verify-definition task used to run ec validate definition (conforma#545)

* create verify-definition task to run validate definition
* remove bash based task tests
* all task tests are in acceptance tests

Author: joejstuart

.github/workflows/checks.yaml

@@ -92,31 +92,4 @@ jobs:
         with:
           files: ./coverage-acceptance.out
           flags: acceptance
-
-  Task:
-    runs-on: ubuntu-latest
-    env:
-      TASK_BUNDLE_REF: registry.image-registry.svc.cluster.local:5000/ec-task-bundle
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Restore Cache
-        uses: actions/cache/restore@v3
-        with:
-          key: main
-          path: '**'
-
-      - name: Setup Go environment
-        uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: Setup Tekton Test environment
-        run: hack/setup-test-environment.sh
-
-      - name: Testing ec task
-        env:
-          TASK_VERSION: 0.1
-        run: tasks/verify-enterprise-contract/tests/run.sh
+          

.github/workflows/release.yaml

@@ -34,7 +34,6 @@ jobs:
     env:
       IMAGE_REPO: quay.io/hacbs-contract/ec-cli
       TAG: ${{ github.sha }}
-      TASK: tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
 
     steps:
       - name: Checkout repository
@@ -108,4 +107,6 @@ jobs:
         run: make dist-image-push IMAGE_TAG=$TAG IMAGE_REPO=$IMAGE_REPO ADD_IMAGE_TAG=snapshot
 
       - name: Create and push the tekton bundle
+        env:
+          TASK: "tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml,tasks/verify-definition/0.1/verify-definition.yaml"
         run: make task-bundle-snapshot TASK_TAG=$TAG TASK=<( yq e ".spec.steps[].image? = \"$IMAGE_REPO:$TAG\"" $TASK)

acceptance/kubernetes/kind/image.go

@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -54,74 +53,78 @@ func (k *kindCluster) buildCliImage(ctx context.Context) error {
 // only the task of a particular version. The image reference to the ec-cli
 // image is replaced with the image reference from buildCliImage.
 func (k *kindCluster) buildTaskBundleImage(ctx context.Context) error {
-	versions, err := filepath.Glob(path.Join("tasks/verify-enterprise-contract", "*.*"))
+	taskBundles := make(map[string][]string)
+
+	basePath := "tasks/"
+	taskDirs, err := os.ReadDir(basePath)
 	if err != nil {
 		return err
 	}
 
-	for _, version := range versions {
-		if info, err := os.Stat(version); err != nil {
-			return err
-		} else if !info.IsDir() {
+	for _, task := range taskDirs {
+		if !task.IsDir() {
 			continue
 		}
-
-		// we expect a file called `verify-enterprise-contract.yaml` in each
-		// version containing the Tekton Task definition
-		taskFile := path.Join(version, "verify-enterprise-contract.yaml")
-
-		if info, err := os.Stat(taskFile); err != nil {
-			if errors.Is(err, os.ErrNotExist) {
-				continue
-			}
-
+		// once all the directories under tasks/ are collected, gather all the versions
+		versions, err := filepath.Glob(filepath.Join(basePath, task.Name(), "*.*"))
+		if err != nil {
 			return err
-		} else if info.IsDir() {
-			continue
 		}
+		for _, versionPath := range versions {
+			pathSplit := strings.Split(versionPath, "/")
+			// there should only be versions under the task path i.e. tasks/verify-definition/0.1
+			version := pathSplit[len(pathSplit)-1]
+			// assume the task definition file is named the same as the task directory
+			fileName := filepath.Join(versionPath, fmt.Sprintf("%s.yaml", task.Name()))
+			if _, err := os.Stat(fileName); err != nil {
+				if errors.Is(err, os.ErrNotExist) {
+					continue
+				}
+				return err
+			}
+			var bytes []byte
+			if bytes, err = os.ReadFile(fileName); err != nil {
+				return err
+			}
 
-		var bytes []byte
-		if bytes, err = os.ReadFile(taskFile); err != nil {
-			return err
-		}
+			var taskDefinition v1beta1.Task
+			if err := yaml.Unmarshal(bytes, &taskDefinition); err != nil {
+				return err
+			}
 
-		var taskDefinition v1beta1.Task
-		if err := yaml.Unmarshal(bytes, &taskDefinition); err != nil {
-			return err
-		}
+			// using registry.image-registry.svc.cluster.local instead of 127.0.0.1
+			// leads to "dial tcp: lookup registry.image-registry.svc.cluster.local:
+			// Temporary failure in name resolution" in Tekton Pipeline controller
+			img := fmt.Sprintf("127.0.0.1:%d/ec-cli:latest-%s-%s", k.registryPort, runtime.GOOS, runtime.GOARCH)
+			steps := taskDefinition.Spec.Steps
+			for i, step := range steps {
+				if strings.Contains(step.Image, "/ec-cli:") {
+					steps[i].Image = img
+				}
+			}
 
-		// using registry.image-registry.svc.cluster.local instead of 127.0.0.1
-		// leads to "dial tcp: lookup registry.image-registry.svc.cluster.local:
-		// Temporary failure in name resolution" in Tekton Pipeline controller
-		img := fmt.Sprintf("127.0.0.1:%d/ec-cli:latest-%s-%s", k.registryPort, runtime.GOOS, runtime.GOARCH)
-		steps := taskDefinition.Spec.Steps
-		for i, step := range steps {
-			if strings.Contains(step.Image, "/ec-cli:") {
-				steps[i].Image = img
+			out, err := yaml.Marshal(taskDefinition)
+			if err != nil {
+				return err
 			}
-		}
 
-		out, err := yaml.Marshal(taskDefinition)
-		if err != nil {
-			return err
-		}
+			task, err := os.CreateTemp("", "v-e-c-*.yaml")
+			if err != nil {
+				return err
+			}
+			defer os.Remove(task.Name())
 
-		task, err := os.CreateTemp("", "v-e-c-*.yaml")
-		if err != nil {
-			return err
-		}
-		defer os.Remove(task.Name())
+			if _, err = task.Write(out); err != nil {
+				return err
+			}
 
-		if _, err = task.Write(out); err != nil {
-			return err
+			taskBundles[version] = append(taskBundles[version], task.Name())
 		}
+	}
 
-		// given a path like task/0.1 is `0.1` which gives us the version of the
-		// Task by the directory layout convention for the Tekton/Artifact Hub
-		ver := path.Base(version)
-
-		cmd := exec.CommandContext(ctx, "make", "task-bundle", fmt.Sprintf("TASK_REPO=localhost:%d/ec-task-bundle", k.registryPort), fmt.Sprintf("TASK=%s", task.Name()), fmt.Sprintf("TASK_TAG=%s", ver))
-
+	for version, tasks := range taskBundles {
+		tasksPath := strings.Join(tasks, ",")
+		cmd := exec.CommandContext(ctx, "make", "task-bundle", fmt.Sprintf("TASK_REPO=localhost:%d/ec-task-bundle", k.registryPort), fmt.Sprintf("TASK=%s", tasksPath), fmt.Sprintf("TASK_TAG=%s", version))
 		if out, err := cmd.CombinedOutput(); err != nil {
 			fmt.Print(string(out))
 			return err

acceptance/kubernetes/kind/kubernetes.go

@@ -243,7 +243,7 @@ func stringParam(name, value string, t *testState) tknv1beta1.Param {
 
 // RunTask creates a TaskRun with a random name running the Task from the Tekton
 // Bundle of a specific version with the provided parameters
-func (k *kindCluster) RunTask(ctx context.Context, version string, params map[string]string) error {
+func (k *kindCluster) RunTask(ctx context.Context, version, name, workspace string, params map[string]string) error {
 	t := testenv.FetchState[testState](ctx)
 
 	tkn, err := tekton.NewForConfig(k.config)
@@ -261,19 +261,28 @@ func (k *kindCluster) RunTask(ctx context.Context, version string, params map[st
 		return err
 	}
 
+	var wkspace []tknv1beta1.WorkspaceBinding
+	if workspace != "" {
+		wkspace = append(wkspace, tknv1beta1.WorkspaceBinding{
+			Name:     workspace,
+			EmptyDir: &v1.EmptyDirVolumeSource{},
+		})
+	}
+
 	tr, err := tkn.TaskRuns(t.namespace).Create(ctx, &tknv1beta1.TaskRun{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "acceptance-taskrun-",
 		},
 		Spec: tknv1beta1.TaskRunSpec{
+			Workspaces:         wkspace,
 			Params:             tknParams,
 			ServiceAccountName: "default",
 			TaskRef: &tknv1beta1.TaskRef{
 				ResolverRef: tknv1beta1.ResolverRef{
 					Resolver: "bundles",
 					Params: []tknv1beta1.Param{
 						stringParam("bundle", fmt.Sprintf("registry.image-registry.svc.cluster.local:%d/ec-task-bundle:%s", k.registryPort, version), t),
-						stringParam("name", "verify-enterprise-contract", t),
+						stringParam("name", name, t),
 						stringParam("kind", "task", t),
 					},
 				},

acceptance/kubernetes/kubernetes.go

@@ -133,7 +133,11 @@ func createPolicy(ctx context.Context, specification *godog.DocString) error {
 	return c.cluster.CreatePolicy(ctx, specification.Content)
 }
 
-func runTask(ctx context.Context, version string, params *godog.Table) error {
+func runTask(ctx context.Context, version, name string, params *godog.Table) error {
+	return runTaskWithWorkspace(ctx, version, name, "", params)
+}
+
+func runTaskWithWorkspace(ctx context.Context, version, name, workspace string, params *godog.Table) error {
 	c := testenv.FetchState[ClusterState](ctx)
 
 	if err := mustBeUp(ctx, *c); err != nil {
@@ -145,7 +149,7 @@ func runTask(ctx context.Context, version string, params *godog.Table) error {
 		taskParams[row.Cells[0].Value] = row.Cells[1].Value
 	}
 
-	return c.cluster.RunTask(ctx, version, taskParams)
+	return c.cluster.RunTask(ctx, version, name, workspace, taskParams)
 }
 
 func theTaskShouldSucceed(ctx context.Context) error {
@@ -229,7 +233,8 @@ func AddStepsTo(sc *godog.ScenarioContext) {
 	sc.Step(`^a working namespace$`, createNamespace)
 	sc.Step(`^policy configuration named "([^"]*)" with specification$`, createNamedPolicy)
 	sc.Step(`^a cluster policy with content:$`, createPolicy)
-	sc.Step(`^version ([\d.]+) of the task is run with parameters:$`, runTask)
+	sc.Step(`^version ([\d.]+) of the task named "([^"]*)" is run with parameters:$`, runTask)
+	sc.Step(`^version ([\d.]+) of the task named "([^"]*)" with workspace "([^"]*)" is run with parameters:$`, runTaskWithWorkspace)
 	sc.Step(`^the task should succeed$`, theTaskShouldSucceed)
 	sc.Step(`^an Snapshot named "([^"]*)" with specification$`, createNamedSnapshot)
 	// stops the cluster unless the environment is persisted, the cluster state

acceptance/kubernetes/stub/stub.go

@@ -107,7 +107,7 @@ func (s stubCluster) CreatePolicy(_ context.Context, _ string) error {
 	return errors.New("use `Given policy configuration named \"<name>\" with specification` when using the stub Kubernetes")
 }
 
-func (s stubCluster) RunTask(_ context.Context, _ string, _ map[string]string) error {
+func (s stubCluster) RunTask(_ context.Context, _, _, _ string, _ map[string]string) error {
 	return errors.New("can't run tasks when using the stub Kubernetes")
 }
 

acceptance/kubernetes/types/types.go

@@ -27,7 +27,7 @@ type Cluster interface {
 	CreateNamespace(context.Context) (context.Context, error)
 	CreateNamedPolicy(context.Context, string, string) error
 	CreatePolicy(context.Context, string) error
-	RunTask(context.Context, string, map[string]string) error
+	RunTask(context.Context, string, string, string, map[string]string) error
 	AwaitUntilTaskIsDone(context.Context) (bool, error)
 	TaskInfo(context.Context) (*TaskInfo, error)
 	CreateNamedSnapshot(context.Context, string, string) error

features/task_validate_definition.feature

@@ -0,0 +1,14 @@
+Feature: Verify Enterprise Contract Tekton Tasks
+  The Verify Enterprise Contract Tekton task verification against a set of golden images
+
+  Background:
+    Given a cluster running
+
+  Scenario: Verifying a simple task definition
+    Given a working namespace
+  
+    When version 0.1 of the task named "verify-definition" with workspace "output" is run with parameters:
+      | DEFINITION    | {"kind": "Task"}                                        |
+      | POLICY_SOURCE | git::github.com/hacbs-contract/ec-policies//policy/task |
+      | NAMESPACE     | policy.task.kind                                        |
+    Then the task should succeed

features/task.feature features/task_validate_image.featurefeatures/task.feature renamed to features/task_validate_image.feature

@@ -1,4 +1,4 @@
-Feature: Verify Enterprise Contract Tekton Task
+Feature: Verify Enterprise Contract Tekton Tasks
   The Verify Enterprise Contract Tekton task verification against a set of golden images
 
   Background:
@@ -24,7 +24,7 @@ Feature: Verify Enterprise Contract Tekton Task
         }
       }
       ```
-    When version 0.1 of the task is run with parameters:
+    When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
       | IMAGES               | {"components": [{"containerImage": "quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d"}]} |
       | POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME}                                                                                                                                  |
       | STRICT               | true                                                                                                                                                         |

tasks/verify-definition/0.1/README.md

@@ -0,0 +1,53 @@
+# Verify Definition Task
+
+This task is used to verify any valid YAML or JSON
+
+## Install the task
+kubectl apply -f https://raw.githubusercontent.com/hacbs-contract/ec-cli/main/tasks/verify-definition/0.1/verify-definition.yaml
+
+## Parameters
+### Required
+* **DEFINITION**: The definition(s) to validate. This can be a yaml or json file, the files' contents
+        or a directory containing the definition files. 
+* **POLICY_SOURCE**: The source containing the policy files.
+### Optional
+* **NAMESPACE**: An optional policy package namespace.
+* **POLICY_LIB**: The source containing the policy files libraries.
+* **POLICY_DATA**: The source containing the policy files configuration data.
+* **HOMEDIR**: Value for the HOME environment variable.
+
+## Usage
+This TaskRun runs the Task to verify the JSON string '{"kind": "Task"}'.
+
+```yaml
+---
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  generateName: verify-definition-run-
+spec:
+  params:
+  - name: HOMEDIR
+    value: /tekton/home
+  - name: DEFINITION
+    value: '{"kind": "Task"}'
+  - name: NAMESPACE
+    value: policy.task.kind
+  - name: POLICY_SOURCE
+    value: git::github.com/hacbs-contract/ec-policies//policy/task
+  resources: {}
+  serviceAccountName: default
+  taskRef:
+    resolver: bundles
+    params:
+    - name: bundle
+      value: ${TASK_BUNDLE_REF}
+    - name: name
+      value: verify-definition
+    - name: kind
+      value: task
+  timeout: 10m
+```
+
+
+