Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add sign-image pipeline #192

Merged
merged 1 commit into from
Oct 1, 2024
Merged

feat: add sign-image pipeline #192

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions internal-services/catalog/sign-image-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: sign-image
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
spec:
description: >-
Tekton pipeline for image signing via RADAS
params:
- name: pipeline_image
description: An image with CLI tools needed for the signing.
default: quay.io/redhat-isv/operator-pipelines-images:released

- name: manifest_digest
description: Manifest digest for the signed content, usually in the format sha256:xxx

- name: reference
description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9

- name: requester
description: Name of the user that requested the signing, for auditing purposes

- name: config_map_name
description: A config map name with configuration
default: hacbs-signing-pipeline-config

workspaces:
- name: pipeline
tasks:
- name: set-env
taskRef:
name: set-env
params:
- name: config_map_name
value: $(params.config_map_name)

- name: request-signature
taskRef:
name: request-signature
bundle:
quay.io/redhat-isv/tkn-signing-bundle@sha256:72c94ed690baa0f892e69a893520b8089a1008c84f67ee47a19b2dcdd526849d
runAfter:
- set-env
params:
- name: pipeline_image
value: "$(params.pipeline_image)"
- name: manifest_digest
value: "$(params.manifest_digest)"
- name: reference
value: "$(params.reference)"
- name: requester
value: "$(params.requester)"
- name: sig_key_id
value: "$(tasks.set-env.results.sig_key_id)"
- name: sig_key_name
value: "$(tasks.set-env.results.sig_key_name)"
- name: umb_ssl_secret_name
value: "$(tasks.set-env.results.ssl_cert_secret_name)"
- name: umb_ssl_cert_secret_key
value: "$(tasks.set-env.results.ssl_cert_file_name)"
- name: umb_ssl_key_secret_key
value: "$(tasks.set-env.results.ssl_key_file_name)"
- name: umb_client_name
value: "$(tasks.set-env.results.umb_client_name)"
- name: umb_url
value: "$(tasks.set-env.results.umb_url)"
- name: umb_listen_topic
value: "$(tasks.set-env.results.umb_listen_topic)"
- name: umb_publish_topic
value: "$(tasks.set-env.results.umb_publish_topic)"
workspaces:
- name: source
workspace: pipeline
subPath: signing

- name: upload-signature
taskRef:
name: upload-signature
bundle:
quay.io/redhat-isv/tkn-signing-bundle@sha256:72c94ed690baa0f892e69a893520b8089a1008c84f67ee47a19b2dcdd526849d
runAfter:
- request-signature
params:
- name: pipeline_image
value: "$(params.pipeline_image)"
- name: signature_data_file
value: "$(tasks.request-signature.results.signature_data_file)"
- name: pyxis_ssl_secret_name
value: "$(tasks.set-env.results.ssl_cert_secret_name)"
- name: pyxis_ssl_cert_secret_key
value: "$(tasks.set-env.results.ssl_cert_file_name)"
- name: pyxis_ssl_key_secret_key
value: "$(tasks.set-env.results.ssl_key_file_name)"
- name: pyxis_url
value: "$(tasks.set-env.results.pyxis_url)"
- name: verify_signature
value: "false"
workspaces:
- name: source
workspace: pipeline
subPath: signing