fix(KFLUXBUGS-1693): remove fail-unsigned param from task
- Update task
- Add MIGRATION.md
- Update template version

Signed-off-by: Avi Biton <[email protected]>
avi-biton authored and lcarva committed Oct 7, 2024
1 parent 118d049 commit 1398846
Showing 12 changed files with 166 additions and 39 deletions.
5 changes: 2 additions & 3 deletions pipelines/docker-build-multi-platform-oci-ta/README.md
Expand Up @@ -153,12 +153,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
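Review bot: With the `fail-unsigned` row removed from the rpms-signature-scan:0.2 parameter table, this README no longer says what happens when the scan finds unsigned RPMs. The removed row defaulted to `false`, but anyone who set it to `true` was using the task as a gate. Suggest one sentence near this table, and near the same table in the other pipeline READMEs touched by this commit, stating whether unsigned RPMs are only reported or can still fail the run, and where that decision is now made.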
Expand Down Expand Up @@ -252,7 +251,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
9 changes: 4 additions & 5 deletions pipelines/docker-build-oci-ta/README.md
Expand Up @@ -150,12 +150,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -201,9 +200,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
### buildah-oci-ta:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url|
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
Expand Down Expand Up @@ -249,7 +248,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
9 changes: 4 additions & 5 deletions pipelines/docker-build-rhtap/README.md
Expand Up @@ -78,12 +78,11 @@
|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'|
|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'|
|skip-checks| Skip checks against built image| false| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -123,8 +122,8 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest ; acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest|
|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; rpms-signature-scan:0.1:image-url ; update-deployment:0.1:image|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest ; acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest|
|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; rpms-signature-scan:0.2:image-url ; update-deployment:0.1:image|
|SBOM_BLOB_URL| Link to the SBOM layer pushed to the registry as part of an OCI artifact.| |
### git-clone:0.1 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
Expand All @@ -137,7 +136,7 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|build| Defines if the image in param image-url should be built| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
9 changes: 4 additions & 5 deletions pipelines/docker-build/README.md
Expand Up @@ -145,12 +145,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -199,9 +198,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
### buildah:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url|
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
Expand Down Expand Up @@ -241,7 +240,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
9 changes: 4 additions & 5 deletions pipelines/fbc-builder/README.md
Expand Up @@ -115,12 +115,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|DOCKER_AUTH| unused, should be removed in next task version| | |
|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -157,9 +156,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
### buildah:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url|
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
Expand Down Expand Up @@ -193,7 +192,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|BASE_IMAGE| Base image source image is built from.| fbc-validate:0.1:BASE_IMAGE|
|BASE_IMAGE_REPOSITORY| Base image repository URL.| |
|TEST_OUTPUT| Tekton task test output.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
9 changes: 4 additions & 5 deletions pipelines/java-builder/README.md
Expand Up @@ -113,12 +113,11 @@
|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -213,7 +212,7 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
Expand All @@ -223,9 +222,9 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url|
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
### sast-snyk-check:0.2 task results
9 changes: 4 additions & 5 deletions pipelines/nodejs-builder/README.md
Expand Up @@ -113,12 +113,11 @@
|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -213,7 +212,7 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
Expand All @@ -223,9 +222,9 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url|
|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|
### sast-snyk-check:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
9 changes: 4 additions & 5 deletions pipelines/tekton-bundle-builder/README.md
Expand Up @@ -103,12 +103,11 @@
|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### rpms-signature-scan:0.1 task parameters
### rpms-signature-scan:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| |
|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
Expand Down Expand Up @@ -180,7 +179,7 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### rpms-signature-scan:0.1 task results
### rpms-signature-scan:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGES_PROCESSED| Images processed in the task.| |
Expand All @@ -193,9 +192,9 @@
### tkn-bundle:0.1 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest|
|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url|
|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|

## Workspaces
|name|description|optional|used in tasks
2 changes: 1 addition & 1 deletion pipelines/template-build/template-build.yaml
Expand Up @@ -274,7 +274,7 @@ spec:
- build-container
taskRef:
name: rpms-signature-scan
version: "0.1"
version: "0.2"
params:
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
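Review bot: The bump to `version: "0.2"` under `taskRef` is only safe if nothing in this task's `params:` list still passes `fail-unsigned`; the visible context shows only `image-url`, so please confirm the rest of the list. A leftover `fail-unsigned` entry would name a parameter that the 0.2 task no longer declares. The same check applies to any pipeline that overrides this task's params on top of the template.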
5 changes: 5 additions & 0 deletions task/rpms-signature-scan/0.2/MIGRATION.md
@@ -0,0 +1,5 @@
# Migration from 0.1 to 0.2
The parameter `fail-unsigned` used by `rpms-signature-scan` task was removed.

## Action from users
Remove the `fail-unsigned` parameter from the `rpms-signature-scan` task in your pipeline
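Review bot: The "Action from users" section tells users to delete `fail-unsigned` but not what replaces it. The 0.1 parameter was documented as "If true fail if unsigned RPMs were found", so pipelines that set it to `true` were failing builds on unsigned RPMs, and this note does not say whether that gate still exists in 0.2. Suggest adding a sentence on how 0.2 treats unsigned RPMs and where users who need a hard failure should enforce it. The last sentence is also missing its final period.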