diff --git a/task/conftest/0.2/README.md b/task/conftest/0.2/README.md
new file mode 100644
index 00000000..071c533e
--- /dev/null
+++ b/task/conftest/0.2/README.md
@@ -0,0 +1,65 @@
+# Conftest
+
+These tasks make it possible to use [Conftest](https://github.com/instrumenta/conftest) within
+your Tekton pipelines. Conftest is a tool for testing configuration files using [Open Policy Agent](https://openpolicyagent.org).
+
+## Installation
+
+In order to use Conftest with Tekton you need to first install the task.
+
+```console
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/conftest/0.2/raw
+```
+
+## Platforms
+
+The Task can be run on `linux/amd64` platform.
+
+## Usage
+
+Once installed, the task can be used as follows:
+
+```yaml
+apiVersion: tekton.dev/v1
+kind: TaskRun
+metadata:
+ name: conftest-example
+spec:
+ taskRef:
+ name: conftest
+ workspaces:
+ - name: source
+ persistentVolumeClaim:
+ claimName: my-source
+ params:
+ - name: files
+ value: examples/kubernetes/deployment.yaml
+ - name: policy
+ value: examples/kubernetes/policy
+```
+
+Note that the above repository contains both a configuration file we want to test (`examples/kubernetes/deployment.yaml`) and a directory (`examples/kubernetes/policy`) containing OPA policy files. When using the task you would provide the details of the repository you want to test.
+
+If you apply the above `TaskRun` you can see the output in the `taskrun` logs.
For example:
+
+```console
+$ tkn taskrun logs conftest-example -f
+[git-source-source-6pt9g] {"level":"warn","ts":1566067534.0510817,"logger":"fallback-logger","caller":"logging/config.go:69","msg":"Fetch GitHub commit ID from kodata failed: \"ref: refs/heads/master\" is not a valid GitHub commit ID"}
+[git-source-source-6pt9g] {"level":"info","ts":1566067534.989535,"logger":"fallback-logger","caller":"git/git.go:102","msg":"Successfully cloned https://github.com/instrumenta/conftest.git @ master in path /workspace/source"}
+[conftest] FAIL - examples/kubernetes/deployment.yaml - Containers must not run as root in Deployment hello-kubernetes
+[conftest] FAIL - examples/kubernetes/deployment.yaml - Deployment hello-kubernetes must provide app/release labels for pod selectors
+[conftest] FAIL - examples/kubernetes/deployment.yaml - hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
+
+container step-conftest has failed : Error
+```
+
+## Parameters
+
+* **files**: The files to test against the specified policies
+* **policy**: Where to find the policies (_default:_ `policy`)
+* **output**: Which output format to use (_default:_ `stdout`)
+* **args**: An array of additional arguments to pass to Conftest (_default `[]`_)
+
+## Workspaces
+
+* **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
diff --git a/task/conftest/0.2/conftest.yaml b/task/conftest/0.2/conftest.yaml
new file mode 100644
index 00000000..904473e0
--- /dev/null
+++ b/task/conftest/0.2/conftest.yaml
@@ -0,0 +1,44 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: conftest
+ labels:
+ app.kubernetes.io/version: "0.2"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.56.1"
+ tekton.dev/displayName: "conftest"
+ tekton.dev/categories: Developer Tools
+ tekton.dev/tags: jq
+ tekton.dev/platforms: "linux/amd64"
+spec:
+ description: >-
+ These tasks make it possible to use Conftest within your Tekton pipelines
+
+ Conftest is a tool for testing configuration files using Open Policy Agent.
+
+ workspaces:
+ - name: source
+ params:
+ - name: files
+ type: string
+ - name: policy
+ default: "policy"
+ - name: output
+ default: "stdout"
+ - name: args
+ type: array
+ default: []
+
+ steps:
+ - name: conftest
+ workingDir: $(workspaces.source.path)
+ image: docker.io/openpolicyagent/conftest:v0.54.0@sha256:094e3bc9af439d16d15379bff9fc3aec0d558936aa1ac1e0574c0dcfa1c43e86 #tag: v0.54.0
+ command:
+ - conftest
+ - test
+ - $(params.files)
+ - -p
+ - $(params.policy)
+ - -o
+ - $(params.output)
+ - $(params.args)
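Review bot: The `tekton.dev/tags: jq` annotation in the metadata block does not describe this task and looks copied from another catalog entry; it should name the tool, e.g. `tekton.dev/tags: conftest`. The `policy` and `output` params omit `type: string` while `files` declares it — use one form for all three so the parameter list reads consistently. The step invokes the conftest binary directly with every parameter as its own argv element and the image is pinned by digest, so parameter values are never shell-interpreted; what the step does not declare is a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`), which is worth adding unless the cluster's Pod Security admission or the image's default user already covers it — the hunk does not show which user the image runs as. The inline `#tag: v0.54.0` comment on the image line should be written `  # tag: v0.54.0` (two spaces before, one after the hash) per yamllint's comment rules.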