apiVersion: tmax.io/v1 kind: ClusterTemplate metadata: labels: cicd-template-test: reviews name: tmaxcloud-platofrmps-template categories: - reviews imageUrl: >- https://static.wixstatic.com/media/adcb2b_6acdb885bf744458bf152ab5854621cd~mv2.jpg/v1/fill/w_562,h_528,al_c,lg_1,q_80,enc_auto/adcb2b_6acdb885bf744458bf152ab5854621cd~mv2.jpg longDescription: TmaxCloud CI/CD Test Sample markdownDescription: reviews-test-template objectKinds: - PersistentVolumeClaim - ConfigMap - Secret - IntegrationConfig objects: - apiVersion: v1 kind: PersistentVolumeClaim metadata: name: 'cicd-pvc-${APP_NAME}' spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: '${STORAGE_CLASS}' - apiVersion: v1 kind: PersistentVolumeClaim metadata: name: 'build-pvc-${APP_NAME}' spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: '${STORAGE_CLASS}' - apiVersion: v1 kind: PersistentVolumeClaim metadata: name: 'image-pvc-${APP_NAME}' spec: accessModes: - ReadWriteMany resources: requests: storage: 1Gi storageClassName: '${STORAGE_CLASS}' - apiVersion: v1 kind: ConfigMap metadata: name: podmanconf data: storage.conf: | # This file is is the configuration file for all tools # that use the containers/storage library. # See man 5 containers-storage.conf for more information # The "container storage" table contains all of the server options. [storage] # Default Storage Driver, Must be set for proper operation. driver = "overlay" # Temporary storage location runroot = "/run/containers/storage" # Primary Read/Write location of container storage graphroot = "/root/containers" # Storage path for rootless users # # rootless_storage_path = "$HOME/.local/share/containers/storage" [storage.options] # Storage options to be passed to underlying storage drivers # AdditionalImageStores is used to pass paths to additional Read/Only image stores # Must be comma separated list. additionalimagestores = [ ] # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of # a container, to the UIDs/GIDs as they should appear outside of the container, # and the length of the range of UIDs/GIDs. Additional mapped sets can be # listed and will be heeded by libraries, but there are limits to the number of # mappings which the kernel will allow when you later attempt to run a # container. # # remap-uids = 0:1668442479:65536 # remap-gids = 0:1668442479:65536 # Remap-User/Group is a user name which can be used to look up one or more UID/GID # ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting # with an in-container ID of 0 and then a host-level ID taken from the lowest # range that matches the specified name, and using the length of that range. # Additional ranges are then assigned, using the ranges which specify the # lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, # until all of the entries have been used for maps. # # remap-user = "containers" # remap-group = "containers" # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID # ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned # to containers configured to create automatically a user namespace. Containers # configured to automatically create a user namespace can still overlap with containers # having an explicit mapping set. # This setting is ignored when running as rootless. # root-auto-userns-user = "storage" # # Auto-userns-min-size is the minimum size for a user namespace created automatically. # auto-userns-min-size=1024 # # Auto-userns-max-size is the minimum size for a user namespace created automatically. # auto-userns-max-size=65536 [storage.options.overlay] # ignore_chown_errors can be set to allow a non privileged user running with # a single UID within a user namespace to run containers. The user can pull # and use any image even those with multiple uids. Note multiple UIDs will be # squashed down to the default uid in the container. These images will have no # separation between the users in the container. Only supported for the overlay # and vfs drivers. #ignore_chown_errors = "false" # Inodes is used to set a maximum inodes of the container image. # inodes = "" # Path to an helper program to use for mounting the file system instead of mounting it # directly. #mount_program = "/usr/bin/fuse-overlayfs" # mountopt specifies comma separated list of extra mount options mountopt = "nodev,metacopy=on" # Set to skip a PRIVATE bind mount on the storage home directory. # skip_mount_home = "false" # Size is used to set a maximum size of the container image. # size = "" # ForceMask specifies the permissions mask that is used for new files and # directories. # # The values "shared" and "private" are accepted. # Octal permission masks are also accepted. # # "": No value specified. # All files/directories, get set with the permissions identified within the # image. # "private": it is equivalent to 0700. # All files/directories get set with 0700 permissions. The owner has rwx # access to the files. No other users on the system can access the files. # This setting could be used with networked based homedirs. # "shared": it is equivalent to 0755. # The owner has rwx access to the files and everyone else can read, access # and execute them. This setting is useful for sharing containers storage # with other users. For instance have a storage owned by root but shared # to rootless users as an additional store. # NOTE: All files within the image are made readable and executable by any # user on the system. Even /etc/shadow within your image is now readable by # any user. # # OCTAL: Users can experiment with other OCTAL Permissions. # # Note: The force_mask Flag is an experimental feature, it could change in the # future. When "force_mask" is set the original permission mask is stored in # the "user.containers.override_stat" xattr and the "mount_program" option must # be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the # extended attribute permissions to processes within containers rather then the # "force_mask" permissions. # # force_mask = "" [storage.options.thinpool] # Storage Options for thinpool # autoextend_percent determines the amount by which pool needs to be # grown. This is specified in terms of % of pool size. So a value of 20 means # that when threshold is hit, pool will be grown by 20% of existing # pool size. # autoextend_percent = "20" # autoextend_threshold determines the pool extension threshold in terms # of percentage of pool size. For example, if threshold is 60, that means when # pool is 60% full, threshold has been hit. # autoextend_threshold = "80" # basesize specifies the size to use when creating the base device, which # limits the size of images and containers. # basesize = "10G" # blocksize specifies a custom blocksize to use for the thin pool. # blocksize="64k" # directlvm_device specifies a custom block storage device to use for the # thin pool. Required if you setup devicemapper. # directlvm_device = "" # directlvm_device_force wipes device even if device already has a filesystem. # directlvm_device_force = "True" # fs specifies the filesystem type to use for the base device. # fs="xfs" # log_level sets the log level of devicemapper. # 0: LogLevelSuppress 0 (Default) # 2: LogLevelFatal # 3: LogLevelErr # 4: LogLevelWarn # 5: LogLevelNotice # 6: LogLevelInfo # 7: LogLevelDebug # log_level = "7" # min_free_space specifies the min free space percent in a thin pool require for # new device creation to succeed. Valid values are from 0% - 99%. # Value 0% disables # min_free_space = "10%" # mkfsarg specifies extra mkfs arguments to be used when creating the base # device. # mkfsarg = "" # metadata_size is used to set the `pvcreate --metadatasize` options when # creating thin devices. Default is 128k # metadata_size = "" # Size is used to set a maximum size of the container image. # size = "" # use_deferred_removal marks devicemapper block device for deferred removal. # If the thinpool is in use when the driver attempts to remove it, the driver # tells the kernel to remove it as soon as possible. Note this does not free # up the disk space, use deferred deletion to fully remove the thinpool. # use_deferred_removal = "True" # use_deferred_deletion marks thinpool device for deferred deletion. # If the device is busy when the driver attempts to delete it, the driver # will attempt to delete device every 30 seconds until successful. # If the program using the driver exits, the driver will continue attempting # to cleanup the next time the driver is used. Deferred deletion permanently # deletes the device and all data stored in device will be lost. # use_deferred_deletion = "True" # xfs_nospace_max_retries specifies the maximum number of retries XFS should # attempt to complete IO when ENOSPC (no space) error is returned by # underlying storage device. # xfs_nospace_max_retries = "0" - apiVersion: v1 kind: ConfigMap metadata: name: argocd-env-configmap data: ARGOCD_SERVER: '${ARGOCD_URL}' - apiVersion: v1 kind: Secret metadata: name: argocd-env-secret data: ARGOCD_PASSWORD: '${ARGOPASS}' ARGOCD_USERNAME: '${ARGOUSER}' - apiVersion: v1 kind: Secret metadata: name: my-basic-auth-secret stringData: .git-credentials: | https://${GITID}:${GITPWD}@${GIT_API_URL} .gitconfig: | [credential] helper = store [user] name = Administrator email = admin@example.com [http] sslVerify = true type: Opaque - apiVersion: cicd.tmax.io/v1 kind: IntegrationConfig metadata: labels: app: '${APP_NAME}' name: '${APP_NAME}-config' spec: git: apiUrl: 'https://${GIT_API_URL}' repository: '${GIT_REPOSITORY}' token: valueFrom: secretKeyRef: key: token name: '${GIT_TOKEN_SECRET}' type: '${GIT_TYPE}' jobs: postSubmit: - name: git-clone tektonTask: params: - name: url stringVal: 'https://${GIT_API_URL}/${GIT_REPOSITORY}' - name: revision stringVal: '${GIT_BRANCH}' - name: deleteExisting stringVal: 'false' - name: sslVerify stringVal: 'true' taskRef: local: kind: ClusterTask name: git-clone workspaces: - name: output workspace: s2i notification: onSuccess: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 완료" onFailure: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 실패" - after: - git-clone name: sonarqube-scanner tektonTask: workspaces: - name: source workspace: s2i params: - name: SONAR_HOST_URL stringVal: '${SONARURL}' - name: SONAR_PROJECT_KEY stringVal: '${PROJECTKEY}' - name: PROJECT_VERSION stringVal: '${PROJECTVERSION}' - name: SOURCE_TO_SCAN stringVal: '${SOURCEDIR}' - name: SONAR_ORGANIZATION stringVal: "master" - name: SONAR_LOGIN_KEY stringVal: "admin" - name: SONAR_PASSWORD_KEY stringVal: "platformps" taskRef: local: kind: ClusterTask name: sonarqube-scanner notification: onSuccess: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 완료" onFailure: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 실패" - after: - sonarqube-scanner name: podman-build tektonTask: params: - name: url stringVal: '${IMAGE_URL}' - name: image stringVal: '${IMAGE_NAME}' - name: tag stringVal: $(tasks.git-clone.results.commit) - name: tls stringVal: 'false' taskRef: local: kind: ClusterTask name: buildtask workspaces: - name: source workspace: s2i - name: build-pvc workspace: build-pvc - name: image-pvc workspace: image-pvc - name: podmanconf workspace: podmanconf notification: onSuccess: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 완료" onFailure: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 실패" - after: - podman-build name: trivy-check tektonTask: params: - name: ARGS arrayVal: ["image"] - name: IMAGE_PATH stringVal: "${IMAGE_URL}/${IMAGE_NAME}:$(tasks.git-clone.results.commit)" workspaces: - name: manifest-dir workspace: trivy-db taskRef: local: kind: ClusterTask name: trivy-scanner notification: onSuccess: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 완료" onFailure: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 실패" - after: - podman-build name: argo-upload tektonTask: params: - name: GIT_USER_NAME stringVal: Administrator - name: GIT_USER_EMAIL stringVal: admin@example.com - name: GIT_SCRIPT stringVal: > git config --global http.sslVerify true git clone https://${GIT_API_URL}/${APP_REPOSITORY} cd ./appyaml/ rm -rf app.yaml cp app.yaml.template app.yaml sed -i "s@{{URL}}@${IMAGE_URL}/${IMAGE_NAME}:$(tasks.git-clone.results.commit)@" app.yaml ls -l git add * git status git commit -m "Images & Version Changed" git push cd $(workspaces.source.path) ls -l rm -rf ./appyaml rm -rf ./reviews/reviews-application/build rm -rf ./reviews/reviews-wlpcfg/servers/LibertyProjectServer/apps taskRef: local: kind: ClusterTask name: git-cli workspaces: - name: basic-auth workspace: basic-auth - name: source workspace: s2i notification: onSuccess: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 완료" onFailure: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 실패" - after: - trivy-check name: send-mail tektonTask: params: - name: server stringVal: server-secret - name: subject stringVal: "trivy 이미지 스캐닝 결과" - name: body stringVal: | $(tasks.trivy-check.results.scan) - name: sender stringVal: "" - name: recipients stringVal: "" taskRef: local: kind: ClusterTask name: sendmail - after: - argo-upload name: argo-sync tektonTask: params: - name: application-name stringVal: appyaml - name: flags stringVal: '--insecure' taskRef: local: kind: ClusterTask name: argocd-task-sync-and-wait notification: onSuccess: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 완료" onFailure: slack: url: https://hooks.slack.com/services/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 message: "현재 진행중인 PipelineRun : ($INTEGRATION_JOB_NAME)\n현재 단계 : $JOB_NAME\n상태 : 실패" secrets: - name: '${REGISTRY_SECRET_NAME}' tlsConfig: insecureSkipVerify: true workspaces: - name: basic-auth secret: secretName: my-basic-auth-secret - name: s2i persistentVolumeClaim: claimName: 'cicd-pvc-${APP_NAME}' - name: trivy-db persistentVolumeClaim: claimName: 'trivy-db' - name: build-pvc persistentVolumeClaim: claimName: 'build-pvc-${APP_NAME}' - name: image-pvc persistentVolumeClaim: claimName: 'image-pvc-${APP_NAME}' - name: podmanconf configmap: name: 'podmanconf' subpath: storage.conf parameters: - description: Application name displayName: AppName name: APP_NAME required: true value: testapp valueType: string - description: Git Type (gitlab or github) displayName: GitType name: GIT_TYPE required: true value: gitlab valueType: string - description: 'Git API URL (e.g., http://)' displayName: GitApiUrl name: GIT_API_URL required: false value: gitlab.jhcloud.kr valueType: string - description: 'Git Repo. (e.g., tmax-cloud/cicd-operator)' displayName: GitRepository name: GIT_REPOSITORY required: true value: root/bookinfo valueType: string - description: 'Git Repo. (e.g., tmax-cloud/cicd-operator)' displayName: AppYaml name: APP_REPOSITORY required: true value: root/appyaml valueType: string - description: 'Git Branch (e.g., master)' displayName: GitBranch name: GIT_BRANCH required: false value: master valueType: string - description: ARGOCD URL displayName: ArgoURL name: ARGOCD_URL required: true value: argocd.jhcloud.kr valueType: string - description: ARGOCD USER displayName: ArgoUSER name: ARGOUSER required: true value: YWRtaW4= valueType: string - description: ARGOCD PASSWORD displayName: ArgoPASS name: ARGOPASS required: true value: dG1heEAyM0A= valueType: string - description: Git Token Secret Name (with 'token' key) displayName: GitTokenSecret name: GIT_TOKEN_SECRET required: true value: gitlab valueType: string - description: Output Image URL displayName: ImageURL name: IMAGE_URL required: true value: 'harbor.jhcloud.kr' valueType: string - description: Output Image NAME displayName: ImageNAME name: IMAGE_NAME required: true value: 'reviews/reviews' valueType: string - description: Secret for accessing image registry displayName: RegistrySecret name: REGISTRY_SECRET_NAME required: false value: '' valueType: string - description: Storage class for ci workspace displayName: StorageClass name: STORAGE_CLASS required: true value: nfs valueType: string - description: REVIEWS Port displayName: 포트 name: REVIEWS_PORT required: true value: 9080 valueType: number - description: git-clone 단계에서 사용되는 git 아이디. displayName: GitID name: GITID required: true value: 'root' valueType: string - description: git-clone 단계에서 사용되는 git 패스워드. displayName: GitPWD name: GITPWD required: true value: 'platformps' valueType: string - description: 소스 코드 스캔을 수행할 sonarqube의 주소. displayName: URL name: SONARURL required: true value: 'http://sonarqube.jhcloud.kr/' valueType: string - description: 소스 코드 스캔을 수행할 Project의 Key. displayName: ProjectKey name: PROJECTKEY required: true value: 'cicd' valueType: string - description: 소스 코드 스캔을 수행할 Project의 Version. displayName: ProjectVersion name: PROJECTVERSION required: true value: '1.0' valueType: string - description: 스캔을 수행할 코드 경로 displayName: SourceDIR name: SOURCEDIR required: true value: './reviews/reviews-application/src/main/java/application/rest/' valueType: string - description: Deployment environment variable in JSON object form displayName: DeployEnvJson name: DEPLOY_ENV_JSON required: false value: '{}' valueType: string plans: - bindable: false description: CI/CD 테스트를 위한 템플릿입니다. reviews pod를 배포합니다. name: reviews-test provider: junghun_byeon recommend: false shortDescription: TmaxCloud CI/CD Test Sample urlDescription: 'https://www.tmax.co.kr/tmaxcloud'