + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/runners/ambient-runner + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:9917d11f0a38c844184042d504b3d5605c009e6e43785fa113caae8b4c99b75e + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:5375e5b9f5efdb8b27ed981da7d481027a184047138232937992a7027c8bca93 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:ae3fa44f005054d4901d33413972227b5642d376968a67791535cdcc2e98473d + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in 
+ values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: 
image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + 
value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) 
+ runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-ambient-runner-main + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/ambient-code-ambient-runner-main-push.yaml b/.tekton/ambient-code-ambient-runner-main-push.yaml new file mode 100644 index 000000000..f3a55b182 
--- /dev/null
+++ b/.tekton/ambient-code-ambient-runner-main-push.yaml
@@ -0,0 +1,579 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/RedHatInsights/ambient-code-platform?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "./components/runners/ambient-runner/***".pathChanged() || ".tekton/ambient-code-ambient-runner-main-push.yaml".pathChanged() + || "Dockerfile".pathChanged() ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: ambient-code-main + appstudio.openshift.io/component: ambient-code-ambient-runner-main + pipelines.appstudio.openshift.io/type: build + name: ambient-code-ambient-runner-main-on-push + namespace: hcm-eng-prod-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: components/runners/ambient-runner + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. 
+ name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:2c388d28651457db60bb90287e7d8c3680303197196e4476878d98d81e8b6dc9 + - name: kind + value: task + resolver: bundles + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: 
$(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:9917d11f0a38c844184042d504b3d5605c009e6e43785fa113caae8b4c99b75e + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:5375e5b9f5efdb8b27ed981da7d481027a184047138232937992a7027c8bca93 + - name: kind + value: task + 
resolver: bundles + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:ae3fa44f005054d4901d33413972227b5642d376968a67791535cdcc2e98473d + - name: kind + value: task + resolver: bundles + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:362f0475df00e7dfb5f15dea0481d1b68b287f60411718d70a23da3c059a5613 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in 
+ values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: 
image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + 
value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) 
+ runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:1bc2d0f26b89259db090a47bb38217c82c05e335d626653d184adf1d196ca131 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-ambient-code-ambient-runner-main + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From 083ded9035597ab63ed69b9a44e7cdcc1b177d22 Mon Sep 17 00:00:00 2001 
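Review bot: The push pipeline for `ambient-code-ambient-runner-main` leaves `hermetic` at its default `"false"` and `prefetch-input` at `""` (neither is set in `spec.params`), so `build-container` resolves the runner's Python dependencies over the network at build time with nothing pinned by the pipeline, and the `sast-snyk-check`/`sast-coverity-check` tasks presumably receive an empty `CACHI2_ARTIFACT`. Since `output-image` lands in the tenant repository that the app-interface overlay later deploys from, I'd add `- name: hermetic` / `value: "true"` plus a `prefetch-input` describing the Python dependencies next to `path-context`, and let a failing hermetic build surface unpinned packages now rather than at release-policy time; whether the Conforma policy this tenant is bound to already requires hermetic builds is worth confirming. Separately, the trigger's `"Dockerfile".pathChanged()` refers to a repository-root Dockerfile while this build uses `components/runners/ambient-runner/Dockerfile`, which the `***` glob already covers, so that clause looks vestigial.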
From: Matthew Knop Date: Thu, 9 Apr 2026 10:18:52 -0600 Subject: [PATCH 08/38] fixing file copy to container --- components/runners/ambient-runner/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/runners/ambient-runner/Dockerfile b/components/runners/ambient-runner/Dockerfile index d95d0c679..96899768a 100755 --- a/components/runners/ambient-runner/Dockerfile +++ b/components/runners/ambient-runner/Dockerfile @@ -29,7 +29,7 @@ RUN pip3 install --break-system-packages --no-cache-dir uv==${UV_VERSION} pre-co WORKDIR /app # Copy ambient-runner package -COPY ambient-runner /app/ambient-runner +COPY . /app/ambient-runner # Install runner as a package, then remove build-only deps in same layer RUN pip3 install --break-system-packages --no-cache-dir '/app/ambient-runner[all]' && \ From f519b91b073925cf166b455f41c85c7a483eec4d Mon Sep 17 00:00:00 2001 
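Review bot: `COPY . /app/ambient-runner` now pulls the whole build context into the image layer and nothing after it prunes that copy, so anything in `components/runners/ambient-runner` that is not part of the package (a `.git` checkout, a local `.env` or virtualenv, test fixtures, developer credentials) ships in the runner image unless a `.dockerignore` excludes it, and none is visible in this series. The Konflux PipelineRun for this component sets `path-context` to `components/runners/ambient-runner`, so `.` is that directory there; a local build from the repository root copies something else entirely, which is worth a comment above the instruction. I'd either add a `.dockerignore` beside this Dockerfile or narrow the instruction to the files pip actually needs (the `pyproject.toml` and the package directory, adjusted to the real layout). The `RUN pip3 install ...` that consumes the copy continues outside the hunk.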
From: Chris Mitchell Date: Fri, 10 Apr 2026 09:19:43 -0400 Subject: [PATCH 09/38] Add app-interface overlay for AppSRE platform deployment Creates kustomize overlay for deploying to hcmais01ue1 via app-interface: - Uses Konflux images from redhat-services-prod/hcm-eng-prod-tenant - Scales down in-cluster databases (using external RDS from app-interface Phase 2) - Scales down MinIO (using external S3 from app-interface Phase 2) - Includes CRDs, RBAC, routes, and all application components - Patches operator to use Konflux runner image Co-Authored-By: Claude Sonnet 4.5 --- .../ambient-api-server-db-secret-patch.yaml | 21 ++++ .../ambient-api-server-route.yaml | 34 ++++++ .../overlays/app-interface/backend-route.yaml | 17 +++ .../overlays/app-interface/kustomization.yaml | 103 ++++++++++++++++++ .../app-interface/namespace-patch.yaml | 8 ++ .../overlays/app-interface/namespace.yaml | 12 ++ .../operator-config-openshift.yaml | 13 +++ .../operator-runner-image-patch.yaml | 13 +++ .../app-interface/public-api-route.yaml | 17 +++ .../overlays/app-interface/route.yaml | 20 ++++ 10 files changed, 258 insertions(+) create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-route.yaml create mode 100644 components/manifests/overlays/app-interface/backend-route.yaml create mode 100644 components/manifests/overlays/app-interface/kustomization.yaml create mode 100644 components/manifests/overlays/app-interface/namespace-patch.yaml create mode 100644 components/manifests/overlays/app-interface/namespace.yaml create mode 100644 components/manifests/overlays/app-interface/operator-config-openshift.yaml create mode 100644 components/manifests/overlays/app-interface/operator-runner-image-patch.yaml create mode 100644 components/manifests/overlays/app-interface/public-api-route.yaml create mode 100644 components/manifests/overlays/app-interface/route.yaml 
diff --git a/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml b/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml new file mode 100644 index 000000000..be156c45b --- /dev/null +++ b/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: ambient-api-server-db + labels: + app: ambient-api-server + component: database + annotations: + # External RDS connection managed via Vault secrets from app-interface Phase 2 + # These values will be injected by vault-secret-manager from Vault path: + # app-interface/data/ambient-code-platform/stage/rds-credentials + qontract.recycle: "true" +type: Opaque +stringData: + # Placeholders - actual values injected from Vault at runtime + db.host: "VAULT_INJECTED" + db.port: "5432" + db.name: "ambient_code" + db.user: "VAULT_INJECTED" + db.password: "VAULT_INJECTED" diff --git a/components/manifests/overlays/app-interface/ambient-api-server-route.yaml b/components/manifests/overlays/app-interface/ambient-api-server-route.yaml new file mode 100644 index 000000000..1530d558f --- /dev/null +++ b/components/manifests/overlays/app-interface/ambient-api-server-route.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: ambient-api-server + labels: + app: ambient-api-server + component: api +spec: + to: + kind: Service + name: ambient-api-server + port: + targetPort: api + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: ambient-api-server-grpc + labels: + app: ambient-api-server + component: grpc +spec: + to: + kind: Service + name: ambient-api-server + port: + targetPort: grpc + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect 
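Review bot: The header comment on the `ambient-api-server-db` Secret says the `VAULT_INJECTED` placeholders are replaced by vault-secret-manager from `app-interface/data/ambient-code-platform/stage/rds-credentials`, but nothing in this overlay references that path, so a reader cannot tell from the manifest whether injection is actually wired up; if it is not (wrong path, stage versus prod mismatch), kustomize applies the literal strings and the API server presumably fails to connect to a host named `VAULT_INJECTED`, loudly but only at runtime. I'd have the comment name the app-interface resource that performs the substitution, and state whether `db.port` and `db.name` are deliberately static or also expected from Vault, so the split between real values and placeholders is not read as an oversight.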
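Review bot: `ambient-api-server-grpc` is a `reencrypt` Route in front of a gRPC `targetPort`; as far as I recall the OpenShift router only carries gRPC end to end when HTTP/2 is enabled on the IngressController and the backend negotiates h2 via ALPN, otherwise the router speaks HTTP/1.1 to the pod and gRPC calls fail. That is cluster configuration rather than something this manifest can fix, so I'd verify it on the target cluster before anything depends on the route, and record the requirement in a comment above the Route. `insecureEdgeTerminationPolicy: Redirect` on the gRPC route is harmless but does nothing useful, since gRPC clients do not follow an HTTP redirect.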
diff --git a/components/manifests/overlays/app-interface/backend-route.yaml b/components/manifests/overlays/app-interface/backend-route.yaml new file mode 100644 index 000000000..1e64203f2 --- /dev/null +++ b/components/manifests/overlays/app-interface/backend-route.yaml @@ -0,0 +1,17 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: backend-route + labels: + app: backend-api +spec: + to: + kind: Service + name: backend-service + weight: 100 + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + wildcardPolicy: None diff --git a/components/manifests/overlays/app-interface/kustomization.yaml b/components/manifests/overlays/app-interface/kustomization.yaml new file mode 100644 index 000000000..892a04a65 --- /dev/null +++ b/components/manifests/overlays/app-interface/kustomization.yaml 
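Review bot: `backend-route` terminates TLS at the router (`termination: edge`) and forwards plaintext to `backend-service`, whereas the `ambient-api-server` routes added in the same overlay use `reencrypt`; any bearer tokens and user content passing through the backend therefore travel unencrypted between router and pod on the cluster network. The `targetPort: http` suggests the backend serves plaintext today, so if it can present a certificate (for example a service-serving cert) I'd switch to `termination: reencrypt`; if it cannot, a comment recording that edge termination is the accepted trade-off would stop the next reader from treating the inconsistency as a mistake.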
@@ -0,0 +1,103 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+ name: ambient-code-app-interface
+
+# Target namespace on hcmais01ue1 cluster
+namespace: ambient-code
+
+# Include base resources (CRDs, RBAC, core deployments, platform)
+resources:
+- ../../base
+- route.yaml
+- backend-route.yaml
+- public-api-route.yaml
+- ambient-api-server-route.yaml
+- operator-config-openshift.yaml
+
+# Patches to configure external resources
+patches:
+# Update operator to use Konflux runner image
+- path: operator-runner-image-patch.yaml
+ target:
+ kind: Deployment
+ name: agentic-operator
+# Scale down in-cluster databases to 0 (using external RDS from Phase 2)
+- target:
+ kind: Deployment
+ name: postgresql
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+- target:
+ kind: Deployment
+ name: ambient-api-server-db
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+
+# Scale down in-cluster MinIO to 0 (using external S3 from Phase 2)
+- target:
+ kind: Deployment
+ name: minio
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+
+# Scale down in-cluster Unleash to 0 (will configure external instance later)
+- target:
+ kind: Deployment
+ name: unleash
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+
+# Patch ambient-api-server-db secret to use external RDS (from Vault)
+- path: ambient-api-server-db-secret-patch.yaml
+ target:
+ kind: Secret
+ name: ambient-api-server-db
+
+# Konflux image overrides (redhat-services-prod)
+images:
+- name: quay.io/ambient_code/vteam_operator
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_operator:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_backend
+ newName: 
quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_backend:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_frontend
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_frontend:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_public_api
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_public_api:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_api_server
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_api_server:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_claude_runner
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_claude_runner:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main
+ newTag: latest
diff --git a/components/manifests/overlays/app-interface/namespace-patch.yaml b/components/manifests/overlays/app-interface/namespace-patch.yaml
new file mode 100644
index 000000000..34ecce308
--- /dev/null
+++ b/components/manifests/overlays/app-interface/namespace-patch.yaml
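Review bot: Every `images:` override in kustomization.yaml sets `newTag: latest`, so what gets deployed is whatever was last pushed to the `redhat-services-prod` repositories rather than a reviewed build; for a production overlay that bypasses image gating and makes rollback and incident reconstruction guesswork. Pinning each entry with `digest: sha256:<PLACEHOLDER>` (kustomize's `digest` field) or having app-interface supply the tag is the usual fix; the later template commit's `IMAGE_TAG` parameter shows the latter is intended, so this overlay should at least say so in a comment next to `images:`. The paired `name: ...:latest` entries look redundant with the untagged entries above them, since as far as I recall kustomize's image matcher ignores the tag when comparing names and the first matching entry has already rewritten the image. The copy in PATCH 10/38 has the same issue.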
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ambient-code
+ labels:
+ environment: stage
+ service: ambient-code-platform
diff --git a/components/manifests/overlays/app-interface/namespace.yaml b/components/manifests/overlays/app-interface/namespace.yaml
new file mode 100644
index 000000000..53a8eaca8
--- /dev/null
+++ b/components/manifests/overlays/app-interface/namespace.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ambient-code
+ labels:
+ environment: stage
+ service: ambient-code-platform
+ name: ambient-code
+ app: vteam
+ annotations:
+ app.kubernetes.io/name: ambient-code
+ app.kubernetes.io/part-of: ambient-code
diff --git a/components/manifests/overlays/app-interface/operator-config-openshift.yaml b/components/manifests/overlays/app-interface/operator-config-openshift.yaml
new file mode 100644
index 000000000..c58652bfd
--- /dev/null
+++ b/components/manifests/overlays/app-interface/operator-config-openshift.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: operator-config
+ labels:
+ app: agentic-operator
+ deployment-type: openshift
+data:
+ # Vertex AI Configuration - Enabled for standard OpenShift deployments
+ USE_VERTEX: "1"
+ CLOUD_ML_REGION: "global"
+ ANTHROPIC_VERTEX_PROJECT_ID: "ambient-code-platform"
+ GOOGLE_APPLICATION_CREDENTIALS: "/app/vertex/ambient-code-key.json"
diff --git a/components/manifests/overlays/app-interface/operator-runner-image-patch.yaml b/components/manifests/overlays/app-interface/operator-runner-image-patch.yaml
new file mode 100644
index 000000000..a6d919d98
--- /dev/null
+++ b/components/manifests/overlays/app-interface/operator-runner-image-patch.yaml
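Review bot: Neither namespace-patch.yaml nor namespace.yaml is referenced from kustomization.yaml (`resources:` lists only `../../base`, the four route files and `operator-config-openshift.yaml`, and `patches:` does not mention them), so `kustomize build` never emits a Namespace and both files are dead. They also disagree with each other (namespace.yaml adds `name` and `app` labels plus annotations that the patch lacks), so whichever is meant to be authoritative should go into `resources:` and the other be deleted; if app-interface creates the namespace itself, a comment in kustomization.yaml such as `# Namespace is created by app-interface; not managed here` would explain why none is listed. PATCH 10/38 re-adds both files with the same gap.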
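Review bot: operator-config-openshift.yaml is listed under `resources:` rather than `patches:` in kustomization.yaml, so if `../../base` already ships a ConfigMap named `operator-config` (the operator Deployment presumably reads one), `kustomize build` fails on the duplicate resource id instead of overriding it; a `patches:` entry targeting `kind: ConfigMap` / `name: operator-config` is the safe form. Separately, `GOOGLE_APPLICATION_CREDENTIALS` points at `/app/vertex/ambient-code-key.json` but nothing in this overlay mounts anything at `/app/vertex`, so unless the base Deployment already provides that volume the operator starts with Vertex enabled and fails at first credential load; a comment naming the Secret and volume expected there, e.g. `# expects Secret <PLACEHOLDER> mounted at /app/vertex by the base Deployment`, would make the dependency checkable. The copy in PATCH 10/38 has the same two gaps.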
@@ -0,0 +1,13 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: agentic-operator
+spec:
+ template:
+ spec:
+ containers:
+ - name: agentic-operator
+ env:
+ - name: AMBIENT_CODE_RUNNER_IMAGE
+ value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main:latest
diff --git a/components/manifests/overlays/app-interface/public-api-route.yaml b/components/manifests/overlays/app-interface/public-api-route.yaml
new file mode 100644
index 000000000..3d7bf1715
--- /dev/null
+++ b/components/manifests/overlays/app-interface/public-api-route.yaml
@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: public-api-route
+ labels:
+ app: public-api
+spec:
+ to:
+ kind: Service
+ name: public-api-service
+ weight: 100
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
diff --git a/components/manifests/overlays/app-interface/route.yaml b/components/manifests/overlays/app-interface/route.yaml
new file mode 100644
index 000000000..a2283a48d
--- /dev/null
+++ b/components/manifests/overlays/app-interface/route.yaml
@@ -0,0 +1,20 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: frontend-route
+ labels:
+ app: frontend
+ annotations:
+ haproxy.router.openshift.io/balance: roundrobin
+ haproxy.router.openshift.io/disable_cookies: "true"
+spec:
+ to:
+ kind: Service
+ name: frontend-service
+ weight: 100
+ port:
+ targetPort: dashboard-ui
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
From 86391186a52a6ec5d38a915841a6fba28fd92b68 Mon Sep 17 00:00:00 2001
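Review bot: operator-runner-image-patch.yaml hardcodes `AMBIENT_CODE_RUNNER_IMAGE` to `...ambient-code-ambient-runner-main:latest`; the runner is the image that executes agent sessions against user repositories, so a mutable tag here means the code running in every session can change without a manifest change or review. Pin it by digest (`...ambient-runner-main@sha256:<PLACEHOLDER>`) or derive it from the same mechanism that pins the other images. Note also that kustomize's `images:` transformer rewrites container `image` fields, not env-var values, so this string will silently diverge from the `vteam_claude_runner` override in kustomization.yaml. The copy in PATCH 10/38 has the same issue.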
From: Chris Mitchell Date: Fri, 10 Apr 2026 09:19:43 -0400 Subject: [PATCH 10/38] Add app-interface overlay for AppSRE platform deployment Creates kustomize overlay for deploying to hcmais01ue1 via app-interface: - Uses Konflux images from redhat-services-prod/hcm-eng-prod-tenant - Scales down in-cluster databases (using external RDS from app-interface Phase 2) - Scales down MinIO (using external S3 from app-interface Phase 2) - Includes CRDs, RBAC, routes, and all application components - Patches operator to use Konflux runner image Co-Authored-By: Claude Sonnet 4.5 --- .../ambient-api-server-db-secret-patch.yaml | 19 ++++ .../ambient-api-server-route.yaml | 34 ++++++ .../overlays/app-interface/backend-route.yaml | 17 +++ .../overlays/app-interface/kustomization.yaml | 103 ++++++++++++++++++ .../app-interface/namespace-patch.yaml | 8 ++ .../overlays/app-interface/namespace.yaml | 12 ++ .../operator-config-openshift.yaml | 13 +++ .../operator-runner-image-patch.yaml | 13 +++ .../app-interface/public-api-route.yaml | 17 +++ .../overlays/app-interface/route.yaml | 20 ++++ 10 files changed, 256 insertions(+) create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-route.yaml create mode 100644 components/manifests/overlays/app-interface/backend-route.yaml create mode 100644 components/manifests/overlays/app-interface/kustomization.yaml create mode 100644 components/manifests/overlays/app-interface/namespace-patch.yaml create mode 100644 components/manifests/overlays/app-interface/namespace.yaml create mode 100644 components/manifests/overlays/app-interface/operator-config-openshift.yaml create mode 100644 components/manifests/overlays/app-interface/operator-runner-image-patch.yaml create mode 100644 components/manifests/overlays/app-interface/public-api-route.yaml create mode 100644 components/manifests/overlays/app-interface/route.yaml 
diff --git a/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml b/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml
new file mode 100644
index 000000000..5d645fb19
--- /dev/null
+++ b/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ambient-api-server-db
+ labels:
+ app: ambient-api-server
+ component: database
+ annotations:
+ # External RDS credentials injected from Vault at runtime
+ qontract.recycle: "true"
+type: Opaque
+stringData:
+ # Placeholders - actual values injected from Vault at runtime
+ db.host: "VAULT_INJECTED"
+ db.port: "5432"
+ db.name: "ambient_code"
+ db.user: "VAULT_INJECTED"
+ db.password: "VAULT_INJECTED"
diff --git a/components/manifests/overlays/app-interface/ambient-api-server-route.yaml b/components/manifests/overlays/app-interface/ambient-api-server-route.yaml
new file mode 100644
index 000000000..1530d558f
--- /dev/null
+++ b/components/manifests/overlays/app-interface/ambient-api-server-route.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: ambient-api-server
+ labels:
+ app: ambient-api-server
+ component: api
+spec:
+ to:
+ kind: Service
+ name: ambient-api-server
+ port:
+ targetPort: api
+ tls:
+ termination: reencrypt
+ insecureEdgeTerminationPolicy: Redirect
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: ambient-api-server-grpc
+ labels:
+ app: ambient-api-server
+ component: grpc
+spec:
+ to:
+ kind: Service
+ name: ambient-api-server
+ port:
+ targetPort: grpc
+ tls:
+ termination: reencrypt
+ insecureEdgeTerminationPolicy: Redirect
diff --git a/components/manifests/overlays/app-interface/backend-route.yaml b/components/manifests/overlays/app-interface/backend-route.yaml
new file mode 100644
index 000000000..1e64203f2
--- /dev/null
+++ b/components/manifests/overlays/app-interface/backend-route.yaml
@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: backend-route
+ labels:
+ app: backend-api
+spec:
+ to:
+ kind: Service
+ name: backend-service
+ weight: 100
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
diff --git a/components/manifests/overlays/app-interface/kustomization.yaml b/components/manifests/overlays/app-interface/kustomization.yaml
new file mode 100644
index 000000000..892a04a65
--- /dev/null
+++ b/components/manifests/overlays/app-interface/kustomization.yaml
@@ -0,0 +1,103 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+ name: ambient-code-app-interface
+
+# Target namespace on hcmais01ue1 cluster
+namespace: ambient-code
+
+# Include base resources (CRDs, RBAC, core deployments, platform)
+resources:
+- ../../base
+- route.yaml
+- backend-route.yaml
+- public-api-route.yaml
+- ambient-api-server-route.yaml
+- operator-config-openshift.yaml
+
+# Patches to configure external resources
+patches:
+# Update operator to use Konflux runner image
+- path: operator-runner-image-patch.yaml
+ target:
+ kind: Deployment
+ name: agentic-operator
+# Scale down in-cluster databases to 0 (using external RDS from Phase 2)
+- target:
+ kind: Deployment
+ name: postgresql
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+- target:
+ kind: Deployment
+ name: ambient-api-server-db
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+
+# Scale down in-cluster MinIO to 0 (using external S3 from Phase 2)
+- target:
+ kind: Deployment
+ name: minio
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+
+# Scale down in-cluster Unleash to 0 (will configure external instance later)
+- target:
+ kind: Deployment
+ name: unleash
+ patch: |-
+ - op: replace
+ path: /spec/replicas
+ value: 0
+
+# Patch ambient-api-server-db secret to use external RDS (from Vault)
+- path: ambient-api-server-db-secret-patch.yaml
+ target:
+ kind: Secret
+ name: ambient-api-server-db
+
+# Konflux image overrides (redhat-services-prod)
+images:
+- name: quay.io/ambient_code/vteam_operator
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_operator:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_backend
+ newName: 
quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_backend:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_frontend
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_frontend:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_public_api
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_public_api:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_api_server
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_api_server:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_claude_runner
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main
+ newTag: latest
+- name: quay.io/ambient_code/vteam_claude_runner:latest
+ newName: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main
+ newTag: latest
diff --git a/components/manifests/overlays/app-interface/namespace-patch.yaml b/components/manifests/overlays/app-interface/namespace-patch.yaml
new file mode 100644
index 000000000..34ecce308
--- /dev/null
+++ b/components/manifests/overlays/app-interface/namespace-patch.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ambient-code
+ labels:
+ environment: stage
+ service: ambient-code-platform
diff --git a/components/manifests/overlays/app-interface/namespace.yaml b/components/manifests/overlays/app-interface/namespace.yaml
new file mode 100644
index 000000000..53a8eaca8
--- /dev/null
+++ b/components/manifests/overlays/app-interface/namespace.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ambient-code
+ labels:
+ environment: stage
+ service: ambient-code-platform
+ name: ambient-code
+ app: vteam
+ annotations:
+ app.kubernetes.io/name: ambient-code
+ app.kubernetes.io/part-of: ambient-code
diff --git a/components/manifests/overlays/app-interface/operator-config-openshift.yaml b/components/manifests/overlays/app-interface/operator-config-openshift.yaml
new file mode 100644
index 000000000..c58652bfd
--- /dev/null
+++ b/components/manifests/overlays/app-interface/operator-config-openshift.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: operator-config
+ labels:
+ app: agentic-operator
+ deployment-type: openshift
+data:
+ # Vertex AI Configuration - Enabled for standard OpenShift deployments
+ USE_VERTEX: "1"
+ CLOUD_ML_REGION: "global"
+ ANTHROPIC_VERTEX_PROJECT_ID: "ambient-code-platform"
+ GOOGLE_APPLICATION_CREDENTIALS: "/app/vertex/ambient-code-key.json"
diff --git a/components/manifests/overlays/app-interface/operator-runner-image-patch.yaml b/components/manifests/overlays/app-interface/operator-runner-image-patch.yaml
new file mode 100644
index 000000000..a6d919d98
--- /dev/null
+++ b/components/manifests/overlays/app-interface/operator-runner-image-patch.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: agentic-operator
+spec:
+ template:
+ spec:
+ containers:
+ - name: agentic-operator
+ env:
+ - name: AMBIENT_CODE_RUNNER_IMAGE
+ value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main:latest
diff --git a/components/manifests/overlays/app-interface/public-api-route.yaml b/components/manifests/overlays/app-interface/public-api-route.yaml
new file mode 100644
index 000000000..3d7bf1715
--- /dev/null
+++ b/components/manifests/overlays/app-interface/public-api-route.yaml
@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: public-api-route
+ labels:
+ app: public-api
+spec:
+ to:
+ kind: Service
+ name: public-api-service
+ weight: 100
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
diff --git a/components/manifests/overlays/app-interface/route.yaml b/components/manifests/overlays/app-interface/route.yaml
new file mode 100644
index 000000000..a2283a48d
--- /dev/null
+++ b/components/manifests/overlays/app-interface/route.yaml
@@ -0,0 +1,20 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: frontend-route
+ labels:
+ app: frontend
+ annotations:
+ haproxy.router.openshift.io/balance: roundrobin
+ haproxy.router.openshift.io/disable_cookies: "true"
+spec:
+ to:
+ kind: Service
+ name: frontend-service
+ weight: 100
+ port:
+ targetPort: dashboard-ui
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
From 51621546a1aa4080fad30526c55e1f43f820a4b4 Mon Sep 17 00:00:00 2001
From: Chris Mitchell Date: Sat, 11 Apr 2026 14:49:15 -0400 Subject: [PATCH 11/38] Add OpenShift Templates for AppSRE deployment Convert kustomize overlay to OpenShift Template format for app-interface SaaS deployment. Split into two templates: 1. template-operator.yaml (CRDs, ClusterRoles, operator deployment) - Operator and ambient-runner images - Cluster-scoped resources (CRDs, RBAC) - Operator deployment and its ConfigMaps 2. template-services.yaml (Application services) - Backend, frontend, public-api, ambient-api-server images - All deployments, services, routes, configmaps - Scales in-cluster services to 0 (minio, postgresql, unleash) Both templates use IMAGE_TAG parameter (auto-generated from git commit SHA) and support Konflux image gating through app-interface. This allows app-interface to use provider: openshift-template with proper parameter substitution instead of the directory provider which doesn't run kustomize build. --- .../templates/template-operator.yaml | 1601 +++++++++++++++++ .../templates/template-services.yaml | 1392 ++++++++++++++ 2 files changed, 2993 insertions(+) create mode 100644 components/manifests/templates/template-operator.yaml create mode 100644 components/manifests/templates/template-services.yaml diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml new file mode 100644 index 000000000..e7897eedd --- /dev/null +++ b/components/manifests/templates/template-operator.yaml 
@@ -0,0 +1,1601 @@ +--- +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: ambient-code-operator + annotations: + description: "Ambient Code Platform - Platform components (CRDs, RBAC, Operator)" + +parameters: +- name: IMAGE_TAG + description: "Image tag to deploy (auto-generated from git commit)" + required: true +- name: IMAGE_OPERATOR + description: "Operator image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main" + required: true +- name: IMAGE_AMBIENT_RUNNER + description: "Ambient Runner image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main" + required: true + +objects: +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: ambient-code-platform + annotations: + description: "Ambient Code Platform - AI-powered development environment" + +parameters: +- name: IMAGE_TAG + description: "Image tag to deploy (auto-generated from git commit)" + required: true +- name: IMAGE_OPERATOR + description: "Operator image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main" + required: true +- name: IMAGE_BACKEND + description: "Backend API image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main" + required: true +- name: IMAGE_FRONTEND + description: "Frontend image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main" + required: true +- name: IMAGE_PUBLIC_API + description: "Public API image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main" + required: true +- name: IMAGE_AMBIENT_API_SERVER + description: "Ambient API Server image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main" + required: true +- name: IMAGE_AMBIENT_RUNNER + 
description: "Ambient Runner image" + value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main" + required: true + + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: agenticsessions.vteam.ambient-code + spec: + group: vteam.ambient-code + names: + kind: AgenticSession + plural: agenticsessions + shortNames: + - as + singular: agenticsession + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + activeWorkflow: + description: Active workflow configuration for dynamic workflow switching + properties: + branch: + default: main + description: Branch to clone + type: string + gitUrl: + description: Git repository URL for the workflow + type: string + path: + description: Optional path within repo (for repos with multiple + workflows) + type: string + type: object + displayName: + description: A descriptive display name for the agentic session generated + from prompt and website + type: string + environmentVariables: + additionalProperties: + type: string + description: 'Key-value pairs injected as environment variables into + all pod containers (init-hydrate, runner, state-sync). Reserved + variables (SESSION_NAME, S3_ENDPOINT, S3_BUCKET, AWS_ACCESS_KEY_ID, + AWS_SECRET_ACCESS_KEY, NAMESPACE, SYNC_INTERVAL) cannot be overridden + in init-hydrate and state-sync containers. Common conventions: RUNNER_TYPE + identifies the runner framework (e.g. "claude-agent-sdk", "gemini-cli"), + RUNNER_STATE_DIR sets the framework state directory relative to + /workspace (defaults to ".claude").' + type: object + inactivityTimeout: + description: Seconds of inactivity before auto-stopping a session. + 0 disables auto-shutdown. If omitted, falls back to project-level + inactivityTimeoutSeconds, then 24h default. 
+ minimum: 0 + type: integer + initialPrompt: + description: Initial prompt used only on first SDK invocation for + brand new sessions (ignored on continuations or workflow restarts). + type: string + llmSettings: + description: LLM configuration settings + properties: + maxTokens: + default: 4000 + type: integer + model: + default: claude-3-7-sonnet-latest + type: string + temperature: + default: 0.7 + type: number + type: object + repos: + description: List of Git repositories to clone and work with + items: + properties: + autoPush: + default: false + description: When true, automatically commit and push changes + to this repository after session completion + type: boolean + branch: + default: main + description: Branch to checkout + type: string + url: + description: Git repository URL + type: string + required: + - url + type: object + type: array + stopOnRunFinished: + description: When true, automatically stop the session when the agent + completes its run (RUN_FINISHED event). Useful for one-shot tasks + triggered by automation. + type: boolean + timeout: + default: 300 + description: Timeout in seconds for the agentic session + type: integer + userContext: + description: Authenticated caller identity captured at creation time + (used for authorization and audit) + properties: + displayName: + description: Human-readable display name + type: string + groups: + description: Group memberships of the user + items: + type: string + type: array + userId: + description: Stable user identifier (from SSO, always overwritten + from auth token) + type: string + type: object + type: object + status: + properties: + completionTime: + description: Timestamp when the session reached a terminal phase. + format: date-time + type: string + conditions: + description: Detailed condition set describing reconciliation progress. 
+ items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + observedGeneration: + format: int64 + type: integer + reason: + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + type: string + required: + - type + - status + type: object + type: array + lastActivityTime: + description: Timestamp of last recorded AG-UI activity in this session. + format: date-time + type: string + observedGeneration: + description: Spec generation that the operator has fully reconciled. + format: int64 + type: integer + phase: + default: Pending + enum: + - Pending + - Creating + - Running + - Stopping + - Stopped + - Completed + - Failed + type: string + reconciledRepos: + description: Current reconciliation state for each repository. + items: + properties: + branch: + description: 'DEPRECATED: Use currentActiveBranch instead' + type: string + branches: + description: All local branches available in this repository + items: + type: string + type: array + clonedAt: + format: date-time + type: string + currentActiveBranch: + description: Currently checked out branch (polled from filesystem) + type: string + defaultBranch: + description: Default branch of the remote repository (e.g., + main, master) + type: string + name: + type: string + status: + enum: + - Cloning + - Ready + - Failed + type: string + url: + type: string + type: object + type: array + reconciledWorkflow: + description: Current reconciliation state for the active workflow. + properties: + appliedAt: + format: date-time + type: string + branch: + type: string + gitUrl: + type: string + path: + description: Optional path within the workflow repository + type: string + status: + enum: + - Cloning + - Active + - Failed + type: string + type: object + sdkRestartCount: + description: Number of times the SDK has been restarted during this + session. 
+ type: integer + sdkSessionId: + description: SDK session identifier captured for resume support. + type: string + startTime: + description: Timestamp when the session runner started executing. + format: date-time + type: string + stoppedReason: + description: Reason the session was stopped. + enum: + - user + - inactivity + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + + + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: projectsettings.vteam.ambient-code + spec: + group: vteam.ambient-code + names: + kind: ProjectSettings + plural: projectsettings + shortNames: + - ps + singular: projectsetting + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + groupAccess: + description: Group access configuration creating RoleBindings + items: + properties: + groupName: + description: Name of the group to grant access + type: string + role: + description: Role to assign to the group (admin/edit/view) + enum: + - admin + - edit + - view + type: string + required: + - groupName + - role + type: object + type: array + inactivityTimeoutSeconds: + default: 86400 + description: Default inactivity timeout for sessions in this project + (seconds). 0 disables. Overridden by session-level spec.inactivityTimeout. 
+ minimum: 0 + type: integer + repositories: + description: Git repositories configured for this project + items: + properties: + branch: + description: Optional branch override (defaults to repository's + default branch) + type: string + provider: + description: Git hosting provider (auto-detected from URL if + not specified) + enum: + - github + - gitlab + type: string + url: + description: Repository URL (HTTPS or SSH format) + type: string + required: + - url + type: object + type: array + runnerSecretsName: + description: Name of the Kubernetes Secret in this namespace that + stores runner configuration key/value pairs + type: string + required: + - groupAccess + type: object + status: + properties: + groupBindingsCreated: + description: Number of group RoleBindings successfully created + minimum: 0 + type: integer + limitRangeReady: + description: Whether the default LimitRange for CA bin-packing is + provisioned + type: boolean + scheduledSessionRBACReady: + description: Whether RBAC for scheduled session triggers is provisioned + type: boolean + type: object + type: object + x-kubernetes-validations: + - message: metadata.name must be 'projectsettings' (singleton per namespace) + rule: self.metadata.name == 'projectsettings' + served: true + storage: true + subresources: + status: {} + + + apiVersion: v1 + kind: ServiceAccount + metadata: + name: agentic-operator + namespace: ambient-code + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: agentic-operator + rules: + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions/status + verbs: + - update + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings + verbs: + - get + - list + - watch + - create + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings/status + verbs: + - update + - 
apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - create + - delete + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - create + - delete + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - get + - create + - update + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - get + - create + - delete + - apiGroups: + - "" + resources: + - limitranges + verbs: + - get + - create + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - delete + - update + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: agenticsessions-aggregate-to-admin + rules: + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions + verbs: + - '*' + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions/status + verbs: + - get + - update + - patch + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: ambient-frontend-auth + rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + 
resources: + - subjectaccessreviews + verbs: + - create + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: ambient-namespace-viewer + rules: + - apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: ambient-project-admin + rules: + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings/status + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - delete + - apiGroups: + - "" 
+ resources: + - services + verbs: + - get + - list + - watch + - delete + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - delete + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: ambient-project-edit + rules: + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions/status + verbs: + - get + - list + - watch + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings + verbs: + - get + - list + - watch + - apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - apiGroups: + - "" + resourceNames: + - ambient-runner-secrets + resources: + - secrets + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - delete + - apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: ambient-project-view + rules: 
+ - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions + - projectsettings + verbs: + - get + - list + - watch + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions/status + - projectsettings/status + verbs: + - get + - list + - watch + - apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + - services + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: backend-api + rules: + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - vteam.ambient-code + resources: + - agenticsessions/status + verbs: + - get + - update + - patch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - rbac.authorization.k8s.io + resourceNames: + - ambient-project-admin + - ambient-project-edit + - ambient-project-view + resources: + - clusterroles + verbs: + - bind + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + 
verbs: + - get + - create + - update + - patch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - create + - delete + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + - selfsubjectaccessreviews + verbs: + - create + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: projectsettings-aggregate-to-admin + rules: + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings + verbs: + - '*' + - apiGroups: + - vteam.ambient-code + resources: + - projectsettings/status + verbs: + - get + - update + - patch + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: agentic-operator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: agentic-operator + subjects: + - kind: ServiceAccount + name: agentic-operator + namespace: ambient-code + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ambient-frontend-auth + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ambient-frontend-auth + subjects: + - kind: ServiceAccount + name: frontend + 
namespace: ambient-code + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ambient-users-can-list-projects + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ambient-namespace-viewer + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + + + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: backend-api + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: backend-api + subjects: + - kind: ServiceAccount + name: backend-api + namespace: ambient-code + + + apiVersion: v1 + data: + agent-registry.json: | + [ + { + "id": "claude-agent-sdk", + "displayName": "Claude Code", + "description": "Anthropic Claude with full coding capabilities", + "framework": "claude-agent-sdk", + "provider": "anthropic", + "container": { + "image": "${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}", + "port": 8001, + "env": { + "RUNNER_TYPE": "claude-agent-sdk", + "RUNNER_STATE_DIR": ".claude" + }, + "resources": { + "requests": {"cpu": "500m", "memory": "512Mi"}, + "limits": {"cpu": "2", "memory": "8Gi"} + } + }, + "sandbox": { + "stateDir": ".claude", + "stateSyncImage": "quay.io/ambient_code/vteam_state_sync:latest", + "persistence": "s3", + "workspaceSize": "10Gi", + "terminationGracePeriod": 60, + "seed": {"cloneRepos": true, "hydrateState": true} + }, + "auth": { + "requiredSecretKeys": ["ANTHROPIC_API_KEY"], + "secretKeyLogic": "any", + "vertexSupported": true + }, + "featureGate": "" + }, + { + "id": "gemini-cli", + "displayName": "Gemini CLI", + "description": "Google Gemini coding agent with built-in file, bash, and search tools", + "framework": "gemini-cli", + "provider": "google", + "container": { + "image": "${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}", + "port": 8001, + "env": { + "RUNNER_TYPE": "gemini-cli", + "RUNNER_STATE_DIR": ".gemini" + } + }, + "sandbox": { + "stateDir": ".gemini", + "stateSyncImage": 
"quay.io/ambient_code/vteam_state_sync:latest", + "persistence": "s3", + "workspaceSize": "10Gi", + "terminationGracePeriod": 60, + "seed": {"cloneRepos": true, "hydrateState": true} + }, + "auth": { + "requiredSecretKeys": ["GEMINI_API_KEY", "GOOGLE_API_KEY"], + "secretKeyLogic": "any", + "vertexSupported": true + }, + "featureGate": "runner.gemini-cli.enabled" + } + ] + kind: ConfigMap + metadata: + name: ambient-agent-registry + namespace: ambient-code + + + apiVersion: v1 + data: + models.json: | + { + "version": 2, + "defaultModel": "claude-sonnet-4-5", + "providerDefaults": { + "anthropic": "claude-sonnet-4-5", + "google": "gemini-2.5-flash" + }, + "models": [ + { + "id": "claude-sonnet-4-5", + "label": "Claude Sonnet 4.5", + "vertexId": "claude-sonnet-4-5@20250929", + "provider": "anthropic", + "available": true, + "featureGated": false + }, + { + "id": "claude-opus-4-6", + "label": "Claude Opus 4.6", + "vertexId": "claude-opus-4-6@default", + "provider": "anthropic", + "available": true, + "featureGated": true + }, + { + "id": "claude-opus-4-5", + "label": "Claude Opus 4.5", + "vertexId": "claude-opus-4-5@20251101", + "provider": "anthropic", + "available": true, + "featureGated": false + }, + { + "id": "claude-haiku-4-5", + "label": "Claude Haiku 4.5", + "vertexId": "claude-haiku-4-5@20251001", + "provider": "anthropic", + "available": true, + "featureGated": false + }, + { + "id": "claude-sonnet-4-6", + "label": "Claude Sonnet 4.6", + "vertexId": "claude-sonnet-4-6@default", + "provider": "anthropic", + "available": true, + "featureGated": true + }, + { + "id": "gemini-2.5-flash", + "label": "Gemini 2.5 Flash", + "vertexId": "gemini-2.5-flash@default", + "provider": "google", + "available": true, + "featureGated": false + }, + { + "id": "gemini-2.5-pro", + "label": "Gemini 2.5 Pro", + "vertexId": "gemini-2.5-pro@default", + "provider": "google", + "available": true, + "featureGated": true + }, + { + "id": "gemini-2.5-flash-lite", + "label": "Gemini 2.5 
Flash Lite", + "vertexId": "gemini-2.5-flash-lite@default", + "provider": "google", + "available": true, + "featureGated": true + }, + { + "id": "gemini-2.5-flash-preview-04-17", + "label": "Gemini 2.5 Flash Preview 04.17", + "vertexId": "gemini-2.5-flash-preview-04-17@default", + "provider": "google", + "available": false, + "featureGated": true + }, + { + "id": "gemini-3.1-flash-image-preview", + "label": "Gemini 3.1 Flash Image Preview", + "vertexId": "gemini-3.1-flash-image-preview@default", + "provider": "google", + "available": false, + "featureGated": true + } + ] + } + kind: ConfigMap + metadata: + name: ambient-models + namespace: ambient-code + + + apiVersion: v1 + data: + ANTHROPIC_VERTEX_PROJECT_ID: ambient-code-platform + CLOUD_ML_REGION: global + GOOGLE_APPLICATION_CREDENTIALS: /app/vertex/ambient-code-key.json + USE_VERTEX: "1" + kind: ConfigMap + metadata: + labels: + app: agentic-operator + deployment-type: openshift + name: operator-config + namespace: ambient-code + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: agentic-operator + name: agentic-operator + namespace: ambient-code + spec: + replicas: 1 + selector: + matchLabels: + app: agentic-operator + template: + metadata: + labels: + app: agentic-operator + spec: + containers: + - args: + - --max-concurrent-reconciles=10 + - --health-probe-bind-address=:8081 + - --leader-elect=false + env: + - name: AMBIENT_CODE_RUNNER_IMAGE + value: ${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG} + - name: MAX_CONCURRENT_RECONCILES + value: "10" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: BACKEND_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: BACKEND_API_URL + value: http://backend-service:8080/api + - name: IMAGE_PULL_POLICY + value: IfNotPresent + - name: USE_VERTEX + valueFrom: + configMapKeyRef: + key: USE_VERTEX + name: operator-config + optional: true + - name: CLOUD_ML_REGION + valueFrom: + configMapKeyRef: + key: 
CLOUD_ML_REGION + name: operator-config + optional: true + - name: ANTHROPIC_VERTEX_PROJECT_ID + valueFrom: + configMapKeyRef: + key: ANTHROPIC_VERTEX_PROJECT_ID + name: operator-config + optional: true + - name: GOOGLE_APPLICATION_CREDENTIALS + valueFrom: + configMapKeyRef: + key: GOOGLE_APPLICATION_CREDENTIALS + name: operator-config + optional: true + - name: LANGFUSE_ENABLED + valueFrom: + secretKeyRef: + key: LANGFUSE_ENABLED + name: ambient-admin-langfuse-secret + optional: true + - name: LANGFUSE_HOST + valueFrom: + secretKeyRef: + key: LANGFUSE_HOST + name: ambient-admin-langfuse-secret + optional: true + - name: LANGFUSE_PUBLIC_KEY + valueFrom: + secretKeyRef: + key: LANGFUSE_PUBLIC_KEY + name: ambient-admin-langfuse-secret + optional: true + - name: LANGFUSE_SECRET_KEY + valueFrom: + secretKeyRef: + key: LANGFUSE_SECRET_KEY + name: ambient-admin-langfuse-secret + optional: true + - name: GOOGLE_OAUTH_CLIENT_ID + valueFrom: + secretKeyRef: + key: GOOGLE_OAUTH_CLIENT_ID + name: google-workflow-app-secret + optional: true + - name: GOOGLE_OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: GOOGLE_OAUTH_CLIENT_SECRET + name: google-workflow-app-secret + optional: true + - name: STATE_SYNC_IMAGE + value: quay.io/ambient_code/vteam_state_sync:latest + - name: S3_ENDPOINT + value: http://minio.ambient-code.svc:9000 + - name: S3_BUCKET + value: ambient-sessions + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: otel-collector.ambient-code.svc:4317 + - name: DEPLOYMENT_ENV + value: production + - name: VERSION + value: latest + image: ${IMAGE_OPERATOR}:${IMAGE_TAG} + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: 15 + periodSeconds: 20 + name: agentic-operator + ports: + - containerPort: 8081 + name: health + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 50m + 
+ memory: 128Mi
+ volumeMounts:
+ - mountPath: /config/models
+ name: model-manifest
+ readOnly: true
+ - mountPath: /config/registry
+ name: agent-registry
+ readOnly: true
+ restartPolicy: Always
+ serviceAccountName: agentic-operator
+ volumes:
+ - configMap:
+ name: ambient-models
+ optional: true
+ name: model-manifest
+ - configMap:
+ name: ambient-agent-registry
+ optional: true
+ name: agent-registry
+
+
diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml
new file mode 100644
index 000000000..534bc5e39
--- /dev/null
+++ b/components/manifests/templates/template-services.yaml
@@ -0,0 +1,1392 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: ambient-code-services
+ annotations:
+ description: "Ambient Code Platform - Application services"
+
+parameters:
+- name: IMAGE_TAG
+ description: "Image tag to deploy (auto-generated from git commit)"
+ required: true
+- name: IMAGE_BACKEND
+ description: "Backend API image"
+ value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main"
+ required: true
+- name: IMAGE_FRONTEND
+ description: "Frontend image"
+ value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main"
+ required: true
+- name: IMAGE_PUBLIC_API
+ description: "Public API image"
+ value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main"
+ required: true
+- name: IMAGE_AMBIENT_API_SERVER
+ description: "Ambient API Server image"
+ value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main"
+ required: true
+
+objects:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app: ambient-api-server
+ name: ambient-api-server
+ namespace: ambient-code
+
+
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: backend-api
+ namespace: ambient-code
+
+
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: frontend
+ namespace: ambient-code
+
+
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app: public-api
+ name: public-api
+ namespace: ambient-code
+
+
+ apiVersion: v1
+ data:
+ acl.yml: |
+ - claim: email
+ pattern: ^.*@(redhat\.com|ambient\.code)$
+ jwks.json: |
+ {"keys":[]}
+ kind: ConfigMap
+ metadata:
+ labels:
+ app: ambient-api-server
+ component: auth
+ name: ambient-api-server-auth
+ namespace: ambient-code
+
+
+ apiVersion: v1
+ data:
+ flags.json: |
+ {
+ "flags": [
+ {
+ "name": "runner.gemini-cli.enabled",
+ "description": "Enable Gemini CLI runner type for session creation",
+ "tags": [ + { + "type": "scope", + "value": "workspace" + } + ] + }, + { + "name": "ldap.autocomplete.enabled", + "description": "Enable LDAP user and group autocomplete for workspace sharing", + "tags": [ + { + "type": "scope", + "value": "workspace" + } + ] + }, + { + "name": "scheduled-session.reuse.enabled", + "description": "Enable reuse last session option for scheduled sessions", + "tags": [ + { + "type": "scope", + "value": "workspace" + } + ] + }, + { + "name": "jira-write", + "description": "Allow Jira MCP server to perform write operations in new sessions", + "tags": [ + { + "type": "scope", + "value": "workspace" + } + ] + } + ] + } + kind: ConfigMap + metadata: + name: ambient-flags + namespace: ambient-code + + + apiVersion: v1 + kind: Secret + metadata: + labels: + app: ambient-api-server + component: api + name: ambient-api-server + namespace: ambient-code + stringData: + sentry.key: "" + type: Opaque + + + apiVersion: v1 + kind: Secret + metadata: + annotations: + qontract.recycle: "true" + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db + namespace: ambient-code + stringData: + db.host: VAULT_INJECTED + db.name: ambient_code + db.password: VAULT_INJECTED + db.port: "5432" + db.user: VAULT_INJECTED + type: Opaque + + + apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes the ambient-api-server REST API + labels: + app: ambient-api-server + component: api + name: ambient-api-server + namespace: ambient-code + spec: + ports: + - name: api + port: 8000 + protocol: TCP + targetPort: 8000 + - name: grpc + port: 9000 + protocol: TCP + targetPort: 9000 + - name: metrics + port: 4433 + protocol: TCP + targetPort: 4433 + - name: health + port: 4434 + protocol: TCP + targetPort: 4434 + selector: + app: ambient-api-server + component: api + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db + namespace: 
ambient-code + spec: + ports: + - name: postgresql + port: 5432 + protocol: TCP + targetPort: 5432 + selector: + app: ambient-api-server + component: database + type: ClusterIP + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: backend-api + name: backend-service + namespace: ambient-code + spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app: backend-api + type: ClusterIP + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: frontend + name: frontend-service + namespace: ambient-code + spec: + ports: + - name: http + port: 3000 + protocol: TCP + targetPort: http + selector: + app: frontend + type: ClusterIP + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: minio + name: minio + namespace: ambient-code + spec: + ports: + - name: api + port: 9000 + protocol: TCP + targetPort: 9000 + - name: console + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: minio + type: ClusterIP + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: postgresql + app.kubernetes.io/name: postgresql + name: postgresql + namespace: ambient-code + spec: + ports: + - name: postgresql + port: 5432 + targetPort: postgresql + selector: + app: postgresql + type: ClusterIP + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: public-api + name: public-api-service + namespace: ambient-code + spec: + ports: + - name: http + port: 8081 + protocol: TCP + targetPort: http + selector: + app: public-api + type: ClusterIP + + + apiVersion: v1 + kind: Service + metadata: + labels: + app: unleash + app.kubernetes.io/name: unleash + name: unleash + namespace: ambient-code + spec: + ports: + - name: http + port: 4242 + targetPort: 4242 + selector: + app: unleash + type: ClusterIP + + + apiVersion: v1 + kind: LimitRange + metadata: + labels: + ambient-code.io/managed: "true" + app.kubernetes.io/managed-by: ambient-code + name: ambient-default-limits + namespace: ambient-code + spec: + 
limits: + - default: + cpu: "2" + memory: 4Gi + defaultRequest: + cpu: 250m + memory: 256Mi + type: Container + + + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db-data + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + + + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: backend-api + component: state-storage + name: backend-state-pvc + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + + + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: minio + name: minio-data + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 500Gi + + + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: postgresql + app.kubernetes.io/component: database + app.kubernetes.io/name: postgresql + name: postgresql-data + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: ambient-api-server + component: api + name: ambient-api-server + namespace: ambient-code + spec: + replicas: 1 + selector: + matchLabels: + app: ambient-api-server + component: api + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + labels: + app: ambient-api-server + component: api + spec: + containers: + - command: + - /usr/local/bin/ambient-api-server + - serve + - --db-host-file=/secrets/db/db.host + - --db-port-file=/secrets/db/db.port + - --db-user-file=/secrets/db/db.user + - --db-password-file=/secrets/db/db.password + - --db-name-file=/secrets/db/db.name + - --enable-jwt=true + - --enable-authz=false + - --jwk-cert-file=/configs/authentication/jwks.json + - --enable-https=false + - 
--api-server-bindaddress=:8000
+ - --metrics-server-bindaddress=:4433
+ - --health-check-server-bindaddress=:4434
+ - --db-sslmode=disable
+ - --db-max-open-connections=50
+ - --enable-db-debug=false
+ - --enable-metrics-https=false
+ - --http-read-timeout=5s
+ - --http-write-timeout=30s
+ - --cors-allowed-origins=*
+ - --cors-allowed-headers=X-Ambient-Project
+ - --enable-grpc=true
+ - --grpc-server-bindaddress=:9000
+ - --alsologtostderr
+ - -v=4
+ env:
+ - name: AMBIENT_ENV
+ value: development
+ image: ${IMAGE_AMBIENT_API_SERVER}:${IMAGE_TAG}
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /api/ambient
+ port: 8000
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 5
+ name: api-server
+ ports:
+ - containerPort: 8000
+ name: api
+ protocol: TCP
+ - containerPort: 4433
+ name: metrics
+ protocol: TCP
+ - containerPort: 4434
+ name: health
+ protocol: TCP
+ - containerPort: 9000
+ name: grpc
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ httpHeaders:
+ - name: User-Agent
+ value: Probe
+ path: /healthcheck
+ port: 4434
+ scheme: HTTP
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 1
+ memory: 1Gi
+ requests:
+ cpu: 200m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ volumeMounts:
+ - mountPath: /secrets/db
+ name: db-secrets
+ - mountPath: /secrets/service
+ name: app-secrets
+ - mountPath: /configs/authentication
+ name: auth-config
+ initContainers:
+ - command:
+ - /usr/local/bin/ambient-api-server
+ - migrate
+ - --db-host-file=/secrets/db/db.host
+ - --db-port-file=/secrets/db/db.port
+ - --db-user-file=/secrets/db/db.user
+ - --db-password-file=/secrets/db/db.password
+ - --db-name-file=/secrets/db/db.name
+ - --alsologtostderr
+ - -v=4
+ image: ${IMAGE_AMBIENT_API_SERVER}:${IMAGE_TAG}
+ imagePullPolicy: Always
+ name: migration
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
readOnlyRootFilesystem: false + volumeMounts: + - mountPath: /secrets/db + name: db-secrets + serviceAccountName: ambient-api-server + volumes: + - name: db-secrets + secret: + secretName: ambient-api-server-db + - name: app-secrets + secret: + secretName: ambient-api-server + - configMap: + name: ambient-api-server-auth + name: auth-config + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: ambient-api-server + component: database + strategy: + type: Recreate + template: + metadata: + labels: + app: ambient-api-server + component: database + spec: + containers: + - env: + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + key: db.user + name: ambient-api-server-db + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: ambient-api-server-db + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + key: db.name + name: ambient-api-server-db + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + image: postgres:16 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: ambient-api-server-db-data + volumes: + - name: ambient-api-server-db-data + persistentVolumeClaim: + claimName: ambient-api-server-db-data + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: backend-api + name: backend-api + namespace: ambient-code + spec: + replicas: 1 + selector: + matchLabels: + app: backend-api + strategy: + type: Recreate + template: + metadata: + labels: + app: 
backend-api + role: backend + spec: + containers: + - env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PORT + value: "8080" + - name: STATE_BASE_DIR + value: /workspace + - name: SPEC_KIT_REPO + value: ambient-code/spec-kit-rh + - name: SPEC_KIT_VERSION + value: main + - name: SPEC_KIT_TEMPLATE + value: spec-kit-template-claude-sh + - name: IMAGE_PULL_POLICY + valueFrom: + configMapKeyRef: + key: IMAGE_PULL_POLICY + name: operator-config + optional: true + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + key: GITHUB_APP_ID + name: github-app-secret + optional: true + - name: GITHUB_PRIVATE_KEY + valueFrom: + secretKeyRef: + key: GITHUB_PRIVATE_KEY + name: github-app-secret + optional: true + - name: GITHUB_CLIENT_ID + valueFrom: + secretKeyRef: + key: GITHUB_CLIENT_ID + name: github-app-secret + optional: true + - name: GITHUB_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: GITHUB_CLIENT_SECRET + name: github-app-secret + optional: true + - name: GITHUB_STATE_SECRET + valueFrom: + secretKeyRef: + key: GITHUB_STATE_SECRET + name: github-app-secret + optional: true + - name: GOOGLE_OAUTH_CLIENT_ID + valueFrom: + secretKeyRef: + key: GOOGLE_OAUTH_CLIENT_ID + name: google-workflow-app-secret + optional: true + - name: GOOGLE_OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: GOOGLE_OAUTH_CLIENT_SECRET + name: google-workflow-app-secret + optional: true + - name: OAUTH_STATE_SECRET + valueFrom: + secretKeyRef: + key: OAUTH_STATE_SECRET + name: google-workflow-app-secret + optional: true + - name: BACKEND_URL + valueFrom: + secretKeyRef: + key: BACKEND_URL + name: google-workflow-app-secret + optional: true + - name: OPERATOR_IMAGE + valueFrom: + configMapKeyRef: + key: OPERATOR_IMAGE + name: operator-config + optional: true + - name: OOTB_WORKFLOWS_REPO + value: https://github.com/ambient-code/workflows.git + - name: OOTB_WORKFLOWS_BRANCH + value: main + - name: OOTB_WORKFLOWS_PATH + value: workflows + - name: 
USE_VERTEX + valueFrom: + configMapKeyRef: + key: USE_VERTEX + name: operator-config + optional: true + - name: CLOUD_ML_REGION + valueFrom: + configMapKeyRef: + key: CLOUD_ML_REGION + name: operator-config + optional: true + - name: ANTHROPIC_VERTEX_PROJECT_ID + valueFrom: + configMapKeyRef: + key: ANTHROPIC_VERTEX_PROJECT_ID + name: operator-config + optional: true + - name: GOOGLE_APPLICATION_CREDENTIALS + valueFrom: + configMapKeyRef: + key: GOOGLE_APPLICATION_CREDENTIALS + name: operator-config + optional: true + - name: LDAP_SRV_DOMAIN + valueFrom: + configMapKeyRef: + key: LDAP_SRV_DOMAIN + name: ldap-config + optional: true + - name: LDAP_URL + valueFrom: + configMapKeyRef: + key: LDAP_URL + name: ldap-config + optional: true + - name: LDAP_BASE_DN + valueFrom: + configMapKeyRef: + key: LDAP_BASE_DN + name: ldap-config + optional: true + - name: LDAP_GROUP_BASE_DN + valueFrom: + configMapKeyRef: + key: LDAP_GROUP_BASE_DN + name: ldap-config + optional: true + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + key: LDAP_BIND_DN + name: ldap-config + optional: true + - name: LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + key: LDAP_BIND_PASSWORD + name: ldap-credentials + optional: true + - name: LDAP_CA_CERT_PATH + valueFrom: + configMapKeyRef: + key: LDAP_CA_CERT_PATH + name: ldap-config + optional: true + - name: UNLEASH_URL + valueFrom: + secretKeyRef: + key: unleash-url + name: unleash-credentials + optional: true + - name: UNLEASH_CLIENT_KEY + valueFrom: + secretKeyRef: + key: client-api-token + name: unleash-credentials + optional: true + - name: UNLEASH_ADMIN_URL + valueFrom: + secretKeyRef: + key: unleash-admin-url + name: unleash-credentials + optional: true + - name: UNLEASH_ADMIN_TOKEN + valueFrom: + secretKeyRef: + key: admin-api-token + name: unleash-credentials + optional: true + - name: UNLEASH_PROJECT + valueFrom: + secretKeyRef: + key: unleash-project + name: unleash-credentials + optional: true + - name: UNLEASH_ENVIRONMENT + 
valueFrom: + secretKeyRef: + key: unleash-environment + name: unleash-credentials + optional: true + image: ${IMAGE_BACKEND}:${IMAGE_TAG} + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + name: backend-api + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: "1" + memory: 1536Mi + requests: + cpu: 200m + memory: 512Mi + volumeMounts: + - mountPath: /workspace + name: backend-state + - mountPath: /app/vertex + name: vertex-credentials + readOnly: true + - mountPath: /config/models + name: model-manifest + readOnly: true + - mountPath: /config/flags + name: flags-config + readOnly: true + - mountPath: /config/registry + name: agent-registry + readOnly: true + - mountPath: /etc/pki/custom-ca + name: ldap-ca-cert + readOnly: true + serviceAccountName: backend-api + volumes: + - name: backend-state + persistentVolumeClaim: + claimName: backend-state-pvc + - name: vertex-credentials + secret: + optional: true + secretName: ambient-vertex + - configMap: + name: ambient-models + optional: true + name: model-manifest + - configMap: + name: ambient-flags + optional: true + name: flags-config + - configMap: + name: ambient-agent-registry + optional: true + name: agent-registry + - configMap: + name: ldap-ca-cert + optional: true + name: ldap-ca-cert + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: frontend + name: frontend + namespace: ambient-code + spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + spec: + containers: + - env: + - name: BACKEND_URL + value: http://backend-service:8080/api + - name: NODE_ENV + value: production + - name: GITHUB_APP_SLUG + value: ambient-code + - name: UNLEASH_URL + valueFrom: + secretKeyRef: + key: unleash-url + name: unleash-credentials + optional: true + - name: 
UNLEASH_CLIENT_KEY + valueFrom: + secretKeyRef: + key: client-api-token + name: unleash-credentials + optional: true + image: ${IMAGE_FRONTEND}:${IMAGE_TAG} + imagePullPolicy: Always + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + name: frontend + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + serviceAccountName: frontend + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: minio + name: minio + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: minio + template: + metadata: + labels: + app: minio + spec: + containers: + - args: + - server + - /data + - --console-address + - :9001 + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + key: root-user + name: minio-credentials + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: root-password + name: minio-credentials + image: quay.io/minio/minio:latest + livenessProbe: + failureThreshold: 5 + httpGet: + path: /minio/health/live + port: 9000 + initialDelaySeconds: 60 + periodSeconds: 15 + timeoutSeconds: 5 + name: minio + ports: + - containerPort: 9000 + name: api + protocol: TCP + - containerPort: 9001 + name: console + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + path: /minio/health/ready + port: 9000 + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 6000m + memory: 12Gi + requests: + cpu: 3000m + memory: 6Gi + volumeMounts: + - mountPath: /data + name: data + volumes: + - name: data + persistentVolumeClaim: + claimName: minio-data + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: postgresql + app.kubernetes.io/component: database + app.kubernetes.io/name: postgresql + name: postgresql + namespace: ambient-code + spec: + 
replicas: 0 + selector: + matchLabels: + app: postgresql + strategy: + type: Recreate + template: + metadata: + labels: + app: postgresql + app.kubernetes.io/name: postgresql + spec: + containers: + - env: + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + key: db.user + name: postgresql-credentials + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: postgresql-credentials + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + key: db.name + name: postgresql-credentials + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + image: postgres:16 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: data + volumes: + - name: data + persistentVolumeClaim: + claimName: postgresql-data + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: public-api + name: public-api + namespace: ambient-code + spec: + replicas: 1 + selector: + matchLabels: + app: public-api + template: + metadata: + labels: + app: public-api + role: api-gateway + spec: + containers: + - env: + - name: PORT + value: "8081" + - name: BACKEND_URL + value: http://backend-service:8080 + - name: GIN_MODE + value: release + - name: BACKEND_TIMEOUT + value: 30s + - name: RATE_LIMIT_RPS + value: "100" + - name: RATE_LIMIT_BURST + value: "200" + image: ${IMAGE_PUBLIC_API}:${IMAGE_TAG} + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + name: public-api + ports: + - containerPort: 8081 + name: http + 
readinessProbe: + httpGet: + path: /ready + port: http + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + serviceAccountName: public-api + + + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: unleash + app.kubernetes.io/component: server + app.kubernetes.io/name: unleash + name: unleash + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: unleash + template: + metadata: + labels: + app: unleash + app.kubernetes.io/name: unleash + spec: + containers: + - env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + key: database-url + name: unleash-credentials + - name: DATABASE_SSL + valueFrom: + secretKeyRef: + key: database-ssl + name: unleash-credentials + - name: LOG_LEVEL + value: info + - name: INIT_ADMIN_API_TOKENS + valueFrom: + secretKeyRef: + key: admin-api-token + name: unleash-credentials + - name: INIT_CLIENT_API_TOKENS + valueFrom: + secretKeyRef: + key: client-api-token + name: unleash-credentials + - name: INIT_FRONTEND_API_TOKENS + valueFrom: + secretKeyRef: + key: frontend-api-token + name: unleash-credentials + - name: UNLEASH_DEFAULT_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: default-admin-password + name: unleash-credentials + image: unleashorg/unleash-server:5.11.3 + livenessProbe: + httpGet: + path: /health + port: 4242 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + name: unleash + ports: + - containerPort: 4242 + name: http + readinessProbe: + httpGet: + path: /health + port: 4242 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + + apiVersion: policy/v1 + kind: PodDisruptionBudget + metadata: + labels: + app: public-api + name: public-api-pdb 
+ namespace: ambient-code + spec: + minAvailable: 1 + selector: + matchLabels: + app: public-api + + + apiVersion: route.openshift.io/v1 + kind: Route + metadata: + labels: + app: ambient-api-server + component: api + name: ambient-api-server + namespace: ambient-code + spec: + port: + targetPort: api + tls: + insecureEdgeTerminationPolicy: Redirect + termination: reencrypt + to: + kind: Service + name: ambient-api-server + + + apiVersion: route.openshift.io/v1 + kind: Route + metadata: + labels: + app: ambient-api-server + component: grpc + name: ambient-api-server-grpc + namespace: ambient-code + spec: + port: + targetPort: grpc + tls: + insecureEdgeTerminationPolicy: Redirect + termination: reencrypt + to: + kind: Service + name: ambient-api-server + + + apiVersion: route.openshift.io/v1 + kind: Route + metadata: + labels: + app: backend-api + name: backend-route + namespace: ambient-code + spec: + port: + targetPort: http + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: backend-service + weight: 100 + wildcardPolicy: None + + + apiVersion: route.openshift.io/v1 + kind: Route + metadata: + annotations: + haproxy.router.openshift.io/balance: roundrobin + haproxy.router.openshift.io/disable_cookies: "true" + labels: + app: frontend + name: frontend-route + namespace: ambient-code + spec: + port: + targetPort: dashboard-ui + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: frontend-service + weight: 100 + wildcardPolicy: None + + + apiVersion: route.openshift.io/v1 + kind: Route + metadata: + labels: + app: public-api + name: public-api-route + namespace: ambient-code + spec: + port: + targetPort: http + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: public-api-service + weight: 100 + wildcardPolicy: None + + From 3471461c08bf24360e1e1d09ca00bd8ae926f956 Mon Sep 17 00:00:00 2001 
From: Chris Mitchell Date: Sun, 12 Apr 2026 20:46:02 -0400 Subject: [PATCH 12/38] fix: correct OpenShift Template objects array format The objects field must be a YAML array with proper list indicators. Previous version was missing the '-' prefix on array items, causing: 'unable to decode STDIN: json: cannot unmarshal object into Go struct field Template.objects of type []runtime.RawExtension' Changes: - Rebuild templates using Python yaml library for correct formatting - Objects now properly formatted as YAML array with '- apiVersion:' - Add validate.sh script for testing with oc process - Both templates validated successfully Generated from kustomize overlay output with proper YAML structure. --- .../templates/template-operator.yaml | 437 ++++-------------- .../templates/template-services.yaml | 241 +++------- components/manifests/templates/validate.sh | 16 + 3 files changed, 170 insertions(+), 524 deletions(-) create mode 100755 components/manifests/templates/validate.sh diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml index e7897eedd..d56a367fd 100644 --- a/components/manifests/templates/template-operator.yaml +++ b/components/manifests/templates/template-operator.yaml 
@@ -1,62 +1,23 @@ ---- apiVersion: template.openshift.io/v1 kind: Template metadata: name: ambient-code-operator annotations: - description: "Ambient Code Platform - Platform components (CRDs, RBAC, Operator)" - + description: Ambient Code Platform - Platform components (CRDs, RBAC, Operator) parameters: - name: IMAGE_TAG - description: "Image tag to deploy (auto-generated from git commit)" + description: Image tag to deploy (auto-generated from git commit) required: true - name: IMAGE_OPERATOR - description: "Operator image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main" + description: Operator image + value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main required: true - name: IMAGE_AMBIENT_RUNNER - description: "Ambient Runner image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main" + description: Ambient Runner image + value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main required: true - objects: -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: ambient-code-platform - annotations: - description: "Ambient Code Platform - AI-powered development environment" - -parameters: -- name: IMAGE_TAG - description: "Image tag to deploy (auto-generated from git commit)" - required: true -- name: IMAGE_OPERATOR - description: "Operator image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main" - required: true -- name: IMAGE_BACKEND - description: "Backend API image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main" - required: true -- name: IMAGE_FRONTEND - description: "Frontend image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main" - required: true -- name: 
IMAGE_PUBLIC_API - description: "Public API image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main" - required: true -- name: IMAGE_AMBIENT_API_SERVER - description: "Ambient API Server image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main" - required: true -- name: IMAGE_AMBIENT_RUNNER - description: "Ambient Runner image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main" - required: true - - apiVersion: apiextensions.k8s.io/v1 +- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: agenticsessions.vteam.ambient-code 
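Review bot: The rewritten header now carries whatever a default YAML dumper emits — the `---` document start is gone and every string that was double-quoted (the `description` and image `value` entries here, and the `""` / `"true"` values in the RBAC hunks at L171–L176) is now plain or single-quoted — so the next rebuild will reformat the whole file again unless the generator is pinned. Since the commit message says the templates were rebuilt with a Python yaml library, the script and its dump options (for PyYAML that would be `explicit_start`, `default_style`, `width`, `sort_keys`) should be committed next to validate.sh so a regeneration produces only the `- apiVersion:` list-item change. The quoting differences are equivalent once parsed; the `objects` array fix is the only semantic change and is what `oc process` needs.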
@@ -87,35 +48,23 @@ parameters: description: Git repository URL for the workflow type: string path: - description: Optional path within repo (for repos with multiple - workflows) + description: Optional path within repo (for repos with multiple workflows) type: string type: object displayName: - description: A descriptive display name for the agentic session generated - from prompt and website + description: A descriptive display name for the agentic session generated from prompt and website type: string environmentVariables: additionalProperties: type: string - description: 'Key-value pairs injected as environment variables into - all pod containers (init-hydrate, runner, state-sync). Reserved - variables (SESSION_NAME, S3_ENDPOINT, S3_BUCKET, AWS_ACCESS_KEY_ID, - AWS_SECRET_ACCESS_KEY, NAMESPACE, SYNC_INTERVAL) cannot be overridden - in init-hydrate and state-sync containers. Common conventions: RUNNER_TYPE - identifies the runner framework (e.g. "claude-agent-sdk", "gemini-cli"), - RUNNER_STATE_DIR sets the framework state directory relative to - /workspace (defaults to ".claude").' + description: 'Key-value pairs injected as environment variables into all pod containers (init-hydrate, runner, state-sync). Reserved variables (SESSION_NAME, S3_ENDPOINT, S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NAMESPACE, SYNC_INTERVAL) cannot be overridden in init-hydrate and state-sync containers. Common conventions: RUNNER_TYPE identifies the runner framework (e.g. "claude-agent-sdk", "gemini-cli"), RUNNER_STATE_DIR sets the framework state directory relative to /workspace (defaults to ".claude").' type: object inactivityTimeout: - description: Seconds of inactivity before auto-stopping a session. - 0 disables auto-shutdown. If omitted, falls back to project-level - inactivityTimeoutSeconds, then 24h default. + description: Seconds of inactivity before auto-stopping a session. 0 disables auto-shutdown. 
If omitted, falls back to project-level inactivityTimeoutSeconds, then 24h default. minimum: 0 type: integer initialPrompt: - description: Initial prompt used only on first SDK invocation for - brand new sessions (ignored on continuations or workflow restarts). + description: Initial prompt used only on first SDK invocation for brand new sessions (ignored on continuations or workflow restarts). type: string llmSettings: description: LLM configuration settings @@ -136,8 +85,7 @@ parameters: properties: autoPush: default: false - description: When true, automatically commit and push changes - to this repository after session completion + description: When true, automatically commit and push changes to this repository after session completion type: boolean branch: default: main @@ -151,17 +99,14 @@ parameters: type: object type: array stopOnRunFinished: - description: When true, automatically stop the session when the agent - completes its run (RUN_FINISHED event). Useful for one-shot tasks - triggered by automation. + description: When true, automatically stop the session when the agent completes its run (RUN_FINISHED event). Useful for one-shot tasks triggered by automation. type: boolean timeout: default: 300 description: Timeout in seconds for the agentic session type: integer userContext: - description: Authenticated caller identity captured at creation time - (used for authorization and audit) + description: Authenticated caller identity captured at creation time (used for authorization and audit) properties: displayName: description: Human-readable display name @@ -172,8 +117,7 @@ parameters: type: string type: array userId: - description: Stable user identifier (from SSO, always overwritten - from auth token) + description: Stable user identifier (from SSO, always overwritten from auth token) type: string type: object type: object 
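Review bot: The CRD `description` scalars that were folded across several lines are now emitted as single lines hundreds of characters long (the `environmentVariables` description in this hunk is the worst case; the hunks ending at L171 and L172 do the same), which turns any future wording change into a whole-line rewrite in review. Dumping with a bounded `width`, or emitting these values as `>-` folded scalars, keeps the parsed string identical while restoring reviewable line lengths. The parsed schema is unchanged by these hunks, so this is a maintainability point rather than a correctness one.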
@@ -199,8 +143,8 @@ parameters: type: string status: enum: - - "True" - - "False" + - 'True' + - 'False' - Unknown type: string type: @@ -248,8 +192,7 @@ parameters: description: Currently checked out branch (polled from filesystem) type: string defaultBranch: - description: Default branch of the remote repository (e.g., - main, master) + description: Default branch of the remote repository (e.g., main, master) type: string name: type: string @@ -284,8 +227,7 @@ parameters: type: string type: object sdkRestartCount: - description: Number of times the SDK has been restarted during this - session. + description: Number of times the SDK has been restarted during this session. type: integer sdkSessionId: description: SDK session identifier captured for resume support. @@ -306,9 +248,7 @@ parameters: storage: true subresources: status: {} - - - apiVersion: apiextensions.k8s.io/v1 +- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: projectsettings.vteam.ambient-code @@ -353,8 +293,7 @@ parameters: type: array inactivityTimeoutSeconds: default: 86400 - description: Default inactivity timeout for sessions in this project - (seconds). 0 disables. Overridden by session-level spec.inactivityTimeout. + description: Default inactivity timeout for sessions in this project (seconds). 0 disables. Overridden by session-level spec.inactivityTimeout. minimum: 0 type: integer repositories: @@ -362,12 +301,10 @@ parameters: items: properties: branch: - description: Optional branch override (defaults to repository's - default branch) + description: Optional branch override (defaults to repository's default branch) type: string provider: - description: Git hosting provider (auto-detected from URL if - not specified) + description: Git hosting provider (auto-detected from URL if not specified) enum: - github - gitlab 
@@ -380,8 +317,7 @@ parameters: type: object type: array runnerSecretsName: - description: Name of the Kubernetes Secret in this namespace that - stores runner configuration key/value pairs + description: Name of the Kubernetes Secret in this namespace that stores runner configuration key/value pairs type: string required: - groupAccess @@ -393,8 +329,7 @@ parameters: minimum: 0 type: integer limitRangeReady: - description: Whether the default LimitRange for CA bin-packing is - provisioned + description: Whether the default LimitRange for CA bin-packing is provisioned type: boolean scheduledSessionRBACReady: description: Whether RBAC for scheduled session triggers is provisioned @@ -408,16 +343,12 @@ parameters: storage: true subresources: status: {} - - - apiVersion: v1 +- apiVersion: v1 kind: ServiceAccount metadata: name: agentic-operator namespace: ambient-code - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: agentic-operator @@ -455,7 +386,7 @@ parameters: verbs: - update - apiGroups: - - "" + - '' resources: - namespaces verbs: @@ -473,7 +404,7 @@ parameters: - create - delete - apiGroups: - - "" + - '' resources: - pods verbs: @@ -484,13 +415,13 @@ parameters: - delete - deletecollection - apiGroups: - - "" + - '' resources: - pods/log verbs: - get - apiGroups: - - "" + - '' resources: - persistentvolumeclaims verbs: @@ -499,7 +430,7 @@ parameters: - create - delete - apiGroups: - - "" + - '' resources: - services verbs: @@ -518,7 +449,7 @@ parameters: - watch - create - apiGroups: - - "" + - '' resources: - serviceaccounts verbs: @@ -526,7 +457,7 @@ parameters: - create - delete - apiGroups: - - "" + - '' resources: - serviceaccounts/token verbs: 
@@ -549,20 +480,20 @@ parameters: - create - delete - apiGroups: - - "" + - '' resources: - limitranges verbs: - get - create - apiGroups: - - "" + - '' resources: - configmaps verbs: - get - apiGroups: - - "" + - '' resources: - secrets verbs: @@ -570,13 +501,11 @@ parameters: - create - delete - update - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-admin: 'true' name: agenticsessions-aggregate-to-admin rules: - apiGroups: @@ -593,9 +522,7 @@ parameters: - get - update - patch - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ambient-frontend-auth @@ -612,9 +539,7 @@ parameters: - subjectaccessreviews verbs: - create - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ambient-namespace-viewer @@ -627,9 +552,7 @@ parameters: - get - list - watch - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ambient-project-admin @@ -677,7 +600,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - secrets - configmaps @@ -690,7 +613,7 @@ parameters: - patch - delete - apiGroups: - - "" + - '' resources: - serviceaccounts verbs: @@ -702,7 +625,7 @@ parameters: - patch - delete - apiGroups: - - "" + - '' resources: - serviceaccounts/token verbs: @@ -733,7 +656,7 @@ parameters: - patch - delete - apiGroups: - - "" + - '' resources: - pods - pods/log @@ -742,7 +665,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - events verbs: @@ -758,7 +681,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - persistentvolumeclaims verbs: @@ -767,7 +690,7 @@ parameters: - watch - delete - apiGroups: - - "" + - '' resources: - services verbs: 
@@ -784,9 +707,7 @@ parameters: - list - watch - delete - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ambient-project-edit @@ -827,13 +748,13 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - configmaps verbs: - get - apiGroups: - - "" + - '' resourceNames: - ambient-runner-secrets resources: @@ -841,7 +762,7 @@ parameters: verbs: - get - apiGroups: - - "" + - '' resources: - secrets verbs: @@ -856,7 +777,7 @@ parameters: - watch - delete - apiGroups: - - "" + - '' resources: - pods - pods/log @@ -865,7 +786,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - events verbs: @@ -873,7 +794,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - persistentvolumeclaims verbs: @@ -881,7 +802,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - services verbs: @@ -897,7 +818,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - serviceaccounts verbs: @@ -919,14 +840,12 @@ parameters: - patch - delete - apiGroups: - - "" + - '' resources: - serviceaccounts/token verbs: - create - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ambient-project-view @@ -966,7 +885,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - pods - pods/log @@ -975,7 +894,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - events verbs: @@ -983,7 +902,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - persistentvolumeclaims - services @@ -999,9 +918,7 @@ parameters: - get - list - watch - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: backend-api @@ -1027,7 +944,7 @@ parameters: - update - patch - apiGroups: - - "" + - '' resources: - serviceaccounts verbs: 
@@ -1037,7 +954,7 @@ parameters: - update - patch - apiGroups: - - "" + - '' resources: - serviceaccounts/token verbs: @@ -1071,7 +988,7 @@ parameters: verbs: - bind - apiGroups: - - "" + - '' resources: - secrets verbs: @@ -1082,7 +999,7 @@ parameters: - patch - delete - apiGroups: - - "" + - '' resources: - configmaps verbs: @@ -1091,7 +1008,7 @@ parameters: - update - patch - apiGroups: - - "" + - '' resources: - namespaces verbs: @@ -1134,7 +1051,7 @@ parameters: - patch - delete - apiGroups: - - "" + - '' resources: - pods verbs: @@ -1145,13 +1062,13 @@ parameters: - delete - deletecollection - apiGroups: - - "" + - '' resources: - pods/log verbs: - get - apiGroups: - - "" + - '' resources: - persistentvolumeclaims verbs: @@ -1159,7 +1076,7 @@ parameters: - list - watch - apiGroups: - - "" + - '' resources: - services verbs: @@ -1174,13 +1091,11 @@ parameters: - selfsubjectaccessreviews verbs: - create - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-admin: 'true' name: projectsettings-aggregate-to-admin rules: - apiGroups: @@ -1197,9 +1112,7 @@ parameters: - get - update - patch - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: agentic-operator @@ -1211,9 +1124,7 @@ parameters: - kind: ServiceAccount name: agentic-operator namespace: ambient-code - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ambient-frontend-auth @@ -1225,9 +1136,7 @@ parameters: - kind: ServiceAccount name: frontend namespace: ambient-code - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ambient-users-can-list-projects 
@@ -1239,9 +1148,7 @@ parameters: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - - - apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: backend-api 
@@ -1253,186 +1160,30 @@ parameters: - kind: ServiceAccount name: backend-api namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 data: - agent-registry.json: | - [ - { - "id": "claude-agent-sdk", - "displayName": "Claude Code", - "description": "Anthropic Claude with full coding capabilities", - "framework": "claude-agent-sdk", - "provider": "anthropic", - "container": { - "image": "${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}", - "port": 8001, - "env": { - "RUNNER_TYPE": "claude-agent-sdk", - "RUNNER_STATE_DIR": ".claude" - }, - "resources": { - "requests": {"cpu": "500m", "memory": "512Mi"}, - "limits": {"cpu": "2", "memory": "8Gi"} - } - }, - "sandbox": { - "stateDir": ".claude", - "stateSyncImage": "quay.io/ambient_code/vteam_state_sync:latest", - "persistence": "s3", - "workspaceSize": "10Gi", - "terminationGracePeriod": 60, - "seed": {"cloneRepos": true, "hydrateState": true} - }, - "auth": { - "requiredSecretKeys": ["ANTHROPIC_API_KEY"], - "secretKeyLogic": "any", - "vertexSupported": true - }, - "featureGate": "" - }, - { - "id": "gemini-cli", - "displayName": "Gemini CLI", - "description": "Google Gemini coding agent with built-in file, bash, and search tools", - "framework": "gemini-cli", - "provider": "google", - "container": { - "image": "${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}", - "port": 8001, - "env": { - "RUNNER_TYPE": "gemini-cli", - "RUNNER_STATE_DIR": ".gemini" - } - }, - "sandbox": { - "stateDir": ".gemini", - "stateSyncImage": "quay.io/ambient_code/vteam_state_sync:latest", - "persistence": "s3", - "workspaceSize": "10Gi", - "terminationGracePeriod": 60, - "seed": {"cloneRepos": true, "hydrateState": true} - }, - "auth": { - "requiredSecretKeys": ["GEMINI_API_KEY", "GOOGLE_API_KEY"], - "secretKeyLogic": "any", - "vertexSupported": true - }, - "featureGate": "runner.gemini-cli.enabled" - } - ] + agent-registry.json: "[\n {\n \"id\": \"claude-agent-sdk\",\n \"displayName\": \"Claude Code\",\n \"description\": \"Anthropic Claude with full coding 
capabilities\",\n \"framework\": \"claude-agent-sdk\",\n \"provider\": \"anthropic\",\n \"container\": {\n \"image\": \"${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}\",\n \"port\": 8001,\n \"env\": {\n \"RUNNER_TYPE\": \"claude-agent-sdk\",\n \"RUNNER_STATE_DIR\": \".claude\"\n },\n \"resources\": {\n \"requests\": {\"cpu\": \"500m\", \"memory\": \"512Mi\"},\n \"limits\": {\"cpu\": \"2\", \"memory\": \"8Gi\"}\n }\n },\n \"sandbox\": {\n \"stateDir\": \".claude\",\n \"stateSyncImage\": \"quay.io/ambient_code/vteam_state_sync:latest\",\n \"persistence\": \"s3\",\n \"workspaceSize\": \"10Gi\",\n \"terminationGracePeriod\": 60,\n \"seed\": {\"cloneRepos\": true, \"hydrateState\": true}\n },\n \"auth\": {\n \"requiredSecretKeys\"\ + : [\"ANTHROPIC_API_KEY\"],\n \"secretKeyLogic\": \"any\",\n \"vertexSupported\": true\n },\n \"featureGate\": \"\"\n },\n {\n \"id\": \"gemini-cli\",\n \"displayName\": \"Gemini CLI\",\n \"description\": \"Google Gemini coding agent with built-in file, bash, and search tools\",\n \"framework\": \"gemini-cli\",\n \"provider\": \"google\",\n \"container\": {\n \"image\": \"${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}\",\n \"port\": 8001,\n \"env\": {\n \"RUNNER_TYPE\": \"gemini-cli\",\n \"RUNNER_STATE_DIR\": \".gemini\"\n }\n },\n \"sandbox\": {\n \"stateDir\": \".gemini\",\n \"stateSyncImage\": \"quay.io/ambient_code/vteam_state_sync:latest\",\n \"persistence\": \"s3\",\n \"workspaceSize\": \"10Gi\",\n \"terminationGracePeriod\": 60,\n \"seed\": {\"cloneRepos\": true, \"hydrateState\": true}\n },\n \"auth\": {\n \"requiredSecretKeys\": [\"GEMINI_API_KEY\", \"GOOGLE_API_KEY\"\ + ],\n \"secretKeyLogic\": \"any\",\n \"vertexSupported\": true\n },\n \"featureGate\": \"runner.gemini-cli.enabled\"\n }\n]\n" kind: ConfigMap metadata: name: ambient-agent-registry namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 data: - models.json: | - { - "version": 2, - "defaultModel": "claude-sonnet-4-5", - "providerDefaults": { - "anthropic": "claude-sonnet-4-5", - 
"google": "gemini-2.5-flash" - }, - "models": [ - { - "id": "claude-sonnet-4-5", - "label": "Claude Sonnet 4.5", - "vertexId": "claude-sonnet-4-5@20250929", - "provider": "anthropic", - "available": true, - "featureGated": false - }, - { - "id": "claude-opus-4-6", - "label": "Claude Opus 4.6", - "vertexId": "claude-opus-4-6@default", - "provider": "anthropic", - "available": true, - "featureGated": true - }, - { - "id": "claude-opus-4-5", - "label": "Claude Opus 4.5", - "vertexId": "claude-opus-4-5@20251101", - "provider": "anthropic", - "available": true, - "featureGated": false - }, - { - "id": "claude-haiku-4-5", - "label": "Claude Haiku 4.5", - "vertexId": "claude-haiku-4-5@20251001", - "provider": "anthropic", - "available": true, - "featureGated": false - }, - { - "id": "claude-sonnet-4-6", - "label": "Claude Sonnet 4.6", - "vertexId": "claude-sonnet-4-6@default", - "provider": "anthropic", - "available": true, - "featureGated": true - }, - { - "id": "gemini-2.5-flash", - "label": "Gemini 2.5 Flash", - "vertexId": "gemini-2.5-flash@default", - "provider": "google", - "available": true, - "featureGated": false - }, - { - "id": "gemini-2.5-pro", - "label": "Gemini 2.5 Pro", - "vertexId": "gemini-2.5-pro@default", - "provider": "google", - "available": true, - "featureGated": true - }, - { - "id": "gemini-2.5-flash-lite", - "label": "Gemini 2.5 Flash Lite", - "vertexId": "gemini-2.5-flash-lite@default", - "provider": "google", - "available": true, - "featureGated": true - }, - { - "id": "gemini-2.5-flash-preview-04-17", - "label": "Gemini 2.5 Flash Preview 04.17", - "vertexId": "gemini-2.5-flash-preview-04-17@default", - "provider": "google", - "available": false, - "featureGated": true - }, - { - "id": "gemini-3.1-flash-image-preview", - "label": "Gemini 3.1 Flash Image Preview", - "vertexId": "gemini-3.1-flash-image-preview@default", - "provider": "google", - "available": false, - "featureGated": true - } - ] - } + models.json: "{\n \"version\": 2,\n 
\"defaultModel\": \"claude-sonnet-4-5\",\n \"providerDefaults\": {\n \"anthropic\": \"claude-sonnet-4-5\",\n \"google\": \"gemini-2.5-flash\"\n },\n \"models\": [\n {\n \"id\": \"claude-sonnet-4-5\",\n \"label\": \"Claude Sonnet 4.5\",\n \"vertexId\": \"claude-sonnet-4-5@20250929\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-opus-4-6\",\n \"label\": \"Claude Opus 4.6\",\n \"vertexId\": \"claude-opus-4-6@default\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"claude-opus-4-5\",\n \"label\": \"Claude Opus 4.5\",\n \"vertexId\": \"claude-opus-4-5@20251101\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-haiku-4-5\",\n \"label\": \"Claude Haiku\ + \ 4.5\",\n \"vertexId\": \"claude-haiku-4-5@20251001\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-sonnet-4-6\",\n \"label\": \"Claude Sonnet 4.6\",\n \"vertexId\": \"claude-sonnet-4-6@default\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash\",\n \"label\": \"Gemini 2.5 Flash\",\n \"vertexId\": \"gemini-2.5-flash@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"gemini-2.5-pro\",\n \"label\": \"Gemini 2.5 Pro\",\n \"vertexId\": \"gemini-2.5-pro@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash-lite\",\n \"label\": \"Gemini 2.5 Flash Lite\",\n \"vertexId\": \"gemini-2.5-flash-lite@default\"\ + ,\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash-preview-04-17\",\n \"label\": \"Gemini 2.5 Flash Preview 04.17\",\n \"vertexId\": \"gemini-2.5-flash-preview-04-17@default\",\n \"provider\": \"google\",\n \"available\": false,\n 
\"featureGated\": true\n },\n {\n \"id\": \"gemini-3.1-flash-image-preview\",\n \"label\": \"Gemini 3.1 Flash Image Preview\",\n \"vertexId\": \"gemini-3.1-flash-image-preview@default\",\n \"provider\": \"google\",\n \"available\": false,\n \"featureGated\": true\n }\n ]\n}\n" kind: ConfigMap metadata: name: ambient-models namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 data: ANTHROPIC_VERTEX_PROJECT_ID: ambient-code-platform CLOUD_ML_REGION: global GOOGLE_APPLICATION_CREDENTIALS: /app/vertex/ambient-code-key.json - USE_VERTEX: "1" + USE_VERTEX: '1' kind: ConfigMap metadata: labels: @@ -1440,9 +1191,7 @@ parameters: deployment-type: openshift name: operator-config namespace: ambient-code - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -1468,7 +1217,7 @@ parameters: - name: AMBIENT_CODE_RUNNER_IMAGE value: ${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG} - name: MAX_CONCURRENT_RECONCILES - value: "10" + value: '10' - name: NAMESPACE valueFrom: fieldRef: @@ -1597,5 +1346,3 @@ parameters: name: ambient-agent-registry optional: true name: agent-registry - - diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 534bc5e39..57a0bb849 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml 
@@ -1,72 +1,60 @@ ---- apiVersion: template.openshift.io/v1 kind: Template metadata: name: ambient-code-services annotations: - description: "Ambient Code Platform - Application services" - + description: Ambient Code Platform - Application services parameters: - name: IMAGE_TAG - description: "Image tag to deploy (auto-generated from git commit)" + description: Image tag to deploy (auto-generated from git commit) required: true - name: IMAGE_BACKEND - description: "Backend API image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main" + description: Backend API image + value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main required: true - name: IMAGE_FRONTEND - description: "Frontend image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main" + description: Frontend image + value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main required: true - name: IMAGE_PUBLIC_API - description: "Public API image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main" + description: Public API image + value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main required: true - name: IMAGE_AMBIENT_API_SERVER - description: "Ambient API Server image" - value: "quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main" + description: Ambient API Server image + value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main required: true - objects: - apiVersion: v1 +- apiVersion: v1 kind: ServiceAccount metadata: labels: app: ambient-api-server name: ambient-api-server namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 kind: ServiceAccount metadata: name: backend-api namespace: ambient-code - 
- - apiVersion: v1 +- apiVersion: v1 kind: ServiceAccount metadata: name: frontend namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 kind: ServiceAccount metadata: labels: app: public-api name: public-api namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 data: - acl.yml: | - - claim: email - pattern: ^.*@(redhat\.com|ambient\.code)$ - jwks.json: | - {"keys":[]} + acl.yml: "- claim: email\n pattern: ^.*@(redhat\\.com|ambient\\.code)$\n" + jwks.json: '{"keys":[]} + + ' kind: ConfigMap metadata: labels: 
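Review bot: The `ambient-api-server-auth` ConfigMap carries the authorization boundary for the API server (the email ACL and the JWKS), and this hunk rewrites both from block scalars into escaped one-line strings, which makes the pattern `^.*@(redhat\\.com|ambient\\.code)$` hard to review and easy to break on the next edit — a `\.` that loses its doubling is an invalid escape in a double-quoted YAML scalar. Since the value is unchanged, I would keep the readable form for the auth data, `acl.yml: |` followed by the two ACL lines, even if the rest of the template stays in the generated style. The shipped `jwks.json` is `{"keys":[]}`, so no token can verify against it as written; a comment on that key naming the overlay or secret that supplies the real key set would tell the next reader whether the empty set is a placeholder or a misconfiguration, which I cannot determine from this file.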
@@ -74,62 +62,15 @@ objects: component: auth name: ambient-api-server-auth namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 data: - flags.json: | - { - "flags": [ - { - "name": "runner.gemini-cli.enabled", - "description": "Enable Gemini CLI runner type for session creation", - "tags": [ - { - "type": "scope", - "value": "workspace" - } - ] - }, - { - "name": "ldap.autocomplete.enabled", - "description": "Enable LDAP user and group autocomplete for workspace sharing", - "tags": [ - { - "type": "scope", - "value": "workspace" - } - ] - }, - { - "name": "scheduled-session.reuse.enabled", - "description": "Enable reuse last session option for scheduled sessions", - "tags": [ - { - "type": "scope", - "value": "workspace" - } - ] - }, - { - "name": "jira-write", - "description": "Allow Jira MCP server to perform write operations in new sessions", - "tags": [ - { - "type": "scope", - "value": "workspace" - } - ] - } - ] - } + flags.json: "{\n \"flags\": [\n {\n \"name\": \"runner.gemini-cli.enabled\",\n \"description\": \"Enable Gemini CLI runner type for session creation\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"ldap.autocomplete.enabled\",\n \"description\": \"Enable LDAP user and group autocomplete for workspace sharing\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"scheduled-session.reuse.enabled\",\n \"description\": \"Enable reuse last session option for scheduled sessions\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"jira-write\",\n \"description\": \"Allow Jira MCP server to perform write operations in new sessions\",\n \"tags\": [\n \ + \ {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n }\n ]\n}\n" kind: ConfigMap metadata: name: ambient-flags namespace: ambient-code - - - apiVersion: v1 +- apiVersion: v1 kind: Secret metadata: labels: 
@@ -138,15 +79,13 @@ objects: name: ambient-api-server namespace: ambient-code stringData: - sentry.key: "" + sentry.key: '' type: Opaque - - - apiVersion: v1 +- apiVersion: v1 kind: Secret metadata: annotations: - qontract.recycle: "true" + qontract.recycle: 'true' labels: app: ambient-api-server component: database @@ -156,12 +95,10 @@ objects: db.host: VAULT_INJECTED db.name: ambient_code db.password: VAULT_INJECTED - db.port: "5432" + db.port: '5432' db.user: VAULT_INJECTED type: Opaque - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: annotations: @@ -192,9 +129,7 @@ objects: selector: app: ambient-api-server component: api - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: @@ -212,9 +147,7 @@ objects: app: ambient-api-server component: database type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: @@ -230,9 +163,7 @@ objects: selector: app: backend-api type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: @@ -248,9 +179,7 @@ objects: selector: app: frontend type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: @@ -270,9 +199,7 @@ objects: selector: app: minio type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: @@ -288,9 +215,7 @@ objects: selector: app: postgresql type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: @@ -306,9 +231,7 @@ objects: selector: app: public-api type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: Service metadata: labels: 
@@ -324,28 +247,24 @@ objects: selector: app: unleash type: ClusterIP - - - apiVersion: v1 +- apiVersion: v1 kind: LimitRange metadata: labels: - ambient-code.io/managed: "true" + ambient-code.io/managed: 'true' app.kubernetes.io/managed-by: ambient-code name: ambient-default-limits namespace: ambient-code spec: limits: - default: - cpu: "2" + cpu: '2' memory: 4Gi defaultRequest: cpu: 250m memory: 256Mi type: Container - - - apiVersion: v1 +- apiVersion: v1 kind: PersistentVolumeClaim metadata: labels: @@ -359,9 +278,7 @@ objects: resources: requests: storage: 1Gi - - - apiVersion: v1 +- apiVersion: v1 kind: PersistentVolumeClaim metadata: labels: @@ -375,9 +292,7 @@ objects: resources: requests: storage: 5Gi - - - apiVersion: v1 +- apiVersion: v1 kind: PersistentVolumeClaim metadata: labels: @@ -390,9 +305,7 @@ objects: resources: requests: storage: 500Gi - - - apiVersion: v1 +- apiVersion: v1 kind: PersistentVolumeClaim metadata: labels: @@ -407,9 +320,7 @@ objects: resources: requests: storage: 10Gi - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -552,9 +463,7 @@ objects: - configMap: name: ambient-api-server-auth name: auth-config - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -625,9 +534,7 @@ objects: - name: ambient-api-server-db-data persistentVolumeClaim: claimName: ambient-api-server-db-data - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -654,7 +561,7 @@ objects: fieldRef: fieldPath: metadata.namespace - name: PORT - value: "8080" + value: '8080' - name: STATE_BASE_DIR value: /workspace - name: SPEC_KIT_REPO @@ -857,7 +764,7 @@ objects: periodSeconds: 5 resources: limits: - cpu: "1" + cpu: '1' memory: 1536Mi requests: cpu: 200m @@ -905,9 +812,7 @@ objects: name: ldap-ca-cert optional: true name: ldap-ca-cert - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: 
@@ -969,9 +874,7 @@ objects: cpu: 100m memory: 256Mi serviceAccountName: frontend - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -1044,9 +947,7 @@ objects: - name: data persistentVolumeClaim: claimName: minio-data - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -1124,9 +1025,7 @@ objects: - name: data persistentVolumeClaim: claimName: postgresql-data - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -1147,7 +1046,7 @@ objects: containers: - env: - name: PORT - value: "8081" + value: '8081' - name: BACKEND_URL value: http://backend-service:8080 - name: GIN_MODE @@ -1155,9 +1054,9 @@ objects: - name: BACKEND_TIMEOUT value: 30s - name: RATE_LIMIT_RPS - value: "100" + value: '100' - name: RATE_LIMIT_BURST - value: "200" + value: '200' image: ${IMAGE_PUBLIC_API}:${IMAGE_TAG} imagePullPolicy: Always livenessProbe: @@ -1191,9 +1090,7 @@ objects: readOnlyRootFilesystem: true runAsNonRoot: true serviceAccountName: public-api - - - apiVersion: apps/v1 +- apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -1273,9 +1170,7 @@ objects: requests: cpu: 100m memory: 256Mi - - - apiVersion: policy/v1 +- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: labels: @@ -1287,9 +1182,7 @@ objects: selector: matchLabels: app: public-api - - - apiVersion: route.openshift.io/v1 +- apiVersion: route.openshift.io/v1 kind: Route metadata: labels: @@ -1306,9 +1199,7 @@ objects: to: kind: Service name: ambient-api-server - - - apiVersion: route.openshift.io/v1 +- apiVersion: route.openshift.io/v1 kind: Route metadata: labels: @@ -1325,9 +1216,7 @@ objects: to: kind: Service name: ambient-api-server - - - apiVersion: route.openshift.io/v1 +- apiVersion: route.openshift.io/v1 kind: Route metadata: labels: 
@@ -1345,14 +1234,12 @@ objects: name: backend-service weight: 100 wildcardPolicy: None - - - apiVersion: route.openshift.io/v1 +- apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: haproxy.router.openshift.io/balance: roundrobin - haproxy.router.openshift.io/disable_cookies: "true" + haproxy.router.openshift.io/disable_cookies: 'true' labels: app: frontend name: frontend-route @@ -1368,9 +1255,7 @@ objects: name: frontend-service weight: 100 wildcardPolicy: None - - - apiVersion: route.openshift.io/v1 +- apiVersion: route.openshift.io/v1 kind: Route metadata: labels: @@ -1388,5 +1273,3 @@ objects: name: public-api-service weight: 100 wildcardPolicy: None - - diff --git a/components/manifests/templates/validate.sh b/components/manifests/templates/validate.sh new file mode 100755 index 000000000..0f6bf2197 --- /dev/null +++ b/components/manifests/templates/validate.sh @@ -0,0 +1,16 @@ +#!/bin/bash +# Validate OpenShift templates + +set -e + +echo "Validating OpenShift templates..." + +cd "$(dirname "$0")" + +for template in template-operator.yaml template-services.yaml; do + echo " Checking $template..." + oc process -f "$template" --param=IMAGE_TAG=validation-test --local > /dev/null + echo " ✓ Valid" +done + +echo "✓ All templates valid" From c040bb709c05f84bc589513a0a619684a4c36d8d Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 13 Apr 2026 09:42:28 -0400 Subject: [PATCH 13/38] refactor: remove in-cluster services from template Remove minio, postgresql, unleash, ambient-api-server-db. Using external RDS and S3 from app-interface. Removed 12 resources (4 Deployments, 4 Services, 3 PVCs, 1 Secret) Remaining: ambient-api-server, backend-api, frontend, public-api --- .../templates/template-services.yaml | 431 ------------------ 1 file changed, 431 deletions(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 57a0bb849..493a719b5 100644 
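Review bot: `validate.sh` runs with `set -e` only; `set -euo pipefail` would also abort on an unset variable or on a failure inside a future pipeline instead of printing `✓ Valid`. `oc process --local` proves that the template parses and the parameters substitute, not that the rendered objects are valid, so a malformed `securityContext` or a reference to a Secret the template never defines still passes — the header comment should say so, e.g. `# Checks that the templates render; does not validate the rendered objects against the API.` Where CI has a cluster, piping the rendered List into `oc apply --dry-run=server -f - >/dev/null` would add that check.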
--- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -81,23 +81,6 @@ objects: stringData: sentry.key: '' type: Opaque -- apiVersion: v1 - kind: Secret - metadata: - annotations: - qontract.recycle: 'true' - labels: - app: ambient-api-server - component: database - name: ambient-api-server-db - namespace: ambient-code - stringData: - db.host: VAULT_INJECTED - db.name: ambient_code - db.password: VAULT_INJECTED - db.port: '5432' - db.user: VAULT_INJECTED - type: Opaque - apiVersion: v1 kind: Service metadata: @@ -129,24 +112,6 @@ objects: selector: app: ambient-api-server component: api -- apiVersion: v1 - kind: Service - metadata: - labels: - app: ambient-api-server - component: database - name: ambient-api-server-db - namespace: ambient-code - spec: - ports: - - name: postgresql - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - app: ambient-api-server - component: database - type: ClusterIP - apiVersion: v1 kind: Service metadata: @@ -179,42 +144,6 @@ objects: selector: app: frontend type: ClusterIP -- apiVersion: v1 - kind: Service - metadata: - labels: - app: minio - name: minio - namespace: ambient-code - spec: - ports: - - name: api - port: 9000 - protocol: TCP - targetPort: 9000 - - name: console - port: 9001 - protocol: TCP - targetPort: 9001 - selector: - app: minio - type: ClusterIP -- apiVersion: v1 - kind: Service - metadata: - labels: - app: postgresql - app.kubernetes.io/name: postgresql - name: postgresql - namespace: ambient-code - spec: - ports: - - name: postgresql - port: 5432 - targetPort: postgresql - selector: - app: postgresql - type: ClusterIP - apiVersion: v1 kind: Service metadata: 
@@ -231,22 +160,6 @@ objects: selector: app: public-api type: ClusterIP -- apiVersion: v1 - kind: Service - metadata: - labels: - app: unleash - app.kubernetes.io/name: unleash - name: unleash - namespace: ambient-code - spec: - ports: - - name: http - port: 4242 - targetPort: 4242 - selector: - app: unleash - type: ClusterIP - apiVersion: v1 kind: LimitRange metadata: @@ -264,20 +177,6 @@ objects: cpu: 250m memory: 256Mi type: Container -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - labels: - app: ambient-api-server - component: database - name: ambient-api-server-db-data - namespace: ambient-code - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -292,34 +191,6 @@ objects: resources: requests: storage: 5Gi -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - labels: - app: minio - name: minio-data - namespace: ambient-code - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 500Gi -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - labels: - app: postgresql - app.kubernetes.io/component: database - app.kubernetes.io/name: postgresql - name: postgresql-data - namespace: ambient-code - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -463,77 +334,6 @@ objects: - configMap: name: ambient-api-server-auth name: auth-config -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: ambient-api-server - component: database - name: ambient-api-server-db - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: ambient-api-server - component: database - strategy: - type: Recreate - template: - metadata: - labels: - app: ambient-api-server - component: database - spec: - containers: - - env: - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: db.user - name: ambient-api-server-db - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: ambient-api-server-db - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: db.name - name: ambient-api-server-db - - name: PGDATA - value: /var/lib/postgresql/data/pgdata - image: postgres:16 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - name: postgresql - ports: - - containerPort: 5432 - name: postgresql - readinessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: ambient-api-server-db-data - volumes: - - name: ambient-api-server-db-data - persistentVolumeClaim: - claimName: ambient-api-server-db-data - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -874,157 +674,6 @@ objects: cpu: 100m memory: 256Mi serviceAccountName: frontend -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: minio - name: minio - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: minio - template: - metadata: - labels: - app: minio - spec: - containers: - - args: - - server - - /data - - --console-address - - :9001 - env: - - name: MINIO_ROOT_USER - valueFrom: - secretKeyRef: - key: root-user - name: minio-credentials - - name: MINIO_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: root-password - name: minio-credentials - image: quay.io/minio/minio:latest - livenessProbe: - failureThreshold: 5 - httpGet: - path: /minio/health/live - port: 9000 - initialDelaySeconds: 60 - periodSeconds: 15 - timeoutSeconds: 5 - name: minio - ports: - - containerPort: 9000 - name: api - protocol: TCP - - containerPort: 9001 - name: console - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - path: /minio/health/ready - port: 9000 - initialDelaySeconds: 20 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: 6000m - memory: 12Gi - requests: - cpu: 3000m - memory: 6Gi - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: minio-data -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: postgresql - app.kubernetes.io/component: database - app.kubernetes.io/name: postgresql - name: postgresql - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: postgresql - strategy: - type: Recreate - template: - metadata: - labels: - app: postgresql - app.kubernetes.io/name: postgresql - spec: - containers: - - env: - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: db.user - name: postgresql-credentials - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: postgresql-credentials - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: db.name - 
name: postgresql-credentials - - name: PGDATA - value: /var/lib/postgresql/data/pgdata - image: postgres:16 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - name: postgresql - ports: - - containerPort: 5432 - name: postgresql - readinessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: postgresql-data - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -1090,86 +739,6 @@ objects: readOnlyRootFilesystem: true runAsNonRoot: true serviceAccountName: public-api -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: unleash - app.kubernetes.io/component: server - app.kubernetes.io/name: unleash - name: unleash - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: unleash - template: - metadata: - labels: - app: unleash - app.kubernetes.io/name: unleash - spec: - containers: - - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - key: database-url - name: unleash-credentials - - name: DATABASE_SSL - valueFrom: - secretKeyRef: - key: database-ssl - name: unleash-credentials - - name: LOG_LEVEL - value: info - - name: INIT_ADMIN_API_TOKENS - valueFrom: - secretKeyRef: - key: admin-api-token - name: unleash-credentials - - name: INIT_CLIENT_API_TOKENS - valueFrom: - secretKeyRef: - key: client-api-token - name: unleash-credentials - - name: INIT_FRONTEND_API_TOKENS - valueFrom: - secretKeyRef: - key: frontend-api-token - name: unleash-credentials - - name: UNLEASH_DEFAULT_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: default-admin-password - name: unleash-credentials - image: unleashorg/unleash-server:5.11.3 - livenessProbe: - httpGet: - path: /health - port: 4242 - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - name: unleash - ports: - - containerPort: 4242 - name: http - readinessProbe: - httpGet: - path: /health - port: 4242 - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - apiVersion: policy/v1 kind: PodDisruptionBudget metadata: From 2f251bba4f4608ad3ccaaf7073a1d7820e42e57e Mon Sep 17 00:00:00 2001 
From: Matthew Knop Date: Mon, 13 Apr 2026 13:45:19 -0600 Subject: [PATCH 14/38] updating postgresql db name --- components/ambient-api-server/templates/db-template.yml | 2 +- components/manifests/README.md | 4 ++-- .../manifests/base/core/ambient-api-server-service.yml | 2 +- .../manifests/base/platform/ambient-api-server-db.yml | 6 +++--- .../base/platform/ambient-api-server-secrets.yml | 2 +- .../ambient-api-server-db-json-patch.yaml | 6 +++--- .../ambient-api-server-init-db-patch.yaml | 8 ++++---- .../components/ambient-api-server-db/kustomization.yaml | 2 +- .../app-interface/ambient-api-server-db-secret-patch.yaml | 2 +- .../manifests/overlays/app-interface/kustomization.yaml | 4 ++-- .../overlays/kind/api-server-db-security-patch.yaml | 6 +++--- .../manifests/overlays/kind/api-server-no-jwt-patch.yaml | 2 +- .../ambient-api-server-db-credentials-patch.yaml | 2 +- .../local-dev/ambient-api-server-db-json-patch.yaml | 6 +++--- .../local-dev/ambient-api-server-init-db-patch.yaml | 8 ++++---- components/manifests/templates/template-services.yaml | 2 +- 16 files changed, 32 insertions(+), 32 deletions(-) diff --git a/components/ambient-api-server/templates/db-template.yml b/components/ambient-api-server/templates/db-template.yml index 71507a21e..2df011c93 100644 --- a/components/ambient-api-server/templates/db-template.yml +++ b/components/ambient-api-server/templates/db-template.yml @@ -14,7 +14,7 @@ parameters: description: The name of the OpenShift Service exposed for the database. displayName: Database Service Name required: true - value: ambient-api-server-db + value: ambient-code-rds - name: DATABASE_USER description: Username for PostgreSQL user that will be used for accessing the database. diff --git a/components/manifests/README.md b/components/manifests/README.md index 41d00f90c..38a5a0ad5 100644 --- a/components/manifests/README.md +++ b/components/manifests/README.md 
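Review bot: The `DATABASE_SERVICE_NAME` default in `db-template.yml` is described as the name of the OpenShift Service exposed for the database, yet the rest of this commit renames the Secret, not a Service, to `ambient-code-rds`; the local-dev overlay still points `db.host` at `vteam-ambient-api-server-db`, so this default may now name a Service that does not exist in the in-cluster setup. If the parameter is meant to become the external RDS alias, the description should say that; otherwise the old default should stay. I am inferring the intent from the other hunks rather than from the template itself.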
@@ -26,7 +26,7 @@ manifests/ │ ├── platform/ # Cluster-level resources │ │ ├── namespace.yaml │ │ ├── ambient-api-server-db.yml # ambient-api-server PostgreSQL deployment -│ │ └── ambient-api-server-secrets.yml # Secret template (values injected per-env) +│ │ └── ambient-api-server-secrets.yml # Secret template (ambient-code-rds secret for DB) │ ├── crds/ # Custom Resource Definitions │ │ ├── agenticsessions-crd.yaml │ │ └── projectsettings-crd.yaml @@ -121,7 +121,7 @@ Components are opt-in kustomize modules included via the `components:` block in |---|---|---| | `oauth-proxy` | Adds OpenShift OAuth proxy sidecar to frontend | `production` | | `postgresql-rhel` | Patches PostgreSQL to use `registry.redhat.io/rhel10/postgresql-16` | `production`, `local-dev` | -| `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` | +| `ambient-api-server-db` | RHEL patch for ambient-api-server DB (updates ambient-code-rds secret refs) | `production`, `local-dev` | | `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` | ## Building and Validating diff --git a/components/manifests/base/core/ambient-api-server-service.yml b/components/manifests/base/core/ambient-api-server-service.yml index 3aad19313..931e4734c 100644 --- a/components/manifests/base/core/ambient-api-server-service.yml +++ b/components/manifests/base/core/ambient-api-server-service.yml @@ -146,7 +146,7 @@ spec: volumes: - name: db-secrets secret: - secretName: ambient-api-server-db + secretName: ambient-code-rds - name: app-secrets secret: secretName: ambient-api-server diff --git a/components/manifests/base/platform/ambient-api-server-db.yml b/components/manifests/base/platform/ambient-api-server-db.yml index b51b69e01..9ea515847 100644 --- a/components/manifests/base/platform/ambient-api-server-db.yml +++ b/components/manifests/base/platform/ambient-api-server-db.yml 
@@ -65,17 +65,17 @@ spec: valueFrom: secretKeyRef: key: db.user - name: ambient-api-server-db + name: ambient-code-rds - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: key: db.password - name: ambient-api-server-db + name: ambient-code-rds - name: POSTGRES_DB valueFrom: secretKeyRef: key: db.name - name: ambient-api-server-db + name: ambient-code-rds - name: PGDATA value: /var/lib/postgresql/data/pgdata volumeMounts: diff --git a/components/manifests/base/platform/ambient-api-server-secrets.yml b/components/manifests/base/platform/ambient-api-server-secrets.yml index 0bea83102..a2476fdb0 100644 --- a/components/manifests/base/platform/ambient-api-server-secrets.yml +++ b/components/manifests/base/platform/ambient-api-server-secrets.yml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: ambient-api-server-db + name: ambient-code-rds labels: app: ambient-api-server component: database diff --git a/components/manifests/components/ambient-api-server-db/ambient-api-server-db-json-patch.yaml b/components/manifests/components/ambient-api-server-db/ambient-api-server-db-json-patch.yaml index 2888c8260..bc52d9a19 100644 --- a/components/manifests/components/ambient-api-server-db/ambient-api-server-db-json-patch.yaml +++ b/components/manifests/components/ambient-api-server-db/ambient-api-server-db-json-patch.yaml @@ -11,17 +11,17 @@ - name: POSTGRESQL_USER valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.user - name: POSTGRESQL_PASSWORD valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.password - name: POSTGRESQL_DATABASE valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.name - op: replace path: /spec/template/spec/containers/0/volumeMounts 
diff --git a/components/manifests/components/ambient-api-server-db/ambient-api-server-init-db-patch.yaml b/components/manifests/components/ambient-api-server-db/ambient-api-server-init-db-patch.yaml index 408f7b9d5..0e668dc5c 100644 --- a/components/manifests/components/ambient-api-server-db/ambient-api-server-init-db-patch.yaml +++ b/components/manifests/components/ambient-api-server-db/ambient-api-server-init-db-patch.yaml @@ -41,20 +41,20 @@ spec: - name: PGHOST valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.host - name: PGUSER valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.user - name: PGPASSWORD valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.password - name: PGDATABASE valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.name diff --git a/components/manifests/components/ambient-api-server-db/kustomization.yaml b/components/manifests/components/ambient-api-server-db/kustomization.yaml index 68fb640d2..7dea0093c 100644 --- a/components/manifests/components/ambient-api-server-db/kustomization.yaml +++ b/components/manifests/components/ambient-api-server-db/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -# Requires: ambient-api-server-db Secret in the target namespace +# Requires: ambient-code-rds Secret in the target namespace patches: - path: ambient-api-server-db-json-patch.yaml diff --git a/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml b/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml index 5d645fb19..e1475901c 100644 --- a/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml +++ b/components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml 
@@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: ambient-api-server-db + name: ambient-code-rds labels: app: ambient-api-server component: database diff --git a/components/manifests/overlays/app-interface/kustomization.yaml b/components/manifests/overlays/app-interface/kustomization.yaml index 892a04a65..73c504ba9 100644 --- a/components/manifests/overlays/app-interface/kustomization.yaml +++ b/components/manifests/overlays/app-interface/kustomization.yaml @@ -57,11 +57,11 @@ patches: path: /spec/replicas value: 0 -# Patch ambient-api-server-db secret to use external RDS (from Vault) +# Patch ambient-code-rds secret to use external RDS (from Vault) - path: ambient-api-server-db-secret-patch.yaml target: kind: Secret - name: ambient-api-server-db + name: ambient-code-rds # Konflux image overrides (redhat-services-prod) images: diff --git a/components/manifests/overlays/kind/api-server-db-security-patch.yaml b/components/manifests/overlays/kind/api-server-db-security-patch.yaml index bf77013f7..1d415d32b 100644 --- a/components/manifests/overlays/kind/api-server-db-security-patch.yaml +++ b/components/manifests/overlays/kind/api-server-db-security-patch.yaml @@ -22,17 +22,17 @@ spec: - name: POSTGRES_USER valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.user - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.password - name: POSTGRES_DB valueFrom: secretKeyRef: - name: ambient-api-server-db + name: ambient-code-rds key: db.name - name: PGDATA value: /var/lib/postgresql/data/pgdata diff --git a/components/manifests/overlays/kind/api-server-no-jwt-patch.yaml b/components/manifests/overlays/kind/api-server-no-jwt-patch.yaml index 03e24e2e7..4459e34cd 100644 --- a/components/manifests/overlays/kind/api-server-no-jwt-patch.yaml +++ b/components/manifests/overlays/kind/api-server-no-jwt-patch.yaml 
@@ -3,7 +3,7 @@ value:
 - name: db-secrets
 secret:
- secretName: ambient-api-server-db
+ secretName: ambient-code-rds
 - name: app-secrets
 secret:
 secretName: ambient-api-server
diff --git a/components/manifests/overlays/local-dev/ambient-api-server-db-credentials-patch.yaml b/components/manifests/overlays/local-dev/ambient-api-server-db-credentials-patch.yaml
index dbe96f2c6..2192ab0ac 100644
--- a/components/manifests/overlays/local-dev/ambient-api-server-db-credentials-patch.yaml
+++ b/components/manifests/overlays/local-dev/ambient-api-server-db-credentials-patch.yaml
@@ -2,6 +2,6 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: ambient-api-server-db
+ name: ambient-code-rds
 stringData:
 db.host: vteam-ambient-api-server-db
diff --git a/components/manifests/overlays/local-dev/ambient-api-server-db-json-patch.yaml b/components/manifests/overlays/local-dev/ambient-api-server-db-json-patch.yaml
index 2888c8260..bc52d9a19 100644
--- a/components/manifests/overlays/local-dev/ambient-api-server-db-json-patch.yaml
+++ b/components/manifests/overlays/local-dev/ambient-api-server-db-json-patch.yaml
@@ -11,17 +11,17 @@
 - name: POSTGRESQL_USER
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.user
 - name: POSTGRESQL_PASSWORD
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.password
 - name: POSTGRESQL_DATABASE
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.name
 - op: replace
 path: /spec/template/spec/containers/0/volumeMounts
diff --git a/components/manifests/overlays/local-dev/ambient-api-server-init-db-patch.yaml b/components/manifests/overlays/local-dev/ambient-api-server-init-db-patch.yaml
index 408f7b9d5..0e668dc5c 100644
--- a/components/manifests/overlays/local-dev/ambient-api-server-init-db-patch.yaml
+++ b/components/manifests/overlays/local-dev/ambient-api-server-init-db-patch.yaml
@@ -41,20 +41,20 @@ spec:
 - name: PGHOST
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.host
 - name: PGUSER
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.user
 - name: PGPASSWORD
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.password
 - name: PGDATABASE
 valueFrom:
 secretKeyRef:
- name: ambient-api-server-db
+ name: ambient-code-rds
 key: db.name
diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml
index 493a719b5..c16b9b1ba 100644
--- a/components/manifests/templates/template-services.yaml
+++ b/components/manifests/templates/template-services.yaml
@@ -327,7 +327,7 @@ objects:
 volumes:
 - name: db-secrets
 secret:
- secretName: ambient-api-server-db
+ secretName: ambient-code-rds
 - name: app-secrets
 secret:
 secretName: ambient-api-server
From 7ecd3c760101cdccc6443ef69871e35545347698 Mon Sep 17 00:00:00 2001
From: Matthew Knop
Date: Wed, 15 Apr 2026 10:38:06 -0600
Subject: [PATCH 15/38] enabling ssl mode for rds
---
.../ambient-api-server-jwt-args-patch.yaml | 5 ++---
...mbient-api-server-migration-ssl-patch.yaml | 21 +++++++++++++++++++
.../overlays/production/kustomization.yaml | 6 ++++++
3 files changed, 29 insertions(+), 3 deletions(-)
create mode 100644 components/manifests/overlays/production/ambient-api-server-migration-ssl-patch.yaml
diff --git a/components/manifests/overlays/production/ambient-api-server-jwt-args-patch.yaml b/components/manifests/overlays/production/ambient-api-server-jwt-args-patch.yaml
index 0f875a04a..93931ad9b 100644
--- a/components/manifests/overlays/production/ambient-api-server-jwt-args-patch.yaml
+++ b/components/manifests/overlays/production/ambient-api-server-jwt-args-patch.yaml
@@ -33,9 +33,8 @@ spec:
 - --metrics-server-bindaddress=:4433
 - --health-check-server-bindaddress=:4434
 - --enable-health-check-https=true
- # SSL disabled: PostgreSQL is in-cluster (same namespace, pod network only).
- # Switch to --db-sslmode=require if using an external database.
- - --db-sslmode=disable
+ # SSL required: Using external AWS RDS database
+ - --db-sslmode=require
 - --db-max-open-connections=50
 - --enable-db-debug=false
 - --enable-metrics-https=false
diff --git a/components/manifests/overlays/production/ambient-api-server-migration-ssl-patch.yaml b/components/manifests/overlays/production/ambient-api-server-migration-ssl-patch.yaml
new file mode 100644
index 000000000..191e9d2c9
--- /dev/null
+++ b/components/manifests/overlays/production/ambient-api-server-migration-ssl-patch.yaml
@@ -0,0 +1,21 @@
+# Production: enable SSL for migration init container when using external RDS
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ambient-api-server
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: migration
+ command:
+ - /usr/local/bin/ambient-api-server
+ - migrate
+ - --db-host-file=/secrets/db/db.host
+ - --db-port-file=/secrets/db/db.port
+ - --db-user-file=/secrets/db/db.user
+ - --db-password-file=/secrets/db/db.password
+ - --db-name-file=/secrets/db/db.name
+ - --db-sslmode=require
+ - --alsologtostderr
+ - -v=4
diff --git a/components/manifests/overlays/production/kustomization.yaml b/components/manifests/overlays/production/kustomization.yaml
index 162a72e2b..dab7f6d71 100644
--- a/components/manifests/overlays/production/kustomization.yaml
+++ b/components/manifests/overlays/production/kustomization.yaml
@@ -46,6 +46,12 @@ patches:
 kind: Deployment
 name: ambient-api-server
 version: v1
+- path: ambient-api-server-migration-ssl-patch.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: ambient-api-server
+ version: v1
 - path: ambient-api-server-service-ca-patch.yaml
 target:
 kind: Service
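Review bot: `--db-sslmode=require` on the new line encrypts the connection to RDS but performs no server-certificate or hostname validation, so a DNS or routing hijack between the pod and the endpoint still yields a working man-in-the-middle; the value to pin for an external database is `--db-sslmode=verify-full`, with the Amazon RDS CA bundle mounted into the container and handed to the client (a root-cert flag is not visible in this diff — confirm the binary exposes one). The same `require` is repeated in the migration init-container patch created in this commit, so both should move together. The comment being replaced already anticipated the switch to `require`; keeping a line such as `# TODO: verify-full once the RDS CA bundle is mounted` would record the remaining gap.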
From 6e36009bce8f7dfc08671c17948ffd0e6040d939 Mon Sep 17 00:00:00 2001 From: Matthew Knop Date: Wed, 15 Apr 2026 12:20:10 -0600 Subject: [PATCH 16/38] fix: disable OpenTelemetry metrics export in operator MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Disables OTEL metrics export by commenting out OTEL_EXPORTER_OTLP_ENDPOINT environment variable in operator deployment manifests. The operator was configured to send metrics to otel-collector.ambient-code.svc:4317, but this service does not exist in the cluster, causing repeated gRPC connection failures every 30 seconds with error: "failed to upload metrics: context deadline exceeded: rpc error: code = Unavailable desc = name resolver error: produced zero addresses" With OTEL_EXPORTER_OTLP_ENDPOINT unset, InitMetrics() will skip metrics export and log "metrics export disabled" instead of throwing connection errors. Changes: - Comment out OTEL_EXPORTER_OTLP_ENDPOINT in base operator deployment - Comment out OTEL_EXPORTER_OTLP_ENDPOINT in OpenShift template - Add clarifying comment about re-enabling when collector is deployed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- components/manifests/base/core/operator-deployment.yaml | 5 +++-- components/manifests/templates/template-operator.yaml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/components/manifests/base/core/operator-deployment.yaml b/components/manifests/base/core/operator-deployment.yaml index 30aad69c0..ff12ef651 100644 --- a/components/manifests/base/core/operator-deployment.yaml +++ b/components/manifests/base/core/operator-deployment.yaml 
@@ -123,8 +123,9 @@ spec:
 # - name: DEFAULT_INACTIVITY_TIMEOUT
 # value: "86400" # Default inactivity timeout in seconds (24h). Set to 0 to disable.
 # OpenTelemetry configuration
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: "otel-collector.ambient-code.svc:4317" # Deploy OTel collector separately
+ # Disabled: OTel collector not deployed. Uncomment when collector is available.
+ # - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ # value: "otel-collector.ambient-code.svc:4317" # Deploy OTel collector separately
 - name: DEPLOYMENT_ENV
 value: "production"
 - name: VERSION
diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml
index d56a367fd..67205f2c5 100644
--- a/components/manifests/templates/template-operator.yaml
+++ b/components/manifests/templates/template-operator.yaml
@@ -1296,8 +1296,9 @@ objects:
 value: http://minio.ambient-code.svc:9000
 - name: S3_BUCKET
 value: ambient-sessions
- - name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: otel-collector.ambient-code.svc:4317
+ # Disabled: OTel collector not deployed. Uncomment when collector is available.
+ # - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ # value: otel-collector.ambient-code.svc:4317
 - name: DEPLOYMENT_ENV
 value: production
 - name: VERSION
From 71683a598b99a972c070b8b429e78b031af29088 Mon Sep 17 00:00:00 2001
From: Matthew Knop
Date: Wed, 15 Apr 2026 15:06:12 -0600
Subject: [PATCH 17/38] enabling ssl mode for rds
---
components/manifests/templates/template-services.yaml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml
index c16b9b1ba..bef063fe4 100644
--- a/components/manifests/templates/template-services.yaml
+++ b/components/manifests/templates/template-services.yaml
@@ -232,7 +232,8 @@ objects: - --api-server-bindaddress=:8000 - --metrics-server-bindaddress=:4433 - --health-check-server-bindaddress=:4434 - - --db-sslmode=disable + # SSL required: Using external AWS RDS database + - --db-sslmode=require - --db-max-open-connections=50 - --enable-db-debug=false - --enable-metrics-https=false @@ -309,6 +310,7 @@ objects: - --db-user-file=/secrets/db/db.user - --db-password-file=/secrets/db/db.password - --db-name-file=/secrets/db/db.name + - --db-sslmode=require - --alsologtostderr - -v=4 image: ${IMAGE_AMBIENT_API_SERVER}:${IMAGE_TAG} From 97ebefacb69ae6b28fdab03c7340a5021312de17 Mon Sep 17 00:00:00 2001 
From: Chris Mitchell Date: Fri, 17 Apr 2026 16:39:16 -0400 Subject: [PATCH 18/38] Add OAuth proxy and SSL/TLS configuration for app-interface overlay Changes: - Add oauth-proxy component to frontend deployment (dashboard-ui port on 8443) - Enable SSL for ambient-api-server RDS connection (db-sslmode=require) - Set AMBIENT_ENV to 'stage' for ambient-api-server - Enable OpenShift service-ca for ambient-api-server TLS cert provisioning - Regenerate templates with new oauth-proxy and api-server patches This enables: - Authenticated access to frontend via OpenShift OAuth - Secure connections to external RDS database - Automatic TLS certificate rotation for ambient-api-server Co-Authored-By: Claude Sonnet 4.5 --- .../ambient-api-server-env-patch.yaml | 13 + .../ambient-api-server-service-ca-patch.yaml | 7 + .../ambient-api-server-ssl-patch.yaml | 52 ++ .../overlays/app-interface/kustomization.yaml | 18 + .../templates/template-operator.yaml | 62 +- .../templates/template-services.yaml | 552 ++++++++++++++++-- 6 files changed, 643 insertions(+), 61 deletions(-) create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-env-patch.yaml create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-service-ca-patch.yaml create mode 100644 components/manifests/overlays/app-interface/ambient-api-server-ssl-patch.yaml diff --git a/components/manifests/overlays/app-interface/ambient-api-server-env-patch.yaml b/components/manifests/overlays/app-interface/ambient-api-server-env-patch.yaml new file mode 100644 index 000000000..5d4b42235 --- /dev/null +++ b/components/manifests/overlays/app-interface/ambient-api-server-env-patch.yaml @@ -0,0 +1,13 @@ +# App-interface: set environment to stage +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ambient-api-server +spec: + template: + spec: + containers: + - name: api-server + env: + - name: AMBIENT_ENV + value: stage 
diff --git a/components/manifests/overlays/app-interface/ambient-api-server-service-ca-patch.yaml b/components/manifests/overlays/app-interface/ambient-api-server-service-ca-patch.yaml
new file mode 100644
index 000000000..514502c18
--- /dev/null
+++ b/components/manifests/overlays/app-interface/ambient-api-server-service-ca-patch.yaml
@@ -0,0 +1,7 @@
+# OpenShift service-ca: auto-provision and rotate TLS certs for ambient-api-server
+apiVersion: v1
+kind: Service
+metadata:
+ name: ambient-api-server
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: ambient-api-server-tls
diff --git a/components/manifests/overlays/app-interface/ambient-api-server-ssl-patch.yaml b/components/manifests/overlays/app-interface/ambient-api-server-ssl-patch.yaml
new file mode 100644
index 000000000..f75596a96
--- /dev/null
+++ b/components/manifests/overlays/app-interface/ambient-api-server-ssl-patch.yaml
@@ -0,0 +1,52 @@
+# App-interface (stage): enable SSL for external RDS connection
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ambient-api-server
+spec:
+ template:
+ spec:
+ # Migration init container: add SSL mode
+ initContainers:
+ - name: migration
+ command:
+ - /usr/local/bin/ambient-api-server
+ - migrate
+ - --db-host-file=/secrets/db/db.host
+ - --db-port-file=/secrets/db/db.port
+ - --db-user-file=/secrets/db/db.user
+ - --db-password-file=/secrets/db/db.password
+ - --db-name-file=/secrets/db/db.name
+ - --db-sslmode=require
+ - --alsologtostderr
+ - -v=4
+ # API server container: add SSL mode
+ containers:
+ - name: api-server
+ command:
+ - /usr/local/bin/ambient-api-server
+ - serve
+ - --db-host-file=/secrets/db/db.host
+ - --db-port-file=/secrets/db/db.port
+ - --db-user-file=/secrets/db/db.user
+ - --db-password-file=/secrets/db/db.password
+ - --db-name-file=/secrets/db/db.name
+ - --enable-jwt=true
+ - --enable-authz=false
+ - --jwk-cert-file=/configs/authentication/jwks.json
+ - --enable-https=false
+ - --api-server-bindaddress=:8000
+ - --metrics-server-bindaddress=:4433
+ - --health-check-server-bindaddress=:4434
+ - --db-sslmode=require
+ - --db-max-open-connections=50
+ - --enable-db-debug=false
+ - --enable-metrics-https=false
+ - --http-read-timeout=5s
+ - --http-write-timeout=30s
+ - --cors-allowed-origins=*
+ - --cors-allowed-headers=X-Ambient-Project
+ - --enable-grpc=true
+ - --grpc-server-bindaddress=:9000
+ - --alsologtostderr
+ - -v=4
diff --git a/components/manifests/overlays/app-interface/kustomization.yaml b/components/manifests/overlays/app-interface/kustomization.yaml
index 73c504ba9..6ecc5baad 100644
--- a/components/manifests/overlays/app-interface/kustomization.yaml
+++ b/components/manifests/overlays/app-interface/kustomization.yaml
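Review bot: This strategic-merge patch restates the entire `command` list of both containers in order to add one `--db-sslmode=require` argument, so the stage overlay now owns every flag in it — including `--enable-authz=false`, `--enable-https=false` and `--cors-allowed-origins=*`, presumably copied from the base — and any later hardening of those flags in the base is silently reverted at the next kustomize build. A JSON 6902 patch that only `add`s the single argument to each container's `command` would keep the overlay to the one line it intends to change. `require` also skips server-certificate validation; for an external RDS endpoint `--db-sslmode=verify-full` with the RDS CA bundle is the value to pin. With `--enable-https=false` retained here, the `ambient-api-server-tls` serving cert provisioned by the sibling service-ca patch has no consumer visible in this diff — confirm what mounts it.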
@@ -16,6 +16,10 @@ resources: - ambient-api-server-route.yaml - operator-config-openshift.yaml +# Components (optional features) +components: +- ../../components/oauth-proxy + # Patches to configure external resources patches: # Update operator to use Konflux runner image @@ -63,6 +67,20 @@ patches: kind: Secret name: ambient-code-rds +# Ambient API Server: enable SSL for RDS, set environment, enable service-ca TLS +- path: ambient-api-server-ssl-patch.yaml + target: + kind: Deployment + name: ambient-api-server +- path: ambient-api-server-env-patch.yaml + target: + kind: Deployment + name: ambient-api-server +- path: ambient-api-server-service-ca-patch.yaml + target: + kind: Service + name: ambient-api-server + # Konflux image overrides (redhat-services-prod) images: - name: quay.io/ambient_code/vteam_operator diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml index 67205f2c5..9dd730de2 100644 --- a/components/manifests/templates/template-operator.yaml +++ b/components/manifests/templates/template-operator.yaml @@ -3,7 +3,8 @@ kind: Template metadata: name: ambient-code-operator annotations: - description: Ambient Code Platform - Platform components (CRDs, RBAC, Operator) + description: Ambient Code Platform - Operator and CRDs + tags: ambient-code,operator parameters: - name: IMAGE_TAG description: Image tag to deploy (auto-generated from git commit) @@ -11,11 +12,9 @@ parameters: - name: IMAGE_OPERATOR description: Operator image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main - required: true - name: IMAGE_AMBIENT_RUNNER - description: Ambient Runner image + description: Ambient runner image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main - required: true objects: - apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -348,6 +347,30 @@ objects: metadata: name: agentic-operator namespace: ambient-code +- apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app: ambient-api-server + name: ambient-api-server + namespace: ambient-code +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: backend-api + namespace: ambient-code +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: frontend + namespace: ambient-code +- apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app: public-api + name: public-api + namespace: ambient-code - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1162,18 +1185,34 @@ objects: namespace: ambient-code - apiVersion: v1 data: - agent-registry.json: "[\n {\n \"id\": \"claude-agent-sdk\",\n \"displayName\": \"Claude Code\",\n \"description\": \"Anthropic Claude with full coding capabilities\",\n \"framework\": \"claude-agent-sdk\",\n \"provider\": \"anthropic\",\n \"container\": {\n \"image\": \"${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}\",\n \"port\": 8001,\n \"env\": {\n \"RUNNER_TYPE\": \"claude-agent-sdk\",\n \"RUNNER_STATE_DIR\": \".claude\"\n },\n \"resources\": {\n \"requests\": {\"cpu\": \"500m\", \"memory\": \"512Mi\"},\n \"limits\": {\"cpu\": \"2\", \"memory\": \"8Gi\"}\n }\n },\n \"sandbox\": {\n \"stateDir\": \".claude\",\n \"stateSyncImage\": \"quay.io/ambient_code/vteam_state_sync:latest\",\n \"persistence\": \"s3\",\n \"workspaceSize\": \"10Gi\",\n \"terminationGracePeriod\": 60,\n \"seed\": {\"cloneRepos\": true, \"hydrateState\": true}\n },\n \"auth\": {\n \"requiredSecretKeys\"\ - : [\"ANTHROPIC_API_KEY\"],\n \"secretKeyLogic\": \"any\",\n \"vertexSupported\": true\n },\n \"featureGate\": \"\"\n },\n {\n \"id\": \"gemini-cli\",\n \"displayName\": \"Gemini CLI\",\n \"description\": \"Google Gemini coding agent with built-in file, bash, and search tools\",\n \"framework\": \"gemini-cli\",\n \"provider\": \"google\",\n \"container\": {\n \"image\": \"${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}\",\n \"port\": 8001,\n \"env\": {\n \"RUNNER_TYPE\": \"gemini-cli\",\n \"RUNNER_STATE_DIR\": \".gemini\"\n }\n },\n \"sandbox\": {\n \"stateDir\": \".gemini\",\n \"stateSyncImage\": \"quay.io/ambient_code/vteam_state_sync:latest\",\n \"persistence\": \"s3\",\n \"workspaceSize\": \"10Gi\",\n \"terminationGracePeriod\": 60,\n \"seed\": {\"cloneRepos\": true, \"hydrateState\": true}\n },\n \"auth\": {\n \"requiredSecretKeys\": [\"GEMINI_API_KEY\", \"GOOGLE_API_KEY\"\ - ],\n \"secretKeyLogic\": \"any\",\n \"vertexSupported\": true\n },\n \"featureGate\": \"runner.gemini-cli.enabled\"\n }\n]\n" + agent-registry.json: "[\n 
{\n \"id\": \"claude-agent-sdk\",\n \"displayName\": \"Claude Code\",\n \"description\": \"Anthropic Claude with full coding capabilities\",\n \"framework\": \"claude-agent-sdk\",\n \"provider\": \"anthropic\",\n \"container\": {\n \"image\": \"quay.io/ambient_code/vteam_claude_runner:latest\",\n \"port\": 8001,\n \"env\": {\n \"RUNNER_TYPE\": \"claude-agent-sdk\",\n \"RUNNER_STATE_DIR\": \".claude\"\n },\n \"resources\": {\n \"requests\": {\"cpu\": \"500m\", \"memory\": \"512Mi\"},\n \"limits\": {\"cpu\": \"2\", \"memory\": \"8Gi\"}\n }\n },\n \"sandbox\": {\n \"stateDir\": \".claude\",\n \"stateSyncImage\": \"quay.io/ambient_code/vteam_state_sync:latest\",\n \"persistence\": \"s3\",\n \"workspaceSize\": \"10Gi\",\n \"terminationGracePeriod\": 60,\n \"seed\": {\"cloneRepos\": true, \"hydrateState\": true}\n },\n \"auth\": {\n \"requiredSecretKeys\": [\"ANTHROPIC_API_KEY\"],\n \"secretKeyLogic\": \"any\",\n \"vertexSupported\": true\n },\n \"featureGate\": \"\"\n },\n {\n \"id\": \"gemini-cli\",\n \"displayName\": \"Gemini CLI\",\n \"description\": \"Google Gemini coding agent with built-in file, bash, and search tools\",\n \"framework\": \"gemini-cli\",\n \"provider\": \"google\",\n \"container\": {\n \"image\": \"quay.io/ambient_code/vteam_claude_runner:latest\",\n \"port\": 8001,\n \"env\": {\n \"RUNNER_TYPE\": \"gemini-cli\",\n \"RUNNER_STATE_DIR\": \".gemini\"\n }\n },\n \"sandbox\": {\n \"stateDir\": \".gemini\",\n \"stateSyncImage\": \"quay.io/ambient_code/vteam_state_sync:latest\",\n \"persistence\": \"s3\",\n \"workspaceSize\": \"10Gi\",\n \"terminationGracePeriod\": 60,\n \"seed\": {\"cloneRepos\": true, \"hydrateState\": true}\n },\n \"auth\": {\n \"requiredSecretKeys\": [\"GEMINI_API_KEY\", \"GOOGLE_API_KEY\"],\n \"secretKeyLogic\": \"any\",\n \"vertexSupported\": true\n },\n \"featureGate\": \"runner.gemini-cli.enabled\"\n }\n]\n" kind: ConfigMap metadata: name: ambient-agent-registry namespace: ambient-code - apiVersion: v1 data: - models.json: "{\n 
\"version\": 2,\n \"defaultModel\": \"claude-sonnet-4-5\",\n \"providerDefaults\": {\n \"anthropic\": \"claude-sonnet-4-5\",\n \"google\": \"gemini-2.5-flash\"\n },\n \"models\": [\n {\n \"id\": \"claude-sonnet-4-5\",\n \"label\": \"Claude Sonnet 4.5\",\n \"vertexId\": \"claude-sonnet-4-5@20250929\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-opus-4-6\",\n \"label\": \"Claude Opus 4.6\",\n \"vertexId\": \"claude-opus-4-6@default\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"claude-opus-4-5\",\n \"label\": \"Claude Opus 4.5\",\n \"vertexId\": \"claude-opus-4-5@20251101\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-haiku-4-5\",\n \"label\": \"Claude Haiku\ - \ 4.5\",\n \"vertexId\": \"claude-haiku-4-5@20251001\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-sonnet-4-6\",\n \"label\": \"Claude Sonnet 4.6\",\n \"vertexId\": \"claude-sonnet-4-6@default\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash\",\n \"label\": \"Gemini 2.5 Flash\",\n \"vertexId\": \"gemini-2.5-flash@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"gemini-2.5-pro\",\n \"label\": \"Gemini 2.5 Pro\",\n \"vertexId\": \"gemini-2.5-pro@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash-lite\",\n \"label\": \"Gemini 2.5 Flash Lite\",\n \"vertexId\": \"gemini-2.5-flash-lite@default\"\ - ,\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash-preview-04-17\",\n \"label\": \"Gemini 2.5 Flash Preview 04.17\",\n \"vertexId\": \"gemini-2.5-flash-preview-04-17@default\",\n \"provider\": \"google\",\n 
\"available\": false,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-3.1-flash-image-preview\",\n \"label\": \"Gemini 3.1 Flash Image Preview\",\n \"vertexId\": \"gemini-3.1-flash-image-preview@default\",\n \"provider\": \"google\",\n \"available\": false,\n \"featureGated\": true\n }\n ]\n}\n" + acl.yml: "- claim: email\n pattern: ^.*@(redhat\\.com|ambient\\.code)$\n" + jwks.json: '{"keys":[]} + + ' + kind: ConfigMap + metadata: + labels: + app: ambient-api-server + component: auth + name: ambient-api-server-auth + namespace: ambient-code +- apiVersion: v1 + data: + flags.json: "{\n \"flags\": [\n {\n \"name\": \"runner.gemini-cli.enabled\",\n \"description\": \"Enable Gemini CLI runner type for session creation\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"ldap.autocomplete.enabled\",\n \"description\": \"Enable LDAP user and group autocomplete for workspace sharing\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"scheduled-session.reuse.enabled\",\n \"description\": \"Enable reuse last session option for scheduled sessions\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"jira-write\",\n \"description\": \"Allow Jira MCP server to perform write operations in new sessions\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n }\n ]\n}\n" + kind: ConfigMap + metadata: + name: ambient-flags + namespace: ambient-code +- apiVersion: v1 + data: + models.json: "{\n \"version\": 2,\n \"defaultModel\": \"claude-sonnet-4-5\",\n \"providerDefaults\": {\n \"anthropic\": \"claude-sonnet-4-5\",\n \"google\": \"gemini-2.5-flash\"\n },\n \"models\": [\n {\n \"id\": \"claude-sonnet-4-5\",\n \"label\": \"Claude Sonnet 4.5\",\n \"vertexId\": \"claude-sonnet-4-5@20250929\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": 
\"claude-opus-4-6\",\n \"label\": \"Claude Opus 4.6\",\n \"vertexId\": \"claude-opus-4-6@default\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"claude-opus-4-5\",\n \"label\": \"Claude Opus 4.5\",\n \"vertexId\": \"claude-opus-4-5@20251101\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-haiku-4-5\",\n \"label\": \"Claude Haiku 4.5\",\n \"vertexId\": \"claude-haiku-4-5@20251001\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"claude-sonnet-4-6\",\n \"label\": \"Claude Sonnet 4.6\",\n \"vertexId\": \"claude-sonnet-4-6@default\",\n \"provider\": \"anthropic\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash\",\n \"label\": \"Gemini 2.5 Flash\",\n \"vertexId\": \"gemini-2.5-flash@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": false\n },\n {\n \"id\": \"gemini-2.5-pro\",\n \"label\": \"Gemini 2.5 Pro\",\n \"vertexId\": \"gemini-2.5-pro@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash-lite\",\n \"label\": \"Gemini 2.5 Flash Lite\",\n \"vertexId\": \"gemini-2.5-flash-lite@default\",\n \"provider\": \"google\",\n \"available\": true,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-2.5-flash-preview-04-17\",\n \"label\": \"Gemini 2.5 Flash Preview 04.17\",\n \"vertexId\": \"gemini-2.5-flash-preview-04-17@default\",\n \"provider\": \"google\",\n \"available\": false,\n \"featureGated\": true\n },\n {\n \"id\": \"gemini-3.1-flash-image-preview\",\n \"label\": \"Gemini 3.1 Flash Image Preview\",\n \"vertexId\": \"gemini-3.1-flash-image-preview@default\",\n \"provider\": \"google\",\n \"available\": false,\n \"featureGated\": true\n }\n ]\n}\n" kind: ConfigMap metadata: name: ambient-models 
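Review bot: The regenerated `agent-registry.json` replaces the parameterized runner image `${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}` with `quay.io/ambient_code/vteam_claude_runner:latest` for both the claude-agent-sdk and gemini-cli entries, so session sandboxes launched from this template would pull a mutable `:latest` tag from a different quay organization instead of the Konflux-built, tag-pinned image the template still declares as a parameter. This looks like a regeneration run against an overlay that lacks the image override rather than an intentional change; it should go back to `\"image\": \"${IMAGE_AMBIENT_RUNNER}:${IMAGE_TAG}\"` before merge, and ideally be resolved to a digest. The `stateSyncImage` values also use `:latest`, which predates this commit but deserves the same pinning. If this stands, the `IMAGE_AMBIENT_RUNNER` parameter becomes dead in this template.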
@@ -1296,9 +1335,6 @@ objects: value: http://minio.ambient-code.svc:9000 - name: S3_BUCKET value: ambient-sessions - # Disabled: OTel collector not deployed. Uncomment when collector is available. - # - name: OTEL_EXPORTER_OTLP_ENDPOINT - # value: otel-collector.ambient-code.svc:4317 - name: DEPLOYMENT_ENV value: production - name: VERSION diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index bef063fe4..a7833ac57 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -3,7 +3,8 @@ kind: Template metadata: name: ambient-code-services annotations: - description: Ambient Code Platform - Application services + description: Ambient Code Platform - Application Services + tags: ambient-code,services parameters: - name: IMAGE_TAG description: Image tag to deploy (auto-generated from git commit) 
@@ -11,81 +12,60 @@ parameters: - name: IMAGE_BACKEND description: Backend API image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main - required: true - name: IMAGE_FRONTEND description: Frontend image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main - required: true - name: IMAGE_PUBLIC_API description: Public API image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main - required: true - name: IMAGE_AMBIENT_API_SERVER description: Ambient API Server image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main - required: true objects: - apiVersion: v1 - kind: ServiceAccount + kind: Namespace metadata: + annotations: + app.kubernetes.io/name: ambient-code + app.kubernetes.io/part-of: ambient-code labels: - app: ambient-api-server - name: ambient-api-server - namespace: ambient-code + app: vteam + name: ambient-code + name: ambient-code - apiVersion: v1 - kind: ServiceAccount - metadata: - name: backend-api - namespace: ambient-code -- apiVersion: v1 - kind: ServiceAccount - metadata: - name: frontend - namespace: ambient-code -- apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app: public-api - name: public-api - namespace: ambient-code -- apiVersion: v1 - data: - acl.yml: "- claim: email\n pattern: ^.*@(redhat\\.com|ambient\\.code)$\n" - jwks.json: '{"keys":[]} - - ' - kind: ConfigMap + kind: Secret metadata: labels: app: ambient-api-server - component: auth - name: ambient-api-server-auth - namespace: ambient-code -- apiVersion: v1 - data: - flags.json: "{\n \"flags\": [\n {\n \"name\": \"runner.gemini-cli.enabled\",\n \"description\": \"Enable Gemini CLI runner type for session creation\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"ldap.autocomplete.enabled\",\n \"description\": 
\"Enable LDAP user and group autocomplete for workspace sharing\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"scheduled-session.reuse.enabled\",\n \"description\": \"Enable reuse last session option for scheduled sessions\",\n \"tags\": [\n {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n },\n {\n \"name\": \"jira-write\",\n \"description\": \"Allow Jira MCP server to perform write operations in new sessions\",\n \"tags\": [\n \ - \ {\n \"type\": \"scope\",\n \"value\": \"workspace\"\n }\n ]\n }\n ]\n}\n" - kind: ConfigMap - metadata: - name: ambient-flags + component: api + name: ambient-api-server namespace: ambient-code + stringData: + sentry.key: '' + type: Opaque - apiVersion: v1 kind: Secret metadata: + annotations: + qontract.recycle: 'true' labels: app: ambient-api-server - component: api - name: ambient-api-server + component: database + name: ambient-code-rds namespace: ambient-code stringData: - sentry.key: '' + db.host: VAULT_INJECTED + db.name: ambient_code + db.password: VAULT_INJECTED + db.port: '5432' + db.user: VAULT_INJECTED type: Opaque - apiVersion: v1 kind: Service metadata: annotations: description: Exposes the ambient-api-server REST API + service.beta.openshift.io/serving-cert-secret-name: ambient-api-server-tls labels: app: ambient-api-server component: api @@ -112,6 +92,24 @@ objects: selector: app: ambient-api-server component: api +- apiVersion: v1 + kind: Service + metadata: + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db + namespace: ambient-code + spec: + ports: + - name: postgresql + port: 5432 + protocol: TCP + targetPort: 5432 + selector: + app: ambient-api-server + component: database + type: ClusterIP - apiVersion: v1 kind: Service metadata: 
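Review bot: The new `ambient-code-rds` Secret carries `VAULT_INJECTED` as plain string values for `db.host`, `db.user` and `db.password`, which `oc process` will apply verbatim if the template is ever rendered outside the app-interface Vault substitution, producing a Secret that exists but holds placeholder credentials and failing only when the migration init container tries to connect. If the substitution is keyed on that exact literal, a comment above the Secret naming the mechanism would make the dependency explicit; otherwise surfacing these as template parameters with `required: true` and no default would fail at processing time instead. Note the same hunk removes `required: true` from the four image parameters, which moves in the opposite direction — confirm that was intended. The hunk's remaining objects are the moved ServiceAccounts and ConfigMaps, which read as a pure relocation.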
@@ -131,12 +129,18 @@ objects: - apiVersion: v1 kind: Service metadata: + annotations: + service.beta.openshift.io/serving-cert-secret-name: dashboard-proxy-tls labels: app: frontend name: frontend-service namespace: ambient-code spec: ports: + - name: dashboard-ui + port: 8443 + protocol: TCP + targetPort: dashboard-ui - name: http port: 3000 protocol: TCP @@ -144,6 +148,42 @@ objects: selector: app: frontend type: ClusterIP +- apiVersion: v1 + kind: Service + metadata: + labels: + app: minio + name: minio + namespace: ambient-code + spec: + ports: + - name: api + port: 9000 + protocol: TCP + targetPort: 9000 + - name: console + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app: minio + type: ClusterIP +- apiVersion: v1 + kind: Service + metadata: + labels: + app: postgresql + app.kubernetes.io/name: postgresql + name: postgresql + namespace: ambient-code + spec: + ports: + - name: postgresql + port: 5432 + targetPort: postgresql + selector: + app: postgresql + type: ClusterIP - apiVersion: v1 kind: Service metadata: @@ -160,6 +200,22 @@ objects: selector: app: public-api type: ClusterIP +- apiVersion: v1 + kind: Service + metadata: + labels: + app: unleash + app.kubernetes.io/name: unleash + name: unleash + namespace: ambient-code + spec: + ports: + - name: http + port: 4242 + targetPort: 4242 + selector: + app: unleash + type: ClusterIP - apiVersion: v1 kind: LimitRange metadata: @@ -177,6 +233,20 @@ objects: cpu: 250m memory: 256Mi type: Container +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db-data + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi - apiVersion: v1 kind: PersistentVolumeClaim metadata: 
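Review bot: The frontend Service gains the `dashboard-ui` 8443 port for the OAuth proxy but keeps exposing `http` on 3000, so any workload with network reach inside the namespace can still hit the dashboard without passing through the proxy; unless a NetworkPolicy or the Route is the only path in, the 3000 port should come off the Service (or the container should bind to localhost) so the proxy is the sole entry point. The frontend Route is not in this hunk — confirm it targets `dashboard-ui` rather than `http`. The hunk also adds ClusterIP Services for `minio`, `postgresql` and `unleash` to the stage template; whether those in-cluster components are meant to run in app-interface isn't visible here.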
@@ -191,6 +261,34 @@ objects: resources: requests: storage: 5Gi +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: minio + name: minio-data + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 500Gi +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app: postgresql + app.kubernetes.io/component: database + app.kubernetes.io/name: postgresql + name: postgresql-data + namespace: ambient-code + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi - apiVersion: apps/v1 kind: Deployment metadata: @@ -232,7 +330,6 @@ objects: - --api-server-bindaddress=:8000 - --metrics-server-bindaddress=:4433 - --health-check-server-bindaddress=:4434 - # SSL required: Using external AWS RDS database - --db-sslmode=require - --db-max-open-connections=50 - --enable-db-debug=false @@ -247,7 +344,7 @@ objects: - -v=4 env: - name: AMBIENT_ENV - value: development + value: stage image: ${IMAGE_AMBIENT_API_SERVER}:${IMAGE_TAG} imagePullPolicy: Always livenessProbe: 
@@ -336,6 +433,77 @@ objects: - configMap: name: ambient-api-server-auth name: auth-config +- apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: ambient-api-server + component: database + name: ambient-api-server-db + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: ambient-api-server + component: database + strategy: + type: Recreate + template: + metadata: + labels: + app: ambient-api-server + component: database + spec: + containers: + - env: + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + key: db.user + name: ambient-code-rds + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: ambient-code-rds + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + key: db.name + name: ambient-code-rds + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + image: postgres:16 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: ambient-api-server-db-data + volumes: + - name: ambient-api-server-db-data + persistentVolumeClaim: + claimName: ambient-api-server-db-data - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -668,6 +836,208 @@ objects: port: http initialDelaySeconds: 5 periodSeconds: 5 + resources: + limits: + cpu: 1000m + memory: 2Gi + requests: + cpu: 200m + memory: 512Mi + - args: + - --http-address=:8443 + - --https-address= + - --provider=openshift + - --upstream=http://localhost:3000 + - --client-id=ambient-frontend + - --client-secret-file=/etc/oauth/config/client-secret + - --cookie-secret-file=/etc/oauth/config/cookie_secret + - --cookie-expire=23h0m0s + - --pass-access-token + - --scope=user:full + - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}} + - --skip-auth-regex=^/metrics + image: quay.io/openshift/origin-oauth-proxy:4.14 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /oauth/healthz + port: dashboard-ui + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + name: oauth-proxy + ports: + - containerPort: 8443 + name: dashboard-ui + readinessProbe: + failureThreshold: 3 + httpGet: + path: /oauth/healthz + port: dashboard-ui + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 50m + memory: 256Mi + volumeMounts: + - mountPath: /etc/oauth/config + name: oauth-config + - mountPath: /etc/tls/private + name: proxy-tls + serviceAccountName: frontend + volumes: + - name: oauth-config + secret: + secretName: frontend-oauth-config + - name: proxy-tls + secret: + secretName: dashboard-proxy-tls +- apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: minio + name: minio + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: minio + template: + metadata: + labels: + app: minio + spec: + containers: + - args: + - server + - /data + - --console-address + - :9001 + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + key: root-user + name: minio-credentials + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + 
key: root-password + name: minio-credentials + image: quay.io/minio/minio:latest + livenessProbe: + failureThreshold: 5 + httpGet: + path: /minio/health/live + port: 9000 + initialDelaySeconds: 60 + periodSeconds: 15 + timeoutSeconds: 5 + name: minio + ports: + - containerPort: 9000 + name: api + protocol: TCP + - containerPort: 9001 + name: console + protocol: TCP + readinessProbe: + failureThreshold: 5 + httpGet: + path: /minio/health/ready + port: 9000 + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 6000m + memory: 12Gi + requests: + cpu: 3000m + memory: 6Gi + volumeMounts: + - mountPath: /data + name: data + volumes: + - name: data + persistentVolumeClaim: + claimName: minio-data +- apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: postgresql + app.kubernetes.io/component: database + app.kubernetes.io/name: postgresql + name: postgresql + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: postgresql + strategy: + type: Recreate + template: + metadata: + labels: + app: postgresql + app.kubernetes.io/name: postgresql + spec: + containers: + - env: + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + key: db.user + name: postgresql-credentials + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: postgresql-credentials + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + key: db.name + name: postgresql-credentials + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + image: postgres:16 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + name: postgresql + ports: + - containerPort: 5432 + name: postgresql + readinessProbe: + exec: + command: + - /bin/sh + - -c + - pg_isready -U "$POSTGRES_USER" + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 resources: limits: cpu: 500m 
@@ -675,7 +1045,13 @@ objects: requests: cpu: 100m memory: 256Mi - serviceAccountName: frontend + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: data + volumes: + - name: data + persistentVolumeClaim: + claimName: postgresql-data - apiVersion: apps/v1 kind: Deployment metadata: @@ -741,6 +1117,86 @@ objects: readOnlyRootFilesystem: true runAsNonRoot: true serviceAccountName: public-api +- apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: unleash + app.kubernetes.io/component: server + app.kubernetes.io/name: unleash + name: unleash + namespace: ambient-code + spec: + replicas: 0 + selector: + matchLabels: + app: unleash + template: + metadata: + labels: + app: unleash + app.kubernetes.io/name: unleash + spec: + containers: + - env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + key: database-url + name: unleash-credentials + - name: DATABASE_SSL + valueFrom: + secretKeyRef: + key: database-ssl + name: unleash-credentials + - name: LOG_LEVEL + value: info + - name: INIT_ADMIN_API_TOKENS + valueFrom: + secretKeyRef: + key: admin-api-token + name: unleash-credentials + - name: INIT_CLIENT_API_TOKENS + valueFrom: + secretKeyRef: + key: client-api-token + name: unleash-credentials + - name: INIT_FRONTEND_API_TOKENS + valueFrom: + secretKeyRef: + key: frontend-api-token + name: unleash-credentials + - name: UNLEASH_DEFAULT_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: default-admin-password + name: unleash-credentials + image: unleashorg/unleash-server:5.11.3 + livenessProbe: + httpGet: + path: /health + port: 4242 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 + name: unleash + ports: + - containerPort: 4242 + name: http + readinessProbe: + httpGet: + path: /health + port: 4242 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi - apiVersion: policy/v1 kind: PodDisruptionBudget metadata: 
From 79ed385f1f41688e5559c203db4a675075b9f032 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Fri, 17 Apr 2026 16:54:14 -0400 Subject: [PATCH 19/38] Remove in-cluster services from template-services.yaml Remove postgresql, minio, unleash, and ambient-api-server-db resources from the services template. These services are scaled to 0 via kustomize patches because we use external RDS and S3 instead. Including them in the template causes app-interface to try deploying them, which fails imagePattern validation and wastes resources. Excluded resources: - Deployment/postgresql, Service/postgresql - Deployment/minio, Service/minio, PVC/minio-data - Deployment/unleash, Service/unleash - Deployment/ambient-api-server-db, Service/ambient-api-server-db Template now has 21 service resources (down from 30). Co-Authored-By: Claude Sonnet 4.5 --- .../templates/template-services.yaml | 385 ------------------ 1 file changed, 385 deletions(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index a7833ac57..bb85bbb9f 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -92,24 +92,6 @@ objects: selector: app: ambient-api-server component: api -- apiVersion: v1 - kind: Service - metadata: - labels: - app: ambient-api-server - component: database - name: ambient-api-server-db - namespace: ambient-code - spec: - ports: - - name: postgresql - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - app: ambient-api-server - component: database - type: ClusterIP - apiVersion: v1 kind: Service metadata: 
@@ -148,42 +130,6 @@ objects: selector: app: frontend type: ClusterIP -- apiVersion: v1 - kind: Service - metadata: - labels: - app: minio - name: minio - namespace: ambient-code - spec: - ports: - - name: api - port: 9000 - protocol: TCP - targetPort: 9000 - - name: console - port: 9001 - protocol: TCP - targetPort: 9001 - selector: - app: minio - type: ClusterIP -- apiVersion: v1 - kind: Service - metadata: - labels: - app: postgresql - app.kubernetes.io/name: postgresql - name: postgresql - namespace: ambient-code - spec: - ports: - - name: postgresql - port: 5432 - targetPort: postgresql - selector: - app: postgresql - type: ClusterIP - apiVersion: v1 kind: Service metadata: @@ -200,22 +146,6 @@ objects: selector: app: public-api type: ClusterIP -- apiVersion: v1 - kind: Service - metadata: - labels: - app: unleash - app.kubernetes.io/name: unleash - name: unleash - namespace: ambient-code - spec: - ports: - - name: http - port: 4242 - targetPort: 4242 - selector: - app: unleash - type: ClusterIP - apiVersion: v1 kind: LimitRange metadata: @@ -261,19 +191,6 @@ objects: resources: requests: storage: 5Gi -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - labels: - app: minio - name: minio-data - namespace: ambient-code - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 500Gi - apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -433,77 +350,6 @@ objects: - configMap: name: ambient-api-server-auth name: auth-config -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: ambient-api-server - component: database - name: ambient-api-server-db - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: ambient-api-server - component: database - strategy: - type: Recreate - template: - metadata: - labels: - app: ambient-api-server - component: database - spec: - containers: - - env: - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: db.user - name: ambient-code-rds - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: ambient-code-rds - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: db.name - name: ambient-code-rds - - name: PGDATA - value: /var/lib/postgresql/data/pgdata - image: postgres:16 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - name: postgresql - ports: - - containerPort: 5432 - name: postgresql - readinessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: ambient-api-server-db-data - volumes: - - name: ambient-api-server-db-data - persistentVolumeClaim: - claimName: ambient-api-server-db-data - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -901,157 +747,6 @@ objects: - name: proxy-tls secret: secretName: dashboard-proxy-tls -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: minio - name: minio - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: minio - template: - metadata: - labels: - app: minio - spec: - containers: - - args: - - server - - /data - - --console-address - - :9001 - env: - - name: MINIO_ROOT_USER - valueFrom: - secretKeyRef: - key: root-user - name: minio-credentials - - name: MINIO_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: root-password - name: minio-credentials - image: quay.io/minio/minio:latest - livenessProbe: - failureThreshold: 5 - httpGet: - path: /minio/health/live - port: 9000 - initialDelaySeconds: 60 - periodSeconds: 15 - timeoutSeconds: 5 - name: minio - ports: - - containerPort: 9000 - name: api - protocol: TCP - - containerPort: 9001 - name: console - protocol: TCP - readinessProbe: - failureThreshold: 5 - httpGet: - path: /minio/health/ready - port: 9000 - initialDelaySeconds: 20 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: 6000m - memory: 12Gi - requests: - cpu: 3000m - memory: 6Gi - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: minio-data -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: postgresql - app.kubernetes.io/component: database - app.kubernetes.io/name: postgresql - name: postgresql - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: postgresql - strategy: - type: Recreate - template: - metadata: - labels: - app: postgresql - app.kubernetes.io/name: postgresql - spec: - containers: - - env: - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: db.user - name: postgresql-credentials - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: postgresql-credentials - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: db.name 
- name: postgresql-credentials - - name: PGDATA - value: /var/lib/postgresql/data/pgdata - image: postgres:16 - livenessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - name: postgresql - ports: - - containerPort: 5432 - name: postgresql - readinessProbe: - exec: - command: - - /bin/sh - - -c - - pg_isready -U "$POSTGRES_USER" - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: data - volumes: - - name: data - persistentVolumeClaim: - claimName: postgresql-data - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -1117,86 +812,6 @@ objects: readOnlyRootFilesystem: true runAsNonRoot: true serviceAccountName: public-api -- apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: unleash - app.kubernetes.io/component: server - app.kubernetes.io/name: unleash - name: unleash - namespace: ambient-code - spec: - replicas: 0 - selector: - matchLabels: - app: unleash - template: - metadata: - labels: - app: unleash - app.kubernetes.io/name: unleash - spec: - containers: - - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - key: database-url - name: unleash-credentials - - name: DATABASE_SSL - valueFrom: - secretKeyRef: - key: database-ssl - name: unleash-credentials - - name: LOG_LEVEL - value: info - - name: INIT_ADMIN_API_TOKENS - valueFrom: - secretKeyRef: - key: admin-api-token - name: unleash-credentials - - name: INIT_CLIENT_API_TOKENS - valueFrom: - secretKeyRef: - key: client-api-token - name: unleash-credentials - - name: INIT_FRONTEND_API_TOKENS - valueFrom: - secretKeyRef: - key: frontend-api-token - name: unleash-credentials - - name: UNLEASH_DEFAULT_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: default-admin-password - name: unleash-credentials - image: unleashorg/unleash-server:5.11.3 - livenessProbe: - httpGet: - path: /health - port: 4242 - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - name: unleash - ports: - - containerPort: 4242 - name: http - readinessProbe: - httpGet: - path: /health - port: 4242 - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - apiVersion: policy/v1 kind: PodDisruptionBudget metadata: From a81ec1f29fd8e6759b678f5c8f6fa95b920d940c Mon Sep 17 00:00:00 2001 
From: Chris Mitchell Date: Mon, 20 Apr 2026 12:02:28 -0400 Subject: [PATCH 20/38] Fix OAuth proxy configuration to use OpenShift service account auth Switch from custom vault secrets to OpenShift service account-based OAuth: - Use Red Hat's official ose-oauth-proxy-rhel9 image - Use service account token for cookie secret (no vault needed) - Enable HTTPS on OAuth proxy with OpenShift service-ca auto-generated certs - Add system:auth-delegator ClusterRoleBinding for OAuth delegation - Add OAuth redirect reference annotation to frontend ServiceAccount - Fix service account reference from 'nginx' to 'frontend' - Add missing NAMESPACE and UPSTREAM_TIMEOUT parameters Benefits: - No manual vault secret management - Automatic TLS cert rotation via service-ca - Standard OpenShift OAuth integration pattern - Follows app-interface team recommendations Files changed: - frontend-rbac.yaml: Added OAuth annotations and auth-delegator binding - oauth-proxy component patches: Updated to new configuration - Templates: Regenerated with OAuth fixes (27 operator, 21 service resources) Co-Authored-By: Claude Sonnet 4.5 --- .../manifests/base/rbac/frontend-rbac.yaml | 15 +++++ .../frontend-oauth-deployment-patch.yaml | 51 +++++++------- .../frontend-oauth-service-patch.yaml | 4 +- .../templates/template-operator.yaml | 21 ++++-- .../templates/template-services.yaml | 67 +++++++++---------- 5 files changed, 89 insertions(+), 69 deletions(-) diff --git a/components/manifests/base/rbac/frontend-rbac.yaml b/components/manifests/base/rbac/frontend-rbac.yaml index 3ec6af7cb..df37d79a1 100644 --- a/components/manifests/base/rbac/frontend-rbac.yaml +++ b/components/manifests/base/rbac/frontend-rbac.yaml 
@@ -3,6 +3,8 @@ kind: ServiceAccount metadata: name: frontend namespace: ambient-code + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend"}}' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -28,3 +30,16 @@ subjects: - kind: ServiceAccount name: frontend namespace: ambient-code +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ambient-frontend-oauth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: frontend + namespace: ambient-code diff --git a/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml b/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml index 5d13b56a9..50cfe5d78 100644 --- a/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml +++ b/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml @@ -1,5 +1,6 @@ # Patch for production frontend deployment -# - Adds OAuth proxy sidecar for authentication +# - Adds OAuth proxy sidecar for authentication using OpenShift OAuth +# - Uses service account token for cookie secret (no vault secret needed) # - Overrides resource limits to prevent OOMKills (sawtooth memory pattern) apiVersion: apps/v1 kind: Deployment 
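Review bot: The `ambient-frontend-oauth-delegator` binding gives `system:auth-delegator` (cluster-wide TokenReview and SubjectAccessReview) to the `frontend` ServiceAccount, which is the identity of the frontend application container as well as of the oauth-proxy sidecar, since a pod has a single SA. That is the standard requirement for `--openshift-delegate-urls` and cannot be scoped to the sidecar alone, so the binding is justified, but the side effect should be recorded above it: `# Needed by the oauth-proxy sidecar for --openshift-delegate-urls; the frontend app container shares this SA and therefore these review permissions.` The ClusterRole bound to the same SA earlier in this file has its rules outside the hunk; keep it minimal, because the two grants now add up for the app container.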
@@ -20,19 +21,18 @@ spec: cpu: 1000m # OAuth proxy sidecar - name: oauth-proxy - image: quay.io/openshift/origin-oauth-proxy:4.14 + image: registry.redhat.io/openshift4/ose-oauth-proxy-rhel9:v4.18.0-202506230505.p0.gcbd44ad.assembly.stream.el9 + imagePullPolicy: IfNotPresent args: - - --http-address=:8443 - - --https-address= + - --https-address=:8443 - --provider=openshift + - --openshift-service-account=frontend - --upstream=http://localhost:3000 - - --client-id=ambient-frontend - - --client-secret-file=/etc/oauth/config/client-secret - - --cookie-secret-file=/etc/oauth/config/cookie_secret - - --cookie-expire=23h0m0s - - --pass-access-token - - --scope=user:full - - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}} + - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token + - --upstream-timeout=5m - --skip-auth-regex=^/metrics ports: - containerPort: 8443 
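Review bot: `--cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token` derives the session-cookie key from the pod's service-account token; on current OpenShift that is a bound, per-pod, periodically rotated credential, so each replica signs cookies with a different key (a session created on one pod is rejected by another unless the Route is sticky) and every rotation logs all users out, besides reusing an API credential as key material. A generated secret avoids the Vault dependency this commit wants to drop: in the generated template declare `- name: COOKIE_SECRET generate: expression from: "[a-zA-Z0-9]{32}"`, put it in a Secret mounted next to the TLS material, and point `--cookie-secret-file` at that file. Separately, the new `--openshift-delegate-urls` only runs a SubjectAccessReview for paths under `/api` and `/federate`; every other path is served to any authenticated OpenShift user, and `/federate` looks carried over from a Prometheus example unless the frontend really serves that path. Dropping `--pass-access-token` also means the upstream no longer receives the user's token in `X-Forwarded-Access-Token`; confirm the frontend does not rely on it to call the backend as the user.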
@@ -41,38 +41,33 @@ spec: httpGet: path: /oauth/healthz port: dashboard-ui - scheme: HTTP - initialDelaySeconds: 30 + scheme: HTTPS + initialDelaySeconds: 10 timeoutSeconds: 1 - periodSeconds: 5 + periodSeconds: 10 successThreshold: 1 failureThreshold: 3 readinessProbe: httpGet: path: /oauth/healthz port: dashboard-ui - scheme: HTTP - initialDelaySeconds: 5 + scheme: HTTPS + initialDelaySeconds: 10 timeoutSeconds: 1 - periodSeconds: 5 + periodSeconds: 10 successThreshold: 1 failureThreshold: 3 resources: requests: - memory: 256Mi - cpu: 50m + memory: 50Mi + cpu: 10m limits: - memory: 512Mi + memory: 200Mi cpu: 200m volumeMounts: - - mountPath: /etc/oauth/config - name: oauth-config - mountPath: /etc/tls/private - name: proxy-tls + name: frontend-proxy-tls volumes: - - name: oauth-config - secret: - secretName: frontend-oauth-config - - name: proxy-tls + - name: frontend-proxy-tls secret: - secretName: dashboard-proxy-tls + secretName: frontend-proxy-tls diff --git a/components/manifests/components/oauth-proxy/frontend-oauth-service-patch.yaml b/components/manifests/components/oauth-proxy/frontend-oauth-service-patch.yaml index 747fc04db..d5fb613a5 100644 --- a/components/manifests/components/oauth-proxy/frontend-oauth-service-patch.yaml +++ b/components/manifests/components/oauth-proxy/frontend-oauth-service-patch.yaml @@ -1,10 +1,12 @@ # Patch to add OAuth port to frontend service +# - Adds HTTPS port for OAuth proxy sidecar +# - Uses service.alpha annotation for auto-generated TLS cert apiVersion: v1 kind: Service metadata: name: frontend-service annotations: - service.beta.openshift.io/serving-cert-secret-name: dashboard-proxy-tls + service.alpha.openshift.io/serving-cert-secret-name: frontend-proxy-tls spec: ports: - port: 8443 diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml index 9dd730de2..142aa6982 100644 --- a/components/manifests/templates/template-operator.yaml 
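Review bot: The Service annotation is moved from `service.beta.openshift.io/serving-cert-secret-name` to `service.alpha.openshift.io/serving-cert-secret-name`; the beta form is the one the OpenShift service-ca documentation uses and the alpha form is the legacy spelling kept for compatibility, so this is a step backwards with no stated reason. Unless a specific cluster requires the alpha name, keep `service.beta.openshift.io/serving-cert-secret-name: frontend-proxy-tls` and limit this hunk to the secret rename, and make the header comment say which annotation is used and why rather than just "Uses service.alpha annotation". Since the deployment mounts `frontend-proxy-tls` at `/etc/tls/private`, an annotation service-ca does not act on leaves the proxy pod stuck on a missing volume instead of failing loudly at TLS startup.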
+++ b/components/manifests/templates/template-operator.yaml @@ -3,17 +3,14 @@ kind: Template metadata: name: ambient-code-operator annotations: - description: Ambient Code Platform - Operator and CRDs - tags: ambient-code,operator + description: Ambient Code Platform - Operator parameters: - name: IMAGE_TAG - description: Image tag to deploy (auto-generated from git commit) + description: Image tag required: true - name: IMAGE_OPERATOR - description: Operator image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-operator-main - name: IMAGE_AMBIENT_RUNNER - description: Ambient runner image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-runner-main objects: - apiVersion: apiextensions.k8s.io/v1 @@ -362,6 +359,8 @@ objects: - apiVersion: v1 kind: ServiceAccount metadata: + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend"}}' name: frontend namespace: ambient-code - apiVersion: v1 @@ -1159,6 +1158,18 @@ objects: - kind: ServiceAccount name: frontend namespace: ambient-code +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ambient-frontend-oauth-delegator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator + subjects: + - kind: ServiceAccount + name: frontend + namespace: ambient-code - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index bb85bbb9f..ebb301a56 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml 
@@ -3,24 +3,27 @@ kind: Template metadata: name: ambient-code-services annotations: - description: Ambient Code Platform - Application Services - tags: ambient-code,services + description: Ambient Code Platform - Services parameters: - name: IMAGE_TAG - description: Image tag to deploy (auto-generated from git commit) + description: Image tag required: true - name: IMAGE_BACKEND - description: Backend API image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-backend-main - name: IMAGE_FRONTEND - description: Frontend image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-frontend-main - name: IMAGE_PUBLIC_API - description: Public API image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-public-api-main - name: IMAGE_AMBIENT_API_SERVER - description: Ambient API Server image value: quay.io/redhat-services-prod/hcm-eng-prod-tenant/ambient-code-main/ambient-code-ambient-api-server-main +- name: OAUTH_PROXY_IMAGE_NAME + value: registry.redhat.io/openshift4/ose-oauth-proxy-rhel9 +- name: OAUTH_PROXY_IMAGE_TAG + value: v4.18.0-202506230505.p0.gcbd44ad.assembly.stream.el9 +- name: NAMESPACE + value: ambient-code +- name: UPSTREAM_TIMEOUT + value: 5m objects: - apiVersion: v1 kind: Namespace @@ -112,7 +115,7 @@ objects: kind: Service metadata: annotations: - service.beta.openshift.io/serving-cert-secret-name: dashboard-proxy-tls + service.alpha.openshift.io/serving-cert-secret-name: frontend-proxy-tls labels: app: frontend name: frontend-service 
@@ -690,27 +693,26 @@ objects: cpu: 200m memory: 512Mi - args: - - --http-address=:8443 - - --https-address= + - --https-address=:8443 - --provider=openshift + - --openshift-service-account=frontend - --upstream=http://localhost:3000 - - --client-id=ambient-frontend - - --client-secret-file=/etc/oauth/config/client-secret - - --cookie-secret-file=/etc/oauth/config/cookie_secret - - --cookie-expire=23h0m0s - - --pass-access-token - - --scope=user:full - - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}} + - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token + - --upstream-timeout=5m - --skip-auth-regex=^/metrics - image: quay.io/openshift/origin-oauth-proxy:4.14 + image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} + imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /oauth/healthz port: dashboard-ui - scheme: HTTP - initialDelaySeconds: 30 - periodSeconds: 5 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: oauth-proxy 
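Review bot: The regenerated proxy args still hard-code values the template now parameterises: `"name":"ambient-code","namespace":"ambient-code"` inside `--openshift-delegate-urls` and `--upstream-timeout=5m`, while the `NAMESPACE` and `UPSTREAM_TIMEOUT` parameters added in the first hunk of this file are referenced nowhere, so overriding them at `oc process` time silently has no effect. Either substitute `${NAMESPACE}` in the delegate-urls JSON and write `- --upstream-timeout=${UPSTREAM_TIMEOUT}` (the image line in this hunk already uses `${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG}`), or drop the two parameters so the template does not advertise knobs it ignores. If this file is produced from the kustomize component as the commit message says, the substitution belongs in the generator input, since hand edits here are lost on the next regeneration.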
@@ -722,31 +724,26 @@ objects: httpGet: path: /oauth/healthz port: dashboard-ui - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: 200m - memory: 512Mi + memory: 200Mi requests: - cpu: 50m - memory: 256Mi + cpu: 10m + memory: 50Mi volumeMounts: - - mountPath: /etc/oauth/config - name: oauth-config - mountPath: /etc/tls/private - name: proxy-tls + name: frontend-proxy-tls serviceAccountName: frontend volumes: - - name: oauth-config - secret: - secretName: frontend-oauth-config - - name: proxy-tls + - name: frontend-proxy-tls secret: - secretName: dashboard-proxy-tls + secretName: frontend-proxy-tls - apiVersion: apps/v1 kind: Deployment metadata: From 2d400d70401c6c192562a22a46fe07e4b4af977e Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 12:35:12 -0400 Subject: [PATCH 21/38] Exclude ambient-code-rds secret from services template The RDS credentials secret should not be in the OpenShift template - it's provided by the external resource provider (terraform) in app-interface. The namespace's externalResources section already defines: - provider: rds output_resource_name: ambient-code-rds This automatically creates the secret with the correct RDS credentials. Including the secret in the template with VAULT_INJECTED placeholders caused deployment failures. Changes: - Excluded ambient-code-rds secret from template generation - Template now has 20 service resources (down from 21) - Deployment still references the secret via volumeMount (correct) Co-Authored-By: Claude Sonnet 4.5 --- .../manifests/templates/template-services.yaml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index ebb301a56..74818b31f 100644 --- a/components/manifests/templates/template-services.yaml 
+++ b/components/manifests/templates/template-services.yaml @@ -46,23 +46,6 @@ objects: stringData: sentry.key: '' type: Opaque -- apiVersion: v1 - kind: Secret - metadata: - annotations: - qontract.recycle: 'true' - labels: - app: ambient-api-server - component: database - name: ambient-code-rds - namespace: ambient-code - stringData: - db.host: VAULT_INJECTED - db.name: ambient_code - db.password: VAULT_INJECTED - db.port: '5432' - db.user: VAULT_INJECTED - type: Opaque - apiVersion: v1 kind: Service metadata: From 67d4d13f302a0034e9a8b87d3b4d78f312b3cd46 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 15:50:48 -0400 Subject: [PATCH 22/38] fix: fix frontent route termination Signed-off-by: Chris Mitchell --- components/manifests/templates/template-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 74818b31f..4bffa728c 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -871,7 +871,7 @@ objects: targetPort: dashboard-ui tls: insecureEdgeTerminationPolicy: Redirect - termination: edge + termination: reencrypt to: kind: Service name: frontend-service From f89514d65b3360e0d4f7eaf1d245eaa3c32fbb37 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 16:10:09 -0400 Subject: [PATCH 23/38] fix: revert https changes for oauth pods Signed-off-by: Chris Mitchell --- components/manifests/templates/template-services.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 4bffa728c..4b11cc692 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml 
@@ -676,7 +676,8 @@ objects: cpu: 200m memory: 512Mi - args: - - --https-address=:8443 + - --http-address=:8443 + - --https-address= - --provider=openshift - --openshift-service-account=frontend - --upstream=http://localhost:3000 From 5ce42d3848338880e20fb64f2660c846029152eb Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 16:16:31 -0400 Subject: [PATCH 24/38] Change TLS termination from reencrypt to edge --- components/manifests/templates/template-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 4b11cc692..a3077b4f2 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -872,7 +872,7 @@ objects: targetPort: dashboard-ui tls: insecureEdgeTerminationPolicy: Redirect - termination: reencrypt + termination: edge to: kind: Service name: frontend-service From 6ca642c576fa6f1661b12cba7c647c27346390f5 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 16:19:14 -0400 Subject: [PATCH 25/38] Change health check scheme from HTTPS to HTTP --- components/manifests/templates/template-services.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index a3077b4f2..92d109c77 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -694,7 +694,7 @@ objects: httpGet: path: /oauth/healthz port: dashboard-ui - scheme: HTTPS + scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 @@ -708,7 +708,7 @@ objects: httpGet: path: /oauth/healthz port: dashboard-ui - scheme: HTTPS + scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 
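Review bot: Switching to `--http-address=:8443` with an empty `--https-address=` makes the proxy accept plaintext on 8443, so once the route is `edge`-terminated the router-to-pod hop inside the cluster is unencrypted, while `--tls-cert`/`--tls-key` and the `frontend-proxy-tls` mount remain as dead configuration (they appear as context in the later hunks of this series). If the plaintext hop is an accepted trade-off, remove the unused TLS args and state it, e.g. `# TLS terminates at the edge route; the proxy listens plaintext on 8443`; otherwise keep `--https-address=:8443` with a `reencrypt` route. The probes' `scheme` has to follow the listener either way, as the subsequent commits do by hand. The args list continues outside this hunk.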
From 2ae85d0ae2d295031a6a4842b96355ad70548b87 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 16:23:32 -0400 Subject: [PATCH 26/38] Update upstream URL to use frontend service --- components/manifests/templates/template-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 92d109c77..7ef0f6710 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -680,7 +680,7 @@ objects: - --https-address= - --provider=openshift - --openshift-service-account=frontend - - --upstream=http://localhost:3000 + - --upstream=http://frontend-service:3000 - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key From f15ada3da21998dbb63edf6f6a948ac6fbd5f7a9 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 16:42:57 -0400 Subject: [PATCH 27/38] Enable request logging in OAuth proxy configuration --- components/manifests/templates/template-services.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 7ef0f6710..fb6f67a47 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -687,6 +687,7 @@ objects: - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - --upstream-timeout=5m - --skip-auth-regex=^/metrics + - --request-logging image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} imagePullPolicy: IfNotPresent livenessProbe: 
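Review bot: Pointing the sidecar at `http://frontend-service:3000` instead of `localhost:3000` sends the authenticated request out of the pod to any replica and requires the Service to expose port 3000, which means in-cluster clients can reach the Next.js frontend directly without passing the oauth-proxy unless a NetworkPolicy restricts that port. The sidecar pattern keeps the upstream on `localhost` so only the proxy's listener is reachable; if port 3000 must be on the Service for another reason, that exposure deserves a comment and a policy. Only the args list is visible here; the Service definition is outside the hunk.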
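Review bot: `--request-logging` emits an access-log line per proxied request, and in oauth2-proxy-derived proxies that line presumably carries the request URI (so query strings, including the OAuth callback's `code` and `state`) together with the authenticated username, which turns the proxy's stdout into sensitive log data for whatever ships it. If this is for troubleshooting, mark it as temporary, e.g. `# debug only: access log includes URIs and usernames; remove before production`; if it is permanent, the log pipeline's retention and access should be reviewed. The surrounding container spec is outside the hunk.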
From 22229ce62ffa8a94e34bc6a8001a4563cf6d464c Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Mon, 20 Apr 2026 16:51:22 -0400 Subject: [PATCH 28/38] Update OAuth redirect reference for frontend service account --- components/manifests/templates/template-operator.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml index 142aa6982..e2f1c831c 100644 --- a/components/manifests/templates/template-operator.yaml +++ b/components/manifests/templates/template-operator.yaml @@ -360,7 +360,7 @@ objects: kind: ServiceAccount metadata: annotations: - serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend"}}' + serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend-route"}}' name: frontend namespace: ambient-code - apiVersion: v1 From 88d060460f9b922dd0953a7095c6916ad657e403 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Tue, 21 Apr 2026 14:43:09 -0400 Subject: [PATCH 29/38] Update Vertex AI credentials to use app-interface Vault secret Changes GCP service account configuration to align with app-interface deployment where credentials are provided via Vault. Changes: - template-services.yaml: Update backend vertex-credentials secret name from 'ambient-vertex' to 'stage-gcp-creds' (matches Vault secret) - template-operator.yaml: Update GOOGLE_APPLICATION_CREDENTIALS path to match Vault secret key name 'itpc-gcp-hcm-pe-eng.json' The secret is provided by app-interface via: path: engineering-productivity/ambient-code/stage-gcp-creds This allows the backend and operator to use Vertex AI for Claude and Gemini API calls with the service account configured with roles/aiplatform.user permissions. Co-Authored-By: Claude Sonnet 4.5 
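Review bot: The redirect reference now names a Route `frontend-route`; OpenShift resolves this annotation to that Route's host to build the permitted redirect URI, so if the Route object in template-services.yaml is not literally named `frontend-route` the login flow fails with a redirect_uri mismatch that only shows at runtime. The Route hunk earlier in this series shows `to: name: frontend-service` but not the Route's own `metadata.name`; confirm they agree and record the coupling here with `# must match metadata.name of the frontend Route in template-services.yaml`. The ServiceAccount object continues outside the hunk.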
Signed-off-by: Chris Mitchell --- components/manifests/templates/template-operator.yaml | 2 +- components/manifests/templates/template-services.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/components/manifests/templates/template-operator.yaml b/components/manifests/templates/template-operator.yaml index e2f1c831c..fd4c0172f 100644 --- a/components/manifests/templates/template-operator.yaml +++ b/components/manifests/templates/template-operator.yaml @@ -1232,7 +1232,7 @@ objects: data: ANTHROPIC_VERTEX_PROJECT_ID: ambient-code-platform CLOUD_ML_REGION: global - GOOGLE_APPLICATION_CREDENTIALS: /app/vertex/ambient-code-key.json + GOOGLE_APPLICATION_CREDENTIALS: /app/vertex/itpc-gcp-hcm-pe-eng.json USE_VERTEX: '1' kind: ConfigMap metadata: diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index fb6f67a47..417ff9fdd 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -597,7 +597,7 @@ objects: - name: vertex-credentials secret: optional: true - secretName: ambient-vertex + secretName: stage-gcp-creds - configMap: name: ambient-models optional: true From c8c52ad5b982f2e21e75e94a963a7488e2e0facb Mon Sep 17 00:00:00 2001 
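Review bot: `secretName: stage-gcp-creds` hardcodes an environment-specific secret into a template that a later commit in this series sets `AMBIENT_ENV: production` on, and because the volume is `optional: true` a missing or misnamed secret yields an empty mount, so the failure surfaces only when the backend reads `/app/vertex/itpc-gcp-hcm-pe-eng.json`. Consider a template parameter for the secret name with `stage-gcp-creds` as its default, and add `# key name must match GOOGLE_APPLICATION_CREDENTIALS in template-operator.yaml` since the filename and secret are now coupled across two files with nothing linking them. This hunk shows only the volume entry; the container's mountPath is outside it.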
From: Chris Mitchell Date: Tue, 21 Apr 2026 15:15:07 -0400 Subject: [PATCH 30/38] Fix OAuth proxy to pass access token to backend API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Configure OAuth proxy sidecar to inject authentication token into forwarded requests, fixing 401 errors on /api/projects endpoints. Changes: - Add --pass-access-token=true flag to inject X-Forwarded-Access-Token header - Change upstream from frontend-service:3000 to localhost:3000 (correct sidecar pattern) - Remove --request-logging to reduce log noise Backend logs showed: tokenSource=none hasAuthHeader=false hasFwdToken=false The backend expects the X-Forwarded-Access-Token header, which is now injected by the OAuth proxy for all authenticated requests. Flow: 1. User authenticates via OpenShift OAuth ✓ 2. OAuth proxy injects token header ✓ (new) 3. Frontend forwards token to backend API ✓ (fixed) This resolves the 401 authentication errors while maintaining the working OpenShift OAuth integration. Co-Authored-By: Claude Sonnet 4.5 --- components/manifests/templates/template-services.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 417ff9fdd..a92ecc6ae 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml 
@@ -680,14 +680,14 @@ objects: - --https-address= - --provider=openshift - --openshift-service-account=frontend - - --upstream=http://frontend-service:3000 + - --upstream=http://localhost:3000 - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - --upstream-timeout=5m - --skip-auth-regex=^/metrics - - --request-logging + - --pass-access-token=true image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} imagePullPolicy: IfNotPresent livenessProbe: From f7a43e7ce88bb7cae22d93930736201ad5a22694 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Tue, 21 Apr 2026 15:26:25 -0400 Subject: [PATCH 31/38] Update OAuth proxy configuration options --- components/manifests/templates/template-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index a92ecc6ae..b0d5f8f61 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -687,7 +687,7 @@ objects: - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - --upstream-timeout=5m - --skip-auth-regex=^/metrics - - --pass-access-token=true + - --set-authorization-header=true image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} imagePullPolicy: IfNotPresent livenessProbe: From 4e5efe3c1e3e7a10e5924bcfade23cd2a605ea39 Mon Sep 17 00:00:00 2001 
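Review bot: `--pass-access-token=true` makes the proxy hand the user's OAuth access token to the upstream in `X-Forwarded-Access-Token`, so the Next.js process and the backend now carry a bearer credential on every request; make sure neither logs request headers, and document the flag with `# forwards the user's OAuth token to the frontend, which relays it to the backend API`. The cookie secret in the context line above is still the projected service-account token (`--cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token`); bound tokens are refreshed by the kubelet, so the cookie encryption key presumably changes during the pod's lifetime and invalidates sessions, in addition to the key-length problem the later "Fix OAuth proxy to forward user tokens" commit describes. The args list continues outside this hunk.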
From: Chris Mitchell Date: Tue, 21 Apr 2026 15:29:40 -0400 Subject: [PATCH 32/38] Remove authorization header setting from template Removed the '--set-authorization-header=true' option from the configuration. --- components/manifests/templates/template-services.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index b0d5f8f61..6f2116c42 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -687,7 +687,6 @@ objects: - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - --upstream-timeout=5m - --skip-auth-regex=^/metrics - - --set-authorization-header=true image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} imagePullPolicy: IfNotPresent livenessProbe: From 26825fb1715954efcc98d1c32d53f5bc071013aa Mon Sep 17 00:00:00 2001 From: Matthew Knop Date: Tue, 21 Apr 2026 13:47:52 -0600 Subject: [PATCH 33/38] updating ambient env to production --- components/manifests/templates/template-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 6f2116c42..88250193e 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -247,7 +247,7 @@ objects: - -v=4 env: - name: AMBIENT_ENV - value: stage + value: production image: ${IMAGE_AMBIENT_API_SERVER}:${IMAGE_TAG} imagePullPolicy: Always livenessProbe: From 868e653c5473f7a7fb8e3846c60a85e74980e73f Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Tue, 21 Apr 2026 16:08:44 -0400 Subject: [PATCH 34/38] Add pass-user-bearer-token option to template-services.yaml --- components/manifests/templates/template-services.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 88250193e..a2a30b02d 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -687,6 +687,7 @@ objects: - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - --upstream-timeout=5m - --skip-auth-regex=^/metrics + - --pass-user-bearer-token image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} imagePullPolicy: IfNotPresent livenessProbe: From ef594bf49cff0c951342bb64d08eacc83712ecb9 Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Tue, 21 Apr 2026 16:20:46 -0400 Subject: [PATCH 35/38] Update template-services.yaml --- components/manifests/templates/template-services.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index a2a30b02d..88250193e 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -687,7 +687,6 @@ objects: - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - --upstream-timeout=5m - --skip-auth-regex=^/metrics - - --pass-user-bearer-token image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} imagePullPolicy: IfNotPresent livenessProbe: From 5f59d1b50b6bb9906a71b28e885c2a61751d4eeb Mon Sep 17 00:00:00 2001 
From: Chris Mitchell Date: Tue, 21 Apr 2026 17:08:00 -0400 Subject: [PATCH 36/38] Fix OAuth proxy to forward user tokens to frontend/backend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Use proper 32-byte cookie secret from Vault instead of service account token - Add --pass-access-token to forward user's OAuth token to upstream - Add --scope=user:full to request full user permissions - Mount stage-cookie-secret at /etc/oauth-cookie Problem: OAuth proxy was authenticating users but not forwarding tokens to the Next.js frontend. When frontend made backend API calls, it had no token to forward, resulting in 401 errors. Root cause: The service account token (1618 bytes) is too large for AES cipher when --pass-access-token is enabled, which requires 16/24/32 byte secrets. Solution: Use a proper 32-byte cookie secret from Vault (matching UAT config), enabling --pass-access-token to forward the authenticated user's token through the chain: OAuth proxy → Next.js → Backend. Co-Authored-By: Claude Sonnet 4.5 Signed-off-by: Chris Mitchell --- components/manifests/templates/template-services.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 88250193e..99f17dcd3 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml 
@@ -684,7 +684,9 @@ objects: - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token + - --cookie-secret-file=/etc/oauth-cookie/cookie_secret + - --pass-access-token + - --scope=user:full - --upstream-timeout=5m - --skip-auth-regex=^/metrics image: ${OAUTH_PROXY_IMAGE_NAME}:${OAUTH_PROXY_IMAGE_TAG} @@ -723,11 +725,16 @@ objects: volumeMounts: - mountPath: /etc/tls/private name: frontend-proxy-tls + - mountPath: /etc/oauth-cookie + name: oauth-cookie-secret serviceAccountName: frontend volumes: - name: frontend-proxy-tls secret: secretName: frontend-proxy-tls + - name: oauth-cookie-secret + secret: + secretName: stage-cookie-secret - apiVersion: apps/v1 kind: Deployment metadata: From 130db34d41ec607617722e5459b5882ef5d1aa4f Mon Sep 17 00:00:00 2001 From: Chris Mitchell Date: Tue, 21 Apr 2026 17:33:11 -0400 Subject: [PATCH 37/38] Update openshift-delegate-urls configuration --- components/manifests/templates/template-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index 99f17dcd3..f37ed789f 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml 
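Review bot: `secretName: stage-cookie-secret` is an environment-specific name in the same template that an earlier commit of this series sets to `AMBIENT_ENV: production`, so a production rollout mounts a secret named for stage unless the name is parameterised — the same issue as `stage-gcp-creds` a few commits back. `--scope=user:full` makes the forwarded token carry the user's entire cluster authority; if the backend only needs access within the `ambient-code` namespace, a `role:<clusterrole>:<namespace>` scope bounds what a leaked `X-Forwarded-Access-Token` can do, and if full scope is genuinely required a comment saying why would help the next reviewer. The key under `/etc/oauth-cookie` must also be named `cookie_secret`; `# stage-cookie-secret must contain key cookie_secret (32 bytes)` would record that. Both hunks are in the same container spec, whose start is outside the first hunk.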
@@ -681,7 +681,7 @@ objects: - --provider=openshift - --openshift-service-account=frontend - --upstream=http://localhost:3000 - - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} + - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}} - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret-file=/etc/oauth-cookie/cookie_secret From f0472895723eef62f32c0561ae64f999b833fcc3 Mon Sep 17 00:00:00 2001 From: Matthew Knop Date: Tue, 21 Apr 2026 16:02:46 -0600 Subject: [PATCH 38/38] removing openshift-delegate-urls --- .../components/oauth-proxy/frontend-oauth-deployment-patch.yaml | 1 - .../manifests/overlays/production/frontend-oauth-patch.yaml | 1 - components/manifests/templates/template-services.yaml | 1 - 3 files changed, 3 deletions(-) diff --git a/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml b/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml index 50cfe5d78..e7e925403 100644 --- a/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml +++ b/components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml @@ -28,7 +28,6 @@ spec: - --provider=openshift - --openshift-service-account=frontend - --upstream=http://localhost:3000 - - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}} - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token 
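Review bot: Dropping `--openshift-delegate-urls` without adding `--openshift-sar` leaves the proxy with authentication only — any user who can log in to the cluster's OAuth server reaches the upstream, because openshift/oauth-proxy performs no authorization check unless one of those flags is set. That may be intended since the backend now authorizes each call with the forwarded user token, but the template should say so: `# no proxy-side SAR: the backend authorizes every request with the forwarded user token`. The same removal is made in the two hunks on the following line (overlays/production/frontend-oauth-patch.yaml and templates/template-services.yaml). The preceding commit's `{"/":{"resource":"projects","verb":"list"}}` check was presumably already permissive for every authenticated user under default OpenShift RBAC, so this is a clarification of the existing posture rather than a new regression.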
diff --git a/components/manifests/overlays/production/frontend-oauth-patch.yaml b/components/manifests/overlays/production/frontend-oauth-patch.yaml index 8a465326a..3ab178e27 100644 --- a/components/manifests/overlays/production/frontend-oauth-patch.yaml +++ b/components/manifests/overlays/production/frontend-oauth-patch.yaml @@ -21,7 +21,6 @@ spec: - --cookie-expire=23h0m0s - --pass-access-token - --scope=user:full - - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}} - --skip-auth-regex=^/metrics ports: - containerPort: 8443 diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml index f37ed789f..0e27bea02 100644 --- a/components/manifests/templates/template-services.yaml +++ b/components/manifests/templates/template-services.yaml @@ -681,7 +681,6 @@ objects: - --provider=openshift - --openshift-service-account=frontend - --upstream=http://localhost:3000 - - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}} - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret-file=/etc/oauth-cookie/cookie_secret