From 90222d32cc8a147018ef024c68187dade2523ae1 Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Mon, 6 Jan 2025 14:38:17 -0500 Subject: [PATCH] feat(KFLUXDP-94): Add Tekton task to configure sealights for Python. Signed-off-by: Adam Scerra --- docs/SUMMARY.md | 1 + .../python-instrumentation.md | 109 +++++++++++++ .../sealights/sealights-python/0.1/README.md | 3 + .../0.1/sealights-python.yaml | 148 ++++++++++++++++++ 4 files changed, 261 insertions(+) create mode 100644 docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md create mode 100644 tasks/sealights/sealights-python/0.1/README.md create mode 100644 tasks/sealights/sealights-python/0.1/sealights-python.yaml diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md index 5a89423..d383696 100644 --- a/docs/SUMMARY.md +++ b/docs/SUMMARY.md @@ -20,3 +20,4 @@ - [yamllint](./qe-available-tasks/linters/yamllint.md) - Sealights - [Sealights Golang Instrumentation](./qe-available-tasks/sealights/go-instrumentation/go-instrumentation.md) + - [Sealights Python Instrumentation](./qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md) diff --git a/docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md b/docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md new file mode 100644 index 0000000..1758ac1 --- /dev/null +++ b/docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md @@ -0,0 +1,109 @@ +# Sealights Python Instrumentation Tekton Task + +This Tekton task automates the process of instrumenting python code with Sealights for quality analytics and testing. It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for Sealights using vars from your PipelineRun, scans all .py files, reports scan to Sealights, and stores results to be used later on in testing. The task can be triggered by either Pull Request or other events. + +## Overview + +This task performs the following steps: + +1. **Retrieves** the source code from a trusted artifact. +2. **Configures & Scans** the Python application using Sealights. + +The task can be triggered by different events (e.g., Pull Request, Push) and allows users to exclude specific paths from the configuration process. + +## Parameters + +| Name | Type | Default | Description | +|-----------------------|----------|---------------|-----------------------------------------------------------------------------------------------| +| `source-artifact` | `string` | - | The Trusted Artifact URI pointing to the source code. | +| `python-version` | `string` | - | The Python version to use with the 'ubi8/python' image, in the format (e.g., '311'). | | +| `component` | `string` | - | The name of the Konflux component associated with the integration tests. | +| `scm-provider` | `string` | `Github` | The SCM provider (e.g., `Github`). | +| `exclude` | `array` | `[]` | A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/source/tests/*','/app/examples/*'). | +| `repository-url` | `string` | `""` | URL of the source code repository (e.g., `github.com/org/repo`). | +| `branch` | `string` | `main` | The Git branch to use (e.g., `main`, `feature-branch`). | +| `revision` | `string` | - | The Git revision (commit SHA). | +| `pull-request-number` | `string` | `""` | The Pull Request number. | +| `target-branch` | `string` | `main` | The target branch for the Pull Request (e.g., `main`, `develop`). | + +## Results + +| Name | Type | Description | +|---------------------|----------|-----------------------------------------------------------------------------| +| `sealights-bsid` | `string` | A unique identifier for the Sealights build session. | +| `sealights-build-name` | `string` | A unique build name generated using the commit SHA and current date. | + +## Volumes + +| Name | Description | +|-----------------------|----------------------------------------------------------------| +| `sealights-credentials` | Stores Sealights credentials from the specified secret. | +| `workdir` | Temporary working directory for source code operations. | + +## Steps + +### 1. `use-trusted-artifact` + +Retrieves the source code from a trusted artifact. + +### 2. `sealights-python-instrumentation` + +Configures and Scans the Python application using Sealights. + +## Usage Instructions + +### Create the Sealights Secret (REQUIRED) + +Ensure you have a Kubernetes secret named **sealights-credentials** containing your Sealights agent token. + +We assign the SEALIGHTS_TOKEN var in the script with this command. +```SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"``` +>NOTE: you must name the value of the secret **token**. + +For example: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: sealights-credentials +type: Opaque +data: + token: +``` + +### Example Pipeline + +Here's an example of how you can use the `sealights-python-instrumentation` task in a Tekton pipelinerun during Konflux CI build. + +```yaml + - name: sealights-instrumentation + runAfter: + - clone-repository + taskRef: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/tekton-integration-catalog.git + - name: revision + value: main + - name: pathInRepo + value: tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml + params: + - name: source-artifact + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: python-version + value: "311" + - name: sealights-secret + value: "sealights-credentials" + - name: component + value: '{{ repo_name }}' + - name: branch + value: '{{ source_branch }}' + - name: revision + value: '{{ revision }}' + - name: exclude + value: ['/app/source/tests/*'] + - name: scm-provider + value: "Github" +``` diff --git a/tasks/sealights/sealights-python/0.1/README.md b/tasks/sealights/sealights-python/0.1/README.md new file mode 100644 index 0000000..50c08d9 --- /dev/null +++ b/tasks/sealights/sealights-python/0.1/README.md @@ -0,0 +1,3 @@ +# Tekton Task: Sealights Python Instrumentation + +Please read/update [test metadata docs](../../../../docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md) from docs folder. \ No newline at end of file diff --git a/tasks/sealights/sealights-python/0.1/sealights-python.yaml b/tasks/sealights/sealights-python/0.1/sealights-python.yaml new file mode 100644 index 0000000..dd113ff --- /dev/null +++ b/tasks/sealights/sealights-python/0.1/sealights-python.yaml @@ -0,0 +1,148 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: sealights-python-instrumentation + labels: + konflux-ci/sealights: "true" + konflux-ci/sealights-language: "python" +spec: + description: >- + This Tekton task automates the process of configuring your Python application with Sealights for quality analytics and testing. + It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for Sealights using + vars from your PipelineRun, scans all .py files, reports scan to Sealights, and stores results to be used later on in testing. + The task can be triggered by either Pull Request or other events. + results: + - name: sealights-bsid + type: string + description: "A unique identifier generated for the current Sealights build session." + - name: sealights-build-name + type: string + description: "A unique build name generated using the commit SHA and current date to prevent conflicts during test reruns." + params: + - name: source-artifact + description: The Trusted Artifact URI pointing to the artifact with the application source code. + type: string + - name: python-version + type: string + description: "The Python version to use with the 'ubi8/python' image, in the format (e.g., '311')." + - name: component + type: string + description: "The name of the Konflux component associated with the integration tests." + - name: scm-provider + type: string + default: "github" + description: "The source control management (SCM) provider used for the project, such as 'Github', 'Gitlab'." + - name: exclude + type: array + default: [] + description: "A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/source/tests/*','/app/examples/*')." + - name: repository-url + type: string + description: "The name or URL of the source code repository (e.g., 'github.com/org/repo')." + default: "" + - name: branch + type: string + description: "The name of the Git branch to use for the operation (e.g., 'main' or 'feature-branch')." + default: "main" + - name: revision + type: string + description: "The Git revision (commit SHA) from which the test pipeline is originating." + - name: pull-request-number + type: string + description: "The identifier number of the pull request/merge request." + default: "" + - name: target-branch + type: string + description: "The name of the target branch for the pull request, typically the branch into which the changes will be merged (e.g., 'main', 'develop')." + default: "main" + volumes: + - name: sealights-credentials + secret: + secretName: sealights-credentials + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /app + name: workdir + - name: sealights-credentials + mountPath: /usr/local/sealights-credentials + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af + args: + - use + - $(params.source-artifact)=/app/source + - name: sealights-python-instrumentation + image: registry.access.redhat.com/ubi8/python-$(params.python-version):latest + workingDir: /app/source + securityContext: + runAsUser: 0 + env: + - name: COMPONENT + value: $(params.component) + - name: SCM_PROVIDER + value: $(params.scm-provider) + - name: REPOSITORY_URL + valueFrom: + fieldRef: + fieldPath: metadata.labels['pipelinesascode.tekton.dev/url-repository'] + - name: BRANCH + value: $(params.branch) + - name: REVISION + value: $(params.revision) + - name: PULL_REQUEST_NUMBER + valueFrom: + fieldRef: + fieldPath: metadata.labels['pipelinesascode.tekton.dev/pull-request'] + - name: TARGET_BRANCH + value: $(params.target-branch) + - name: TEST_EVENT + valueFrom: + fieldRef: + fieldPath: metadata.labels['pipelinesascode.tekton.dev/event-type'] + args: ["$(params.exclude[*])"] + script: | + #!/bin/sh + set -euo pipefail + + export SEALIGHTS_TOKEN BUILD_NAME EXCLUDE_ENUM + + SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)" + BUILD_NAME="${REVISION}_$(date +'%y%m%d.%H%M')" + EXCLUDE_ENUM="$(IFS=,; echo "$(printf "%s," $@ | sed 's/,$//')")" + + # Installs Sealights Python agent. + pip install sealights-python-agent + + # In case build is coming from a /retest event then it's a pull_request + # if event type is not push and pull_request_number is not empty then is a pull_request + if [ "$TEST_EVENT" != "push" ] && [ -n "$PULL_REQUEST_NUMBER" ]; then + TEST_EVENT="pull_request" + fi + + echo "${COMPONENT}" + echo "${TARGET_BRANCH}" + echo "${PULL_REQUEST_NUMBER}" + echo "${REVISION}" + echo "${REPOSITORY_URL}" + echo "${BUILD_NAME}" + echo "${EXCLUDE_ENUM}" + + + # Configures the app for sealights using vars from your pipeline run. + if [[ -n "${TEST_EVENT}" && "${TEST_EVENT}" == "pull_request" ]]; then + echo "[INFO] Generate build session id from a Pull Request source code" + sl-python prConfig --appname "${COMPONENT}" --targetbranch "${TARGET_BRANCH}" \ + --pullrequestnumber "${PULL_REQUEST_NUMBER}" --latestcommit "${REVISION}" --repourl "${REPOSITORY_URL}" --buildname "${BUILD_NAME}" --exclude "${EXCLUDE_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}" + else + echo "[INFO] Creating build session ID (BSID) for app: ${COMPONENT}, branch: ${BRANCH}, build: ${BUILD_NAME}..." + sl-python config --appname "${COMPONENT}" --branchname "${TARGET_BRANCH}" --buildname "${BUILD_NAME}" --exclude "${EXCLUDE_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}" + fi + + # Scans all .py files that are not in the --exclude step above and reports scan to sealights. + sl-python scan --buildsessionidfile buildSessionId.txt --scmprovider "${SCM_PROVIDER}" --token "${SEALIGHTS_TOKEN}" + + # Stores results to be used in future tasks for testing. + echo -n "$(cat buildSessionId.txt)" > $(results.sealights-bsid.path) + echo -n "$BUILD_NAME" > $(results.sealights-build-name.path)