From 2c318a4597308f18ffcae6faa884fce8b4ee045c Mon Sep 17 00:00:00 2001
From: Adam Scerra
Date: Mon, 6 Jan 2025 14:38:17 -0500
Subject: [PATCH] Add Tekton task to configure sealights for Python.

Signed-off-by: Adam Scerra
---
 docs/SUMMARY.md | 1 +
 .../python-instrumentation.md | 108 +++++++++++++
 .../sealights/sealights-python/0.1/README.md | 3 +
 .../0.1/sealights-python.yaml | 144 ++++++++++++++++++
 4 files changed, 256 insertions(+)
 create mode 100644 docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md
 create mode 100644 tasks/sealights/sealights-python/0.1/README.md
 create mode 100644 tasks/sealights/sealights-python/0.1/sealights-python.yaml

diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index 5a89423..d383696 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -20,3 +20,4 @@
 - [yamllint](./qe-available-tasks/linters/yamllint.md)
 - Sealights
 - [Sealights Golang Instrumentation](./qe-available-tasks/sealights/go-instrumentation/go-instrumentation.md)
+ - [Sealights Python Instrumentation](./qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md)
diff --git a/docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md b/docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md
new file mode 100644
index 0000000..996cda0
--- /dev/null
+++ b/docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md
@@ -0,0 +1,108 @@
+# Sealights Python Instrumentation Tekton Task
+
+This Tekton task automates the process of instrumenting python code with Sealights for quality analytics and testing. It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for sealights using vars from your pipeline run, scans all .py files that are not in the --exclude step above and reports scan to sealights, and stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.
+
+## Overview
+
+This task performs the following steps:
+
+1. **Retrieves** the source code from a trusted artifact.
+2. **Configures & Scans** the Python application using Sealights.
+
+The task can be triggered by different events (e.g., Pull Request, Push) and allows users to exclude specific Python packages from the configuration process.
+
+## Parameters
+
+| Name | Type | Default | Description |
+|-----------------------|----------|---------------|-----------------------------------------------------------------------------------------------|
+| `source-artifact` | `string` | - | The Trusted Artifact URI pointing to the source code. |
+| `python-version` | `string` | - | The Python version to use with the 'ubi8/python' image, in the format (e.g., '311'). |
+| `sealights-secret` | `string` | - | The name of the OpenShift secret containing Sealights credentials. |
+| `component` | `string` | - | The name of the Konflux component associated with the integration tests. |
+| `scm-provider` | `string` | `github` | The SCM provider (e.g., `github`, `gitlab`). |
+| `packages-excluded` | `array` | `[]` | List of Go packages to exclude from instrumentation (e.g., `pkg1`, `github.com/lib/concurrent`). |
+| `repository-url` | `string` | `""` | URL of the source code repository (e.g., `github.com/org/repo`). |
+| `branch` | `string` | `main` | The Git branch to use (e.g., `main`, `feature-branch`). |
+| `revision` | `string` | - | The Git revision (commit SHA). |
+| `pull-request-number` | `string` | `""` | The Pull Request number. |
+| `target-branch` | `string` | `main` | The target branch for the Pull Request (e.g., `main`, `develop`). |
+| `oci-storage` | `string` | - | The OCI repository for storing the trusted artifacts. |
+
+## Results
+
+| Name | Type | Description |
+|---------------------|----------|-----------------------------------------------------------------------------|
+| `build-session-id` | `string` | A unique identifier for the Sealights build session. |
+| `build-name` | `string` | A unique build name generated using the commit SHA and current date. |
+| `source-artifact` | `string` | The URI of the trusted artifact with the application source code. |
+
+## Volumes
+
+| Name | Description |
+|-----------------------|----------------------------------------------------------------|
+| `sealights-credentials` | Stores Sealights credentials from the specified secret. |
+| `workdir` | Temporary working directory for source code operations. |
+
+## Steps
+
+### 1. `use-trusted-artifact`
+
+Retrieves the source code from a trusted artifact.
+
+### 2. `sealights-python-instrumentation`
+
+Configures and Scans the Python application using Sealights.
+
+## Usage Instructions
+
+### Create the Sealights Secret
+
+Ensure you have a Kubernetes secret containing your Sealights credentials. For example:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sealights-credentials
+type: Opaque
+data:
+ token:
+```
+
+### Example Pipeline
+
+Here's an example of how you can use the `sealights-python-instrumentation` task in a Tekton pipelinerun during Konflux CI build.
+
+```yaml
+ - name: sealights-instrumentation
+ runAfter:
+ - clone-repository
+ taskRef:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/tekton-integration-catalog.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml
+ params:
+ - name: source-artifact
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: python-version
+ value: "311"
+ - name: sealights-secret
+ value: "sealights-credentials"
+ - name: component
+ value: '{{ repo_name }}'
+ - name: branch
+ value: '{{ source_branch }}'
+ - name: revision
+ value: '{{ revision }}'
+ - name: oci-storage
+ value: $(params.output-image).sealights.git
+ - name: packages-excluded
+ value: ['/app/source/tests/*']
+ - name: scm-provider
+ value: "git"
+```
diff --git a/tasks/sealights/sealights-python/0.1/README.md b/tasks/sealights/sealights-python/0.1/README.md
new file mode 100644
index 0000000..e20fa53
--- /dev/null
+++ b/tasks/sealights/sealights-python/0.1/README.md
@@ -0,0 +1,3 @@
+# Tekton Task: Sealights Go Instrumentation
+
+Please read/update [test metadata docs](../../../../docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md) from docs folder.
\ No newline at end of file
diff --git a/tasks/sealights/sealights-python/0.1/sealights-python.yaml b/tasks/sealights/sealights-python/0.1/sealights-python.yaml
new file mode 100644
index 0000000..23bc45c
--- /dev/null
+++ b/tasks/sealights/sealights-python/0.1/sealights-python.yaml
@@ -0,0 +1,144 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: sealights-python-instrumentation
+ labels:
+ konflux-ci/sealights: "true"
+ konflux-ci/sealights-language: "python"
+spec:
+ description: >-
+ This Tekton task automates the process of configuring your Python application with Sealights for quality analytics and testing.
+ It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for sealights using
+ vars from your pipeline run, scans all .py files that are not in the --exclude step above and reports scan to sealights, and
+ stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.
+ results:
+ - name: sealights-bsid
+ type: string
+ description: "A unique identifier generated for the current sealights build session."
+ - name: sealights-build-name
+ type: string
+ description: "A unique build name generated using the commit SHA and current date to prevent conflicts during test reruns."
+ - name: source-artifact
+ description: The Trusted Artifact URI pointing to the artifact with the application source code.
+ type: string
+ params:
+ - name: source-artifact
+ description: The Trusted Artifact URI pointing to the artifact with the application source code.
+ type: string
+ - name: python-version
+ type: string
+ description: "The Python version to use with the 'ubi8/python' image, in the format (e.g., '311')."
+ - name: sealights-secret
+ type: string
+ description: "The name of the Openshift secret containing Sealights credentials."
+ - name: component
+ type: string
+ description: "The name of the Konflux component associated with the integration tests."
+ - name: scm-provider
+ type: string
+ default: "github"
+ description: "The source control management (SCM) provider used for the project, such as 'github', 'gitlab'."
+ - name: packages-excluded
+ type: array
+ default: []
+ description: "A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/tests/*','/app/examples/*')."
+ - name: repository-url
+ type: string
+ description: "The name or URL of the source code repository (e.g., 'github.com/org/repo')."
+ default: ""
+ - name: branch
+ type: string
+ description: "The name of the Git branch to use for the operation (e.g., 'main' or 'feature-branch')."
+ default: "main"
+ - name: revision
+ type: string
+ description: "The Git revision (commit SHA) from which the test pipeline is originating."
+ - name: pull-request-number
+ type: string
+ description: "The identifier number of the pull request/merge request."
+ default: ""
+ - name: target-branch
+ type: string
+ description: "The name of the target branch for the pull request, typically the branch into which the changes will be merged (e.g., 'main', 'develop')."
+ default: "main"
+ - name: oci-storage
+ description: The OCI repository where the Trusted Artifacts are stored.
+ type: string
+ volumes:
+ - name: sealights-credentials
+ secret:
+ secretName: sealights-credentials
+ - name: workdir
+ emptyDir: {}
+ stepTemplate:
+ volumeMounts:
+ - mountPath: /app
+ name: workdir
+ - name: sealights-credentials
+ mountPath: /usr/local/sealights-credentials
+ steps:
+ - name: use-trusted-artifact
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
+ args:
+ - use
+ - $(params.source-artifact)=/app/source
+ - name: sealights-python-instrumentation
+ image: registry.access.redhat.com/ubi8/python-$(params.python-version):latest
+ workingDir: /app/source
+ securityContext:
+ runAsUser: 0
+ env:
+ - name: COMPONENT
+ value: $(params.component)
+ - name: SCM_PROVIDER
+ value: $(params.scm-provider)
+ - name: REPOSITORY_URL
+ value: $(params.repository-url)
+ - name: BRANCH
+ value: $(params.branch)
+ - name: REVISION
+ value: $(params.revision)
+ - name: PULL_REQUEST_NUMBER
+ value: $(params.pull-request-number)
+ - name: TARGET_BRANCH
+ value: $(params.target-branch)
+ - name: TEST_EVENT
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['pipelinesascode.tekton.dev/event-type']
+ args: ["$(params.packages-excluded[*])"]
+ script: |
+ #!/bin/sh
+ set -euo pipefail
+
+ export SEALIGHTS_TOKEN BUILD_NAME BSID PACKAGES_EXCLUDED_ENUM
+
+ SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"
+ BUILD_NAME="${REVISION}_$(date +'%y%m%d.%H%M')"
+ PACKAGES_EXCLUDED_ENUM="$(IFS=,; echo "$(printf "%s," $@ | sed 's/,$//')")"
+
+ # Installs Sealights Python agent.
+ pip install sealights-python-agent
+
+ # In case build is coming from a /retest event then it's a pull_request
+ # if event type is not push and pull_request_number is not empty then is a pull_request
+ if [ "$TEST_EVENT" != "push" ] && [ -n "$PULL_REQUEST_NUMBER" ]; then
+ TEST_EVENT="pull_request"
+ fi
+
+ # Configures the app for sealights using vars from your pipeline run.
+ if [[ -n "${TEST_EVENT}" && "${TEST_EVENT}" == "pull_request" ]]; then
+ echo "[INFO] Generate build session id from a Pull Request source code"
+ sl-python prConfig --appname "${COMPONENT}" --targetbranch "${TARGET_BRANCH}" \
+ --pullrequestnumber "${PULL_REQUEST_NUMBER}" --latestcommit "${REVISION}" --repourl "${REPOSITORY_URL}" --buildname "${BUILD_NAME}" --exclude "${PACKAGES_EXCLUDED_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}"
+ else
+ echo "[INFO] Creating build session ID (BSID) for app: ${COMPONENT}, branch: ${BRANCH}, build: ${BUILD_NAME}..."
+ sl-python config --appname "${COMPONENT}" --branchname "${TARGET_BRANCH}" --buildname "${BUILD_NAME}" --exclude "${PACKAGES_EXCLUDED_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}"
+ fi
+
+ # Scans all .py files that are not in the --exclude step above and reports scan to sealights.
+ sl-python scan --buildsessionidfile buildSessionId.txt --scm "${SCM_PROVIDER}" --token "${SEALIGHTS_TOKEN}"
+
+ # Stores results to be used in future tasks for testing.
+ echo -n "$(cat buildSessionId.txt)" > $(results.sealights-bsid.path)
+ echo -n "$BUILD_NAME" > $(results.sealights-build-name.path)
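Review bot: The `sealights-secret` parameter is declared but never referenced — the `sealights-credentials` volume hard-codes `secretName: sealights-credentials`, so a caller who passes a different secret name silently mounts the wrong secret (or none); it should read `secretName: $(params.sealights-secret)`. In the script, `printf "%s," $@` leaves the excluded paths unquoted, so a value such as `/app/source/tests/*` (the form the docs example uses) is glob-expanded against the filesystem and word-split before it reaches `--exclude`; write `"$@"` (the surrounding `IFS=,; echo` wrapper does nothing and can go). The step also runs as root, installs `sealights-python-agent` unpinned from PyPI at task run time on top of a `:latest` base image, and puts the token on every `sl-python` command line where any process listing in the container can read it — pin at least the agent version, prefer the agent's `--tokenfile` option if the pinned version supports it, and either drop `runAsUser: 0` or note why root is required. `#!/bin/sh` with `set -o pipefail` and `[[ … ]]` only works because the image's sh happens to be bash; declare `#!/bin/bash`. Smaller points: the `config` branch passes `${TARGET_BRANCH}` as `--branchname` while its own log line reports `${BRANCH}` (likely `"${BRANCH}"` was intended), the `source-artifact` result is declared but never written, and the docs hunk names the results `build-session-id`/`build-name` and points `pathInRepo` at `tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml` rather than the file this commit adds.
```yaml
  volumes:
    - name: sealights-credentials
      secret:
        secretName: $(params.sealights-secret)
  # … unchanged: workdir volume, stepTemplate, use-trusted-artifact step, env block …
      script: |
        #!/bin/bash
        set -euo pipefail
        # … unchanged: exports, SEALIGHTS_TOKEN, BUILD_NAME …
        # Quote "$@" so exclude patterns such as /app/source/tests/* are neither glob-expanded nor word-split.
        PACKAGES_EXCLUDED_ENUM="$(printf '%s,' "$@" | sed 's/,$//')"
        # Pin the agent so the scan environment is reproducible; <AGENT_VERSION> is a placeholder.
        pip install "sealights-python-agent==<AGENT_VERSION>"
        # … unchanged: event detection, config/prConfig, scan, result files …
```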