feat: Konflux configuration as code

.tekton/deploy-konflux-config-pull-request.yaml

@@ -0,0 +1,51 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/osmman/pipelines?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+      == "main" && ( "konflux-configs/***".pathChanged() || ".tekton/deploy-konflux-config-pull-request.yaml".pathChanged()
+      || "pipelines/deploy-konflux-config.yaml".pathChanged() || "tasks/apply-manifest.yaml".pathChanged()
+      )
+    pipelinesascode.tekton.dev/pipeline: pipelines/deploy-konflux-config.yaml
+  creationTimestamp: null
+  labels:
+    appstudio.openshift.io/application: pipelines
+    appstudio.openshift.io/component: deploy-konflux-config
+    pipelines.appstudio.openshift.io/type: build
+  name: deploy-konflux-config-on-pull-request
+  namespace: rhtas-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: kustomize-path
+    value: konflux-configs/overlay/prod
+  - name: apply-changes
+    value: "false"
+  pipelineRef:
+    name: deploy-konflux-config
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-deploy-konflux-config
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+      status: {}
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

.tekton/deploy-konflux-config-push.yaml

@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/osmman/pipelines?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+      == "main" && ( "konflux-configs/***".pathChanged() || ".tekton/deploy-konflux-config-push.yaml".pathChanged()
+      || "pipelines/deploy-konflux-config.yaml".pathChanged() || "tasks/apply-manifest.yaml".pathChanged()
+      )
+    pipelinesascode.tekton.dev/pipeline: pipelines/deploy-konflux-config.yaml
+  creationTimestamp: null
+  labels:
+    appstudio.openshift.io/application: pipelines
+    appstudio.openshift.io/component: deploy-konflux-config
+    pipelines.appstudio.openshift.io/type: build
+  name: deploy-konflux-config-on-push
+  namespace: rhtas-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: kustomize-path
+    value: konflux-configs/overlay/prod
+  - name: apply-changes
+    value: "true"
+  pipelineRef:
+    name: deploy-konflux-config
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-deploy-konflux-config
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+      status: {}
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

konflux-configs/README.md

@@ -0,0 +1,11 @@
+## Previewing Changes
+To preview your changes, use the Kustomize CLI:
+```
+kustomize build overlay/prod
+```
+
+## Applying configuration to cluster
+Before applying changes, ensure you have access to the Konflux cluster. Then, execute the following command:
+```
+oc apply -k overlay/prod
+```

konflux-configs/base/application/konflux/base/application.yaml

@@ -0,0 +1,6 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Application
+metadata:
+  name: konflux
+spec:
+  displayName: Konflux

konflux-configs/base/application/konflux/base/component.yaml

@@ -0,0 +1,17 @@
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: Component
+metadata:
+  annotations:
+    build.appstudio.openshift.io/request: configure-pac
+    build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}'
+  name: configuration-as-code
+  namespace: tturek-tenant
+spec:
+  application: konflux
+  componentName: configuration-as-code
+  containerImage: quay.io/securesign/configuration-as-code
+  resources: {}
+  source:
+    git:
+      revision: konflux-configuration-as-code
+      url: https://github.com/securesign/pipelines

konflux-configs/base/application/konflux/base/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - application.yaml
+  - component.yaml

konflux-configs/base/application/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - konflux/base

konflux-configs/base/project/ansible/base/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - project.yaml
+  - template.yaml

konflux-configs/base/project/ansible/base/project.yaml

@@ -0,0 +1,8 @@
+apiVersion: projctl.konflux.dev/v1beta1
+kind: Project
+metadata:
+  name: ansible
+spec:
+  displayName: "Red Hat Trusted Artifact Signer Ansible"
+  description: |
+    Ansible collections to automate the deployment of the Red Hat Trusted Artifact Signer (RHTAS) service on Red Hat Enterprise Linux (RHEL).

konflux-configs/base/project/ansible/base/template.yaml

@@ -0,0 +1,24 @@
+apiVersion: projctl.konflux.dev/v1beta1
+kind: ProjectDevelopmentStreamTemplate
+metadata:
+  name: ansible-template
+spec:
+  project: ansible
+  variables:
+    - name: version
+      description: A version number for a new development stream
+    - name: branch
+      description: Git branch
+      defaultValue: "main"
+    - name: nameSuffix
+      description: A suffix which will be added to K8s resource name
+      defaultValue: "-{{hyphenize .version}}"
+  resources:
+    - apiVersion: appstudio.redhat.com/v1alpha1
+      kind: Application
+      metadata:
+        annotations:
+          application.thumbnail: "9"
+        name: "ansible{{.nameSuffix}}"
+      spec:
+        displayName: "ansible ({{.version}})"

konflux-configs/base/project/ansible/overlay/collection-patch.yaml

@@ -0,0 +1,19 @@
+- op: add
+  path: /spec/resources/-
+  value:
+    apiVersion: appstudio.redhat.com/v1alpha1
+    kind: Component
+    metadata:
+      annotations:
+        build.appstudio.openshift.io/pipeline: '{"name":"docker-build","bundle":"latest"}'
+        build.appstudio.openshift.io/status: '{"pac":{"state":"enabled","merge-url":"https://github.com/securesign/artifact-signer-ansible/pull/259","configuration-time":"Wed, 07 Aug 2024 08:59:18 UTC"},"message":"done"}'
+      name: "artifact-signer-ansible{{.nameSuffix}}"
+    spec:
+      application: "ansible{{.nameSuffix}}"
+      componentName: "artifact-signer-ansible{{.nameSuffix}}"
+      source:
+        git:
+          context: ./
+          dockerfileUrl: Dockerfile
+          revision: "{{.branch}}"
+          url: https://github.com/securesign/artifact-signer-ansible

konflux-configs/base/project/ansible/overlay/ec-patch.yaml

@@ -0,0 +1,21 @@
+- op: add
+  path: /spec/resources/-
+  value:
+    apiVersion: appstudio.redhat.com/v1beta2
+    kind: IntegrationTestScenario
+    metadata:
+      annotations:
+        test.appstudio.openshift.io/kind: enterprise-contract
+      name: "ansible{{.nameSuffix}}-enterprise-contract"
+    spec:
+      application: "ansible{{.nameSuffix}}"
+      resolverRef:
+        params:
+          - name: url
+            value: https://github.com/konflux-ci/build-definitions
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: pipelines/enterprise-contract.yaml
+        resolver: git
+        resourceKind: pipeline

konflux-configs/base/project/ansible/overlay/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../base
+
+patches:
+  - target:
+      name: ansible-template
+      kind: ProjectDevelopmentStreamTemplate
+    path: collection-patch.yaml
+  - target:
+      name: ansible-template
+      kind: ProjectDevelopmentStreamTemplate
+    path: ec-patch.yaml

konflux-configs/base/project/fbc/base/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - project.yaml
+  - template.yaml

konflux-configs/base/project/fbc/base/project.yaml

@@ -0,0 +1,8 @@
+apiVersion: projctl.konflux.dev/v1beta1
+kind: Project
+metadata:
+  name: fbc
+spec:
+  displayName: "Multi-version fbc project"
+  description: |
+    Multi-version fbc project.

konflux-configs/base/project/fbc/base/template.yaml

@@ -0,0 +1,30 @@
+apiVersion: projctl.konflux.dev/v1beta1
+kind: ProjectDevelopmentStreamTemplate
+metadata:
+  name: fbc-project-template
+spec:
+  project: fbc
+  variables:
+    - name: version
+      description: A version number for a new development stream
+    - name: ocpVersion
+      description: OCP version number e.g 4.18
+    - name: gitRevision
+      description: The git revision we want to onboard
+    - name: gitContext
+      description: The git context we want to use
+    - name: baseName
+      description: FBC version number e.g fbc-v4-18
+      defaultValue: "fbc-v{{hyphenize .ocpVersion}}"
+    - name: nameSuffix
+      description: A suffix which will be added to K8s resource name
+      defaultValue: "-{{hyphenize .version}}"
+  resources:
+    - apiVersion: appstudio.redhat.com/v1alpha1
+      kind: Application
+      metadata:
+        annotations:
+          application.thumbnail: "9"
+        name: "{{.baseName}}{{.nameSuffix}}"
+      spec:
+        displayName: "{{.baseName}} ({{.version}})"

konflux-configs/base/project/fbc/overlay/component-patch.yaml

@@ -0,0 +1,19 @@
+- op: add
+  path: /spec/resources/-
+  value:
+    apiVersion: appstudio.redhat.com/v1alpha1
+    kind: Component
+    metadata:
+      annotations:
+        build.appstudio.openshift.io/pipeline: '{"name":"fbc-builder","bundle":"latest"}'
+        build.appstudio.openshift.io/status: '{"pac":{"state":"enabled","merge-url":"https://github.com/securesign/fbc/pull/97","configuration-time":"Thu,27 Mar 2025 12:35:34 UTC"},"message":"done"}'
+      name: "{{.baseName}}{{.nameSuffix}}"
+    spec:
+      application: "{{.baseName}}{{.nameSuffix}}"
+      componentName: "{{.baseName}}{{.nameSuffix}}"
+      source:
+        git:
+          context: "{{ .gitContext }}"
+          dockerfileUrl: catalog.Dockerfile
+          revision: "{{.gitRevision}}"
+          url: https://github.com/securesign/fbc

konflux-configs/base/project/fbc/overlay/e2e-patch.yaml

@@ -0,0 +1,27 @@
+- op: add
+  path: /spec/resources/-
+  value:
+    apiVersion: appstudio.redhat.com/v1beta2
+    kind: IntegrationTestScenario
+    metadata:
+      labels:
+        test.appstudio.openshift.io/optional: "true"
+      name: "{{.baseName}}{{.nameSuffix}}-e2e"
+    spec:
+      application: "{{.baseName}}{{.nameSuffix}}"
+      contexts:
+        - description: execute the integration test in all cases - this would be the default state
+          name: application
+      params:
+        - name: OCP_VERSION
+          value: "{{.ocpVersion}}"
+      resolverRef:
+        params:
+          - name: url
+            value: https://github.com/securesign/pipelines.git
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: pipelines/rhtas-operator-e2e.yaml
+        resolver: git
+        resourceKind: pipeline

konflux-configs/base/project/fbc/overlay/ec-patch.yaml

@@ -0,0 +1,27 @@
+- op: add
+  path: /spec/resources/-
+  value:
+    apiVersion: appstudio.redhat.com/v1beta2
+    kind: IntegrationTestScenario
+    metadata:
+      annotations:
+        test.appstudio.openshift.io/kind: enterprise-contract
+      name: "{{.baseName}}{{.nameSuffix}}-enterprise-contract"
+    spec:
+      application: "{{.baseName}}{{.nameSuffix}}"
+      contexts:
+        - description: Application testing
+          name: application
+      params:
+        - name: POLICY_CONFIGURATION
+          value: rhtap-releng-tenant/fbc-standard
+      resolverRef:
+        params:
+          - name: url
+            value: https://github.com/redhat-appstudio/build-definitions
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: pipelines/enterprise-contract.yaml
+        resolver: git
+        resourceKind: pipeline

konflux-configs/base/project/fbc/overlay/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../base
+
+patches:
+  - target:
+      name: fbc-project-template
+      kind: ProjectDevelopmentStreamTemplate
+    path: component-patch.yaml
+  - target:
+      name: fbc-project-template
+      kind: ProjectDevelopmentStreamTemplate
+    path: ec-patch.yaml
+  - target:
+      name: fbc-project-template
+      kind: ProjectDevelopmentStreamTemplate
+    path: e2e-patch.yaml