Skip to content

Commit

Permalink
feat(KFLUXDP-94): Add Tekton task to configure sealights for Python.
Browse files Browse the repository at this point in the history 
Signed-off-by: Adam Scerra <ascerra@redhat.com>
  • Loading branch information
@ascerra
ascerra committed Jan 22, 2025
1 parent 7dd4c70 commit 1bc9d3d
Show file tree
Hide file tree
Showing 4 changed files with 259 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/SUMMARY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,4 @@
- [yamllint](./qe-available-tasks/linters/yamllint.md)
- Sealights
- [Sealights Golang Instrumentation](./qe-available-tasks/sealights/go-instrumentation/go-instrumentation.md)
- [Sealights Python Instrumentation](./qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md)
115 changes: 115 additions & 0 deletions docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
# Sealights Python Instrumentation Tekton Task

This Tekton task automates the process of instrumenting python code with Sealights for quality analytics and testing. It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for Sealights using vars from your PipelineRun, scans all .py files, reports scan to Sealights, and stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.

## Overview

This task performs the following steps:

1. **Retrieves** the source code from a trusted artifact.
2. **Configures & Scans** the Python application using Sealights.

The task can be triggered by different events (e.g., Pull Request, Push) and allows users to exclude specific paths from the configuration process.

## Parameters

| Name | Type | Default | Description |
|-----------------------|----------|---------------|-----------------------------------------------------------------------------------------------|
| `source-artifact` | `string` | - | The Trusted Artifact URI pointing to the source code. |
| `python-version` | `string` | - | The Python version to use with the 'ubi8/python' image, in the format (e.g., '311'). | |
| `component` | `string` | - | The name of the Konflux component associated with the integration tests. |
| `scm-provider` | `string` | `Github` | The SCM provider (e.g., `Github`). |
| `exclude` | `array` | `[]` | A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/source/tests/*','/app/examples/*'). |
| `repository-url` | `string` | `""` | URL of the source code repository (e.g., `github.com/org/repo`). |
| `branch` | `string` | `main` | The Git branch to use (e.g., `main`, `feature-branch`). |
| `revision` | `string` | - | The Git revision (commit SHA). |
| `pull-request-number` | `string` | `""` | The Pull Request number. |
| `target-branch` | `string` | `main` | The target branch for the Pull Request (e.g., `main`, `develop`). |
| `workspace-path` | `string` | `/app` | The path to the root of your repository. |


## Results

| Name | Type | Description |
|---------------------|----------|-----------------------------------------------------------------------------|
| `sealights-bsid` | `string` | A unique identifier for the Sealights build session. |
| `sealights-build-name` | `string` | A unique build name generated using the commit SHA and current date. |

## Volumes

| Name | Description |
|-----------------------|----------------------------------------------------------------|
| `sealights-credentials` | Stores Sealights credentials from the specified secret. |
| `workdir` | Temporary working directory for source code operations. |

## Steps

### 1. `use-trusted-artifact`

Retrieves the source code from a trusted artifact.

### 2. `sealights-python-instrumentation`

Configures and Scans the Python application using Sealights.

## Usage Instructions

### Create the Sealights Secret (REQUIRED)

Ensure you have a Kubernetes secret named **sealights-credentials** containing your Sealights agent token.

We assign the SEALIGHTS_TOKEN var in the script with this command.
```SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"```
>NOTE: you must name the value of the secret **token**.
For example:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: sealights-credentials
type: Opaque
data:
token: <BASE64_ENCODED_SEALIGHTS_TOKEN>
```
### Example Pipeline
Here's an example of how you can use the `sealights-python-instrumentation` task in a Tekton pipelinerun during Konflux CI build.

```yaml
- name: sealights-instrumentation
runAfter:
- clone-repository
taskRef:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/tekton-integration-catalog.git
- name: revision
value: main
- name: pathInRepo
value: tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml
params:
- name: source-artifact
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: python-version
value: "311"
- name: component
value: '{{ repo_name }}'
- name: branch
value: '{{ source_branch }}'
- name: revision
value: '{{ revision }}'
- name: repository-url
value: '{{ repo_url }}'
- name: pull-request-number
value: '{{ pull_request_number }}'
- name: exclude
value: ['/app/source/tests/*']
- name: scm-provider
value: "Github"
- name: workspace-path
value: "/app"
```
3 changes: 3 additions & 0 deletions tasks/sealights/sealights-python/0.1/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Tekton Task: Sealights Python Instrumentation

Please read/update [test metadata docs](../../../../docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md) from docs folder.
140 changes: 140 additions & 0 deletions tasks/sealights/sealights-python/0.1/sealights-python.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: sealights-python-instrumentation
labels:
konflux-ci/sealights: "true"
konflux-ci/sealights-language: "python"
spec:
description: >-
This Tekton task automates the process of configuring your Python application with Sealights for quality analytics and testing.
It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for Sealights using
vars from your PipelineRun, scans all .py files, reports scan to Sealights, and stores results to be used later on in testing.
The task can be triggered by either Pull Request or other events.
results:
- name: sealights-bsid
type: string
description: "A unique identifier generated for the current Sealights build session."
- name: sealights-build-name
type: string
description: "A unique build name generated using the commit SHA and current date to prevent conflicts during test reruns."
params:
- name: source-artifact
description: The Trusted Artifact URI pointing to the artifact with the application source code.
type: string
- name: python-version
type: string
description: "The Python version to use with the 'ubi8/python' image, in the format (e.g., '311')."
- name: component
type: string
description: "The name of the Konflux component associated with the integration tests."
- name: scm-provider
type: string
default: "github"
description: "The source control management (SCM) provider used for the project, such as 'Github', 'Gitlab'."
- name: exclude
type: array
default: []
description: "A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/source/tests/*','/app/examples/*')."
- name: repository-url
type: string
description: "The name or URL of the source code repository (e.g., 'github.com/org/repo')."
default: ""
- name: branch
type: string
description: "The name of the Git branch to use for the operation (e.g., 'main' or 'feature-branch')."
default: "main"
- name: revision
type: string
description: "The Git revision (commit SHA) from which the test pipeline is originating."
- name: pull-request-number
type: string
description: "The identifier number of the pull request/merge request."
default: ""
- name: target-branch
type: string
description: "The name of the target branch for the pull request, typically the branch into which the changes will be merged (e.g., 'main', 'develop')."
default: "main"
- name: workspace-path
type: string
description: "The path to the root of your repository."
volumes:
- name: sealights-credentials
secret:
secretName: sealights-credentials
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /app
name: workdir
- name: sealights-credentials
mountPath: /usr/local/sealights-credentials
steps:
- name: use-trusted-artifact
image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
args:
- use
- $(params.source-artifact)=/app/source
- name: sealights-python-instrumentation
image: registry.access.redhat.com/ubi8/python-$(params.python-version):latest
workingDir: /app/source
securityContext:
runAsUser: 0
env:
- name: COMPONENT
value: $(params.component)
- name: SCM_PROVIDER
value: $(params.scm-provider)
- name: REPOSITORY_URL
value: $(params.repository-url)
- name: BRANCH
value: $(params.branch)
- name: REVISION
value: $(params.revision)
- name: PULL_REQUEST_NUMBER
value: $(params.pull-request-number)
- name: TARGET_BRANCH
value: $(params.target-branch)
- name: WORKSPACE_PATH
value: $(params.workspace-path)
- name: TEST_EVENT
valueFrom:
fieldRef:
fieldPath: metadata.labels['pipelinesascode.tekton.dev/event-type']
args: ["$(params.exclude[*])"]
script: |
#!/bin/sh
set -euo pipefail
export SEALIGHTS_TOKEN BUILD_NAME EXCLUDE_ENUM
SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"
BUILD_NAME="${REVISION}_$(date +'%y%m%d.%H%M')"
EXCLUDE_ENUM="$(IFS=,; echo "$(printf "%s," $@ | sed 's/,$//')")"
# Installs Sealights Python agent.
pip install sealights-python-agent
# In case build is coming from a /retest event then it's a pull_request
# if event type is not push and pull_request_number is not empty then is a pull_request
if [ "$TEST_EVENT" != "push" ] && [ -n "$PULL_REQUEST_NUMBER" ]; then
TEST_EVENT="pull_request"
fi
# Configures the app for sealights using vars from your pipeline run.
if [[ -n "${TEST_EVENT}" && "${TEST_EVENT}" == "pull_request" ]]; then
echo "[INFO] Generate build session id from a Pull Request source code"
sl-python prConfig --appname "${COMPONENT}" --targetbranch "${TARGET_BRANCH}" \
--pullrequestnumber "${PULL_REQUEST_NUMBER}" --latestcommit "${REVISION}" --repourl "${REPOSITORY_URL}" --buildname "${BUILD_NAME}" --exclude "${EXCLUDE_ENUM}" --workspacepath "${WORKSPACE_PATH}" --token "${SEALIGHTS_TOKEN}"
else
echo "[INFO] Creating build session ID (BSID) for app: ${COMPONENT}, branch: ${BRANCH}, build: ${BUILD_NAME}..."
sl-python config --appname "${COMPONENT}" --branchname "${TARGET_BRANCH}" --buildname "${BUILD_NAME}" --exclude "${EXCLUDE_ENUM}" --workspacepath "${WORKSPACE_PATH}" --token "${SEALIGHTS_TOKEN}"
fi
# Scans all .py files that are not in the --exclude step above and reports scan to sealights.
sl-python scan --buildsessionidfile buildSessionId.txt --scmprovider "${SCM_PROVIDER}" --token "${SEALIGHTS_TOKEN}"
# Stores results to be used in future tasks for testing.
echo -n "$(cat buildSessionId.txt)" > $(results.sealights-bsid.path)
echo -n "$BUILD_NAME" > $(results.sealights-build-name.path)

0 comments on commit 1bc9d3d

Please sign in to comment.