The StoneSoup Build System is composed of the following components:
- OpenShift Pipelines
- Tekton Chains
- Tekton Results
- Pipelines as Code
- App Studio Build Service
- HACBS JVM Build Service
- PVC Cleaner
This repository installs all the components and includes a set of example scripts that simplify usage and provide examples of a working system. No additional components are needed to use the build system API; however, some utilities and scripts are provided to demonstrate functionality.
Quickstart
To try out a pre-configured system, follow these steps.
Steps | |
---|---|
1. Create a project for your pipeline execution. This can be run as any non-admin user (or admin) and is needed to hold your execution pipelines. | `oc new-project demo` |
2. Run the build-deploy example with a Quarkus app. | `./hack/build/build-via-appstudio.sh https://github.com/devfile-samples/devfile-sample-code-with-quarkus src/main/docker/Dockerfile.jvm.staged` |
3. View your build in the OpenShift Console under the pipelines page, or view the logs via the CLI. | `tkn pipelinerun logs` |
Tests via RHTAP
To validate execution via RHTAP, you can run the `./hack/build/build-via-appstudio.sh` script, which sets credentials and the RHTAP application and components. Without parameters, it creates example components.
To build a specific repository, pass its URL and the path to the repository's Dockerfile as arguments, as shown below:
./hack/build/build-via-appstudio.sh https://github.com/devfile-samples/devfile-sample-java-springboot-basic docker/Dockerfile
To enable PipelineAsCode integration, set the `PIPELINESASCODE` environment variable to `1` and set GitHub credentials in your `./hack/preview.env`.
You can use either the GitHub PipelineAsCode application or a webhook.
To use the GitHub application, set `PAC_GITHUB_APP_PRIVATE_KEY` and `PAC_GITHUB_APP_ID` in your `./hack/preview.env`.
Alternatively, to use a GitHub webhook, set `PAC_GITHUB_TOKEN` with the required permissions, or make sure that `MY_GITHUB_TOKEN` is set and has the required permissions.
Then run:
PIPELINESASCODE=1 ./hack/build/build-via-appstudio.sh https://github.com/Michkov/devfile-sample-go-basic docker/Dockerfile
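A preflight check for the credential setup described above, as an added example that is not part of this repository's scripts. It assumes the env file holds `KEY=value` or `export KEY=value` lines, that the webhook tokens live in the same file, and that a complete application pair takes precedence over a token; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify PipelineAsCode credentials before a PIPELINESASCODE=1 run.
# Assumption: the env file uses KEY=value or "export KEY=value" lines.

# Print the last value assigned to KEY in FILE. The file is parsed, not
# sourced, so nothing inside it is executed by this check.
env_value() {
  local file="$1" key="$2"
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?${key}=//p" "$file" \
    | tail -n 1 \
    | sed -E -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Echo "app" or "webhook" for the first complete credential set found.
# Returns 1 when the file is unreadable or holds no complete set.
pac_credential_mode() {
  local file="$1" app_key app_id pac_token my_token
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

  # The file holds secrets: warn when group or others have any access.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "warning: $file is accessible to group/others; consider chmod 600" >&2
  fi

  app_key=$(env_value "$file" PAC_GITHUB_APP_PRIVATE_KEY)
  app_id=$(env_value "$file" PAC_GITHUB_APP_ID)
  pac_token=$(env_value "$file" PAC_GITHUB_TOKEN)
  my_token=$(env_value "$file" MY_GITHUB_TOKEN)

  if [ -n "$app_key" ] && [ -n "$app_id" ]; then
    echo app; return 0
  fi
  # Application mode needs both values; flag a half-configured pair.
  if [ -n "$app_key" ] || [ -n "$app_id" ]; then
    echo "warning: only one of PAC_GITHUB_APP_PRIVATE_KEY / PAC_GITHUB_APP_ID is set" >&2
  fi
  if [ -n "$pac_token" ] || [ -n "$my_token" ]; then
    echo webhook; return 0
  fi
  echo "no complete GitHub credentials in $file" >&2
  return 1
}
```

Call `pac_credential_mode ./hack/preview.env` before the run; it cannot confirm that a token actually carries the required permissions.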
Change of default pipeline bundle
Pipeline bundles are generated by build-definitions.
By default, the bundle is defined in `components/build-service/base/build-pipeline-config/build-pipeline-config.yaml`.
Stage Cluster integration prerequisites
Before creating a component in the Stage cluster, it is necessary to install the GitHub application AppStudio Staging CI into the managed repository or into the whole GitHub organization.
Repository secrets
The secret must be linked to the `appstudio-pipeline` service account in the execution namespace.
Build Service secrets
List of secrets:
Name | Source | Description |
---|---|---|
pipelines-as-code-secret | appsre vault | Secret containing ‘github-application-id’, ‘github-private-key’ and ‘webhook.secret’ of the GitHub Application used by Build service for creating pull requests |
Rotation rule: Secrets must be rotated within 7 days after someone with access leaves the organization. Secrets older than one year should be rotated.
Instructions for rotation of pipelines-as-code-secret
The secret is shared and is managed by the Pipeline Service team. We load the secret from the Pipeline Service vault. We don’t need to take any steps for rotation. After they rotate the secret, it will be updated automatically on the next external secret sync-up.