Add Tekton task to configure sealights for Python.
Signed-off-by: Adam Scerra <ascerra@redhat.com>
ascerra committed Jan 8, 2025
1 parent 7dd4c70 commit 2c318a4
Showing 4 changed files with 256 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/SUMMARY.md
Expand Up @@ -20,3 +20,4 @@
- [yamllint](./qe-available-tasks/linters/yamllint.md)
- Sealights
- [Sealights Golang Instrumentation](./qe-available-tasks/sealights/go-instrumentation/go-instrumentation.md)
- [Sealights Python Instrumentation](./qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md)
@@ -0,0 +1,108 @@
# Sealights Python Instrumentation Tekton Task

This Tekton task automates the process of instrumenting python code with Sealights for quality analytics and testing. It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for sealights using vars from your pipeline run, scans all .py files that are not in the --exclude step above and reports scan to sealights, and stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.

## Overview

This task performs the following steps:

1. **Retrieves** the source code from a trusted artifact.
2. **Configures & Scans** the Python application using Sealights.

The task can be triggered by different events (e.g., Pull Request, Push) and allows users to exclude specific Python packages from the configuration process.

## Parameters

| Name | Type | Default | Description |
|-----------------------|----------|---------------|-----------------------------------------------------------------------------------------------|
| `source-artifact` | `string` | - | The Trusted Artifact URI pointing to the source code. |
| `python-version` | `string` | - | The Python version to use with the 'ubi8/python' image, in the format (e.g., '311'). |
| `sealights-secret` | `string` | - | The name of the OpenShift secret containing Sealights credentials. |
| `component` | `string` | - | The name of the Konflux component associated with the integration tests. |
| `scm-provider` | `string` | `github` | The SCM provider (e.g., `github`, `gitlab`). |
| `packages-excluded` | `array` | `[]` | List of Go packages to exclude from instrumentation (e.g., `pkg1`, `github.com/lib/concurrent`). |
| `repository-url` | `string` | `""` | URL of the source code repository (e.g., `github.com/org/repo`). |
| `branch` | `string` | `main` | The Git branch to use (e.g., `main`, `feature-branch`). |
| `revision` | `string` | - | The Git revision (commit SHA). |
| `pull-request-number` | `string` | `""` | The Pull Request number. |
| `target-branch` | `string` | `main` | The target branch for the Pull Request (e.g., `main`, `develop`). |
| `oci-storage` | `string` | - | The OCI repository for storing the trusted artifacts. |

## Results

| Name | Type | Description |
|---------------------|----------|-----------------------------------------------------------------------------|
| `build-session-id` | `string` | A unique identifier for the Sealights build session. |
| `build-name` | `string` | A unique build name generated using the commit SHA and current date. |
| `source-artifact` | `string` | The URI of the trusted artifact with the application source code. |

## Volumes

| Name | Description |
|-----------------------|----------------------------------------------------------------|
| `sealights-credentials` | Stores Sealights credentials from the specified secret. |
| `workdir` | Temporary working directory for source code operations. |

## Steps

### 1. `use-trusted-artifact`

Retrieves the source code from a trusted artifact.

### 2. `sealights-python-instrumentation`

Configures and Scans the Python application using Sealights.

## Usage Instructions

### Create the Sealights Secret

Ensure you have a Kubernetes secret containing your Sealights credentials. For example:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: sealights-credentials
type: Opaque
data:
token: <BASE64_ENCODED_SEALIGHTS_TOKEN>
```
### Example Pipeline
Here's an example of how you can use the `sealights-python-instrumentation` task in a Tekton pipelinerun during Konflux CI build.

```yaml
- name: sealights-instrumentation
runAfter:
- clone-repository
taskRef:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/tekton-integration-catalog.git
- name: revision
value: main
- name: pathInRepo
value: tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml
params:
- name: source-artifact
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: python-version
value: "311"
- name: sealights-secret
value: "sealights-credentials"
- name: component
value: '{{ repo_name }}'
- name: branch
value: '{{ source_branch }}'
- name: revision
value: '{{ revision }}'
- name: oci-storage
value: $(params.output-image).sealights.git
- name: packages-excluded
value: ['/app/source/tests/*']
- name: scm-provider
value: "git"
```
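Review bot: the parameter and result names documented here do not match the task definition added in this same commit under `tasks/sealights/sealights-python/0.1/sealights-python.yaml`. The Results table lists `build-session-id` and `build-name`, while the task declares `sealights-bsid` and `sealights-build-name`; a pipeline author who copies the documented names into `$(tasks.<step>.results.<name>)` gets a resolution failure. The `packages-excluded` row still says "List of Go packages to exclude" (carried over from the Go task), whereas the task treats the values as file paths such as `/app/tests/*`. In the Example Pipeline, `pathInRepo` points at `tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml`, which is not the path this commit adds, and `scm-provider` is set to `"git"` although the parameter documents `github`/`gitlab`. The introductory sentence "not in the --exclude step above" was lifted from the script comment and has no referent on this page; reword it to "not matched by `packages-excluded`".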
3 changes: 3 additions & 0 deletions tasks/sealights/sealights-python/0.1/README.md
@@ -0,0 +1,3 @@
# Tekton Task: Sealights Go Instrumentation

Please read/update [test metadata docs](../../../../docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md) from docs folder.
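Review bot: the heading reads "Tekton Task: Sealights Go Instrumentation" in the README of the Python task; change it to "Tekton Task: Sealights Python Instrumentation" so it matches the linked docs page and the commit title.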
144 changes: 144 additions & 0 deletions tasks/sealights/sealights-python/0.1/sealights-python.yaml
@@ -0,0 +1,144 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: sealights-python-instrumentation
labels:
konflux-ci/sealights: "true"
konflux-ci/sealights-language: "python"
spec:
description: >-
This Tekton task automates the process of configuring your Python application with Sealights for quality analytics and testing.
It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for sealights using
vars from your pipeline run, scans all .py files that are not in the --exclude step above and reports scan to sealights, and
stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.
results:
- name: sealights-bsid
type: string
description: "A unique identifier generated for the current sealights build session."
- name: sealights-build-name
type: string
description: "A unique build name generated using the commit SHA and current date to prevent conflicts during test reruns."
- name: source-artifact
description: The Trusted Artifact URI pointing to the artifact with the application source code.
type: string
params:
- name: source-artifact
description: The Trusted Artifact URI pointing to the artifact with the application source code.
type: string
- name: python-version
type: string
description: "The Python version to use with the 'ubi8/python' image, in the format (e.g., '311')."
- name: sealights-secret
type: string
description: "The name of the Openshift secret containing Sealights credentials."
- name: component
type: string
description: "The name of the Konflux component associated with the integration tests."
- name: scm-provider
type: string
default: "github"
description: "The source control management (SCM) provider used for the project, such as 'github', 'gitlab'."
- name: packages-excluded
type: array
default: []
description: "A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/tests/*','/app/examples/*')."
- name: repository-url
type: string
description: "The name or URL of the source code repository (e.g., 'github.com/org/repo')."
default: ""
- name: branch
type: string
description: "The name of the Git branch to use for the operation (e.g., 'main' or 'feature-branch')."
default: "main"
- name: revision
type: string
description: "The Git revision (commit SHA) from which the test pipeline is originating."
- name: pull-request-number
type: string
description: "The identifier number of the pull request/merge request."
default: ""
- name: target-branch
type: string
description: "The name of the target branch for the pull request, typically the branch into which the changes will be merged (e.g., 'main', 'develop')."
default: "main"
- name: oci-storage
description: The OCI repository where the Trusted Artifacts are stored.
type: string
volumes:
- name: sealights-credentials
secret:
secretName: sealights-credentials
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /app
name: workdir
- name: sealights-credentials
mountPath: /usr/local/sealights-credentials
steps:
- name: use-trusted-artifact
image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
args:
- use
- $(params.source-artifact)=/app/source
- name: sealights-python-instrumentation
image: registry.access.redhat.com/ubi8/python-$(params.python-version):latest
workingDir: /app/source
securityContext:
runAsUser: 0
env:
- name: COMPONENT
value: $(params.component)
- name: SCM_PROVIDER
value: $(params.scm-provider)
- name: REPOSITORY_URL
value: $(params.repository-url)
- name: BRANCH
value: $(params.branch)
- name: REVISION
value: $(params.revision)
- name: PULL_REQUEST_NUMBER
value: $(params.pull-request-number)
- name: TARGET_BRANCH
value: $(params.target-branch)
- name: TEST_EVENT
valueFrom:
fieldRef:
fieldPath: metadata.labels['pipelinesascode.tekton.dev/event-type']
args: ["$(params.packages-excluded[*])"]
script: |
#!/bin/sh
set -euo pipefail
export SEALIGHTS_TOKEN BUILD_NAME BSID PACKAGES_EXCLUDED_ENUM
SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"
BUILD_NAME="${REVISION}_$(date +'%y%m%d.%H%M')"
PACKAGES_EXCLUDED_ENUM="$(IFS=,; echo "$(printf "%s," $@ | sed 's/,$//')")"
# Installs Sealights Python agent.
pip install sealights-python-agent
# In case build is coming from a /retest event then it's a pull_request
# if event type is not push and pull_request_number is not empty then is a pull_request
if [ "$TEST_EVENT" != "push" ] && [ -n "$PULL_REQUEST_NUMBER" ]; then
TEST_EVENT="pull_request"
fi
# Configures the app for sealights using vars from your pipeline run.
if [[ -n "${TEST_EVENT}" && "${TEST_EVENT}" == "pull_request" ]]; then
echo "[INFO] Generate build session id from a Pull Request source code"
sl-python prConfig --appname "${COMPONENT}" --targetbranch "${TARGET_BRANCH}" \
--pullrequestnumber "${PULL_REQUEST_NUMBER}" --latestcommit "${REVISION}" --repourl "${REPOSITORY_URL}" --buildname "${BUILD_NAME}" --exclude "${PACKAGES_EXCLUDED_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}"
else
echo "[INFO] Creating build session ID (BSID) for app: ${COMPONENT}, branch: ${BRANCH}, build: ${BUILD_NAME}..."
sl-python config --appname "${COMPONENT}" --branchname "${TARGET_BRANCH}" --buildname "${BUILD_NAME}" --exclude "${PACKAGES_EXCLUDED_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}"
fi
# Scans all .py files that are not in the --exclude step above and reports scan to sealights.
sl-python scan --buildsessionidfile buildSessionId.txt --scm "${SCM_PROVIDER}" --token "${SEALIGHTS_TOKEN}"
# Stores results to be used in future tasks for testing.
echo -n "$(cat buildSessionId.txt)" > $(results.sealights-bsid.path)
echo -n "$BUILD_NAME" > $(results.sealights-build-name.path)
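Review bot: the `sealights-secret` parameter is declared but never used: the volume hardcodes `secretName: sealights-credentials`, so a caller who passes a differently named secret gets a mount failure, or silently reads a secret they did not intend if one named `sealights-credentials` happens to exist in the namespace. Use `secretName: $(params.sealights-secret)`, or drop the parameter and document the fixed name. Further points in the `sealights-python-instrumentation` step: (1) the script opens with `#!/bin/sh` but relies on `set -o pipefail` and `[[ ... ]]`, which are bash features; it works on the UBI image only because `/bin/sh` is bash there, so `#!/bin/bash` states the real requirement. (2) `pip install sealights-python-agent` is unpinned and runs as root (`runAsUser: 0`) into the system site-packages of an image pulled by `:latest` tag, while the `use-trusted-artifact` image just above is pinned by digest; pin the agent version (with `--require-hashes` where practical) and pin the Python image by digest, since this step operates on the source tree that later test stages trust. (3) The non-PR branch calls `sl-python config ... --branchname "${TARGET_BRANCH}"` while the log line directly above reports `branch: ${BRANCH}`; for push events `BRANCH` looks like the intended value, and the two should agree. (4) `printf "%s," $@` is unquoted, so the excluded paths are word-split and glob-expanded by the shell; with the documented example `/app/source/tests/*` and `workingDir: /app/source`, the pattern expands to the test files if the directory exists and the exclude list no longer means what the caller wrote. Use `printf '%s,' "$@"`. (5) The credential is passed as `--token "${SEALIGHTS_TOKEN}"` on the command line, where it is visible in `ps` output to any process in the pod and in the step log if tracing is ever enabled; prefer the agent's token-file option (`--tokenfile`, if the installed agent version supports it) pointing at the mounted `/usr/local/sealights-credentials/token`, and drop the `export` of `SEALIGHTS_TOKEN` so it is not inherited by child processes that do not need it.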
