feat: add sample pipeline specification

pipeline-spec/oci-registry/oci-registry-creds.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-credentials
+data:
+  config.json: <base64data>

pipeline-spec/scan-pipeline/pipeline-scan.yaml

@@ -0,0 +1,67 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: demo-tekton-pipeline-scan
+spec:
+  description: |
+    The Pipeline clones the repository, builds the demo-app container image, scans it with Trivy, and pushes it to the OCI registry (e.g. Docker Hub) if no HIGH or CRITICAL vulnerabilities are found. 
+  params:
+  - name: repo-url
+    type: string
+  - name: image-reference
+    type: string
+  - name: app-path
+    type: string
+  workspaces:
+  - name: shared-data
+  - name: docker-credentials
+  tasks:
+  - name: fetch-source
+    taskRef:
+      name: git-clone
+    workspaces:
+    - name: output
+      workspace: shared-data
+    params:
+    - name: url
+      value: $(params.repo-url)
+  - name: build-only
+    runAfter: ["fetch-source"]
+    taskRef:
+      name: kaniko
+    workspaces:
+    - name: source
+      workspace: shared-data
+    - name: dockerconfig
+      workspace: docker-credentials
+    params:
+    - name: IMAGE
+      value: $(params.image-reference)
+    - name: CONTEXT
+      value: $(params.app-path)
+    - name: EXTRA_ARGS
+      value: ["--no-push", "--tarPath=image.tar"]
+  - name: scan
+    runAfter: ["build-only"]
+    taskRef:
+      name: scanner
+    workspaces:
+    - name: source
+      workspace: shared-data
+    params:
+    - name: IMAGE_TAR
+      value: image.tar
+  - name: build-push
+    runAfter: ["scan"]
+    taskRef:
+      name: kaniko
+    workspaces:
+    - name: source
+      workspace: shared-data
+    - name: dockerconfig
+      workspace: docker-credentials
+    params:
+    - name: IMAGE
+      value: $(params.image-reference)
+    - name: CONTEXT
+      value: $(params.app-path)

pipeline-spec/scan-pipeline/pipelinerun-scan.yaml

@@ -0,0 +1,24 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: demo-tekton-pipeline-
+spec:
+  pipelineRef:
+    name: demo-tekton-pipeline-scan
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
+  workspaces:
+  - name: shared-data
+    persistentVolumeClaim:
+      claimName: tekton-pvc
+  - name: docker-credentials
+    secret:
+      secretName: docker-credentials
+  params:
+  - name: repo-url
+    value: <demo tekton pipeline forked source repository>
+  - name: image-reference
+    value: index.docker.io/<your dockerhub username>/demo-app:1.0.0
+  - name: app-path
+    value: ./app-spec/

pipeline-spec/scan-pipeline/task-scan.yaml

@@ -0,0 +1,18 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: scanner
+spec:
+  description: Scan container image with Trivy
+  workspaces:
+  - name: source
+  params:
+    - name: IMAGE_TAR
+      description: Kaniko tar image to be scanned
+      type: string
+  steps:
+  - name: scan
+    image: docker.io/aquasec/trivy
+    script: | 
+      #!/usr/bin/env sh
+      trivy image --severity HIGH, CRITICAL --exit-code 1 --input $(workspaces.source.path)/$(params.IMAGE_TAR)

pipeline-spec/simple-pipeline/pipeline.yaml

@@ -0,0 +1,41 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: demo-tekton-pipeline
+spec:
+  description: |
+    The Pipeline clones the repository, builds the demo-app container image and pushes it to the target OCI registry (e.g. Docker Hub). 
+  params:
+  - name: repo-url
+    type: string
+  - name: image-reference
+    type: string
+  - name: app-path
+    type: string
+  workspaces:
+  - name: shared-data
+  - name: docker-credentials
+  tasks:
+  - name: fetch-source
+    taskRef:
+      name: git-clone
+    workspaces:
+    - name: output
+      workspace: shared-data
+    params:
+    - name: url
+      value: $(params.repo-url)
+  - name: build-push
+    runAfter: ["fetch-source"]
+    taskRef:
+      name: kaniko
+    workspaces:
+    - name: source
+      workspace: shared-data
+    - name: dockerconfig
+      workspace: docker-credentials
+    params:
+    - name: IMAGE
+      value: $(params.image-reference)
+    - name: CONTEXT
+      value: $(params.app-path)

pipeline-spec/simple-pipeline/pipelinerun.yaml

@@ -0,0 +1,24 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: demo-tekton-pipeline-
+spec:
+  pipelineRef:
+    name: demo-tekton-pipeline
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
+  workspaces:
+  - name: shared-data
+    persistentVolumeClaim:
+      claimName: tekton-pvc
+  - name: docker-credentials
+    secret:
+      secretName: docker-credentials
+  params:
+  - name: repo-url
+    value: <demo tekton pipeline forked source repository>
+  - name: image-reference
+    value: index.docker.io/<your dockerhub username>/demo-app:1.0.0
+  - name: app-path
+    value: ./app-spec/

pipeline-spec/volumes/pv.yaml

@@ -0,0 +1,14 @@
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: tekton-pv
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/mnt/tekton"

pipeline-spec/volumes/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: tekton-pvc
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi