Merge branch 'main' into sbom_json_check

konflux-ci · Apr 4, 2024 · 21b1a67 · 21b1a67
2 parents 3565342 + c000d54
commit 21b1a67
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 27 deletions.
diff --git a/.tekton/push.yaml b/.tekton/push.yaml
@@ -132,40 +132,25 @@ spec:
           steps:
             - name: build-bundles
               image: quay.io/redhat-appstudio/appstudio-utils:{{ revision }}
+              workingDir: $(workspaces.artifacts.path)/source
+              env:
+              - name: REVISION
+                value: "$(params.revision)"
+              - name: GIT_URL
+                value: "$(params.git-url)"
               # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
               # the cluster will set imagePullPolicy to IfNotPresent
               # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
               script: |-
                 #!/usr/bin/env bash
-                set -euo pipefail
 
-                BUNDLES=(
+                export BUNDLES=(
                   $(workspaces.artifacts.path)/source/task-bundle-list
                   $(workspaces.artifacts.path)/source/pipeline-bundle-list
                 )
-                touch ${BUNDLES[@]}
-                echo "Bundles to be added:"
-                cat ${BUNDLES[@]}
-                BUNDLES_PARAM=($(cat ${BUNDLES[@]} | awk '{ print "--bundle=" $0 }'))
-
-                # The OPA data bundle is tagged with the current timestamp. This has two main
-                # advantages. First, it prevents the image from accidentally not having any tags,
-                # and getting garbage collected. Second, it helps us create a timeline of the
-                # changes done to the data over time.
-                TAG="$(date '+%s')"
-                DATA_BUNDLE_REPO='quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles'
 
-                # Update the OPA data bundle.
-                ec track bundle --debug \
-                  --input "oci:${DATA_BUNDLE_REPO}:latest" \
-                  --output "oci:${DATA_BUNDLE_REPO}:${TAG}" \
-                  --timeout "15m0s" \
-                  --freshen \
-                  --prune \
-                  ${BUNDLES_PARAM[@]}
+                .tekton/scripts/build-acceptable-bundles.sh
 
-                # To facilitate usage in some contexts, tag the image with the floating "latest" tag.
-                skopeo copy "docker://${DATA_BUNDLE_REPO}:${TAG}" "docker://${DATA_BUNDLE_REPO}:latest"
               volumeMounts:
                 - mountPath: /root/.docker/config.json
                   subPath: .dockerconfigjson

diff --git a/.tekton/scripts/build-acceptable-bundles.sh b/.tekton/scripts/build-acceptable-bundles.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# helps with debugging
+DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles}"
+BUNDLES=${BUNDLES:-()}
+
+# store a list of changed task files
+task_records=()
+# loop over all changed files
+for path in $(git diff-tree -c --name-only --no-commit-id -r ${REVISION}); do
+    # check that the file modified is the task file
+    if [[ "${path}" == task/*/*/*.yaml ]]; then
+    IFS='/' read -r -a path_array <<< "${path}"
+    dir_name_after_task="${path_array[1]}"
+    file_name=$(basename "${path_array[-1]}" ".yaml")
+
+    if [[ "${dir_name_after_task}" == "${file_name}" ]]; then
+        # GIT_URL is the repo_url from PAC (https://hostname/org/repo)
+        task_records+=("git+${GIT_URL}.git//${path}@${REVISION}")
+    fi
+    fi
+done
+
+echo "${task_records[@]}"
+
+touch ${BUNDLES[@]}
+echo "Bundles to be added:"
+cat ${BUNDLES[@]}
+
+# The OPA data bundle is tagged with the current timestamp. This has two main
+# advantages. First, it prevents the image from accidentally not having any tags,
+# and getting garbage collected. Second, it helps us create a timeline of the
+# changes done to the data over time.
+TAG="$(date '+%s')"
+
+# task_records can be empty if a task wasn't changed
+TASK_PARAM=()
+if [ "${#task_records[@]}" -gt 0 ]; then
+    TASK_PARAM=($(printf "%s\n" "${task_records[@]}" | awk '{ print "--git=" $0 }'))
+fi
+
+BUNDLES_PARAM=($(cat ${BUNDLES[@]} | awk '{ print "--bundle=" $0 }'))
+
+PARAMS=("${TASK_PARAM[@]}" "${BUNDLES_PARAM[@]}")
+ec track bundle --debug \
+    --input "oci:${DATA_BUNDLE_REPO}:latest" \
+    --output "oci:${DATA_BUNDLE_REPO}:${TAG}" \
+    --timeout "15m0s" \
+    --freshen \
+    --prune \
+    ${PARAMS[@]}
+
+# To facilitate usage in some contexts, tag the image with the floating "latest" tag.
+skopeo copy "docker://${DATA_BUNDLE_REPO}:${TAG}" "docker://${DATA_BUNDLE_REPO}:latest"
diff --git a/hack/build-and-push.sh b/hack/build-and-push.sh
@@ -116,17 +116,17 @@ do
     repository=${TEST_REPO_NAME:-task-${task_name}}
     tag=${TEST_REPO_NAME:+${task_name}-}${task_version}
     task_bundle=quay.io/$MY_QUAY_USER/${repository}:${tag}
-    digest=$(curl -s https://quay.io/api/v1/repository/$MY_QUAY_USER/$repository/tag/?specificTag=${tag}-${task_file_sha} | yq '.tags[0].manifest_digest')
-    if [ "$digest" == "null" ]; then
+
+    if digest=$(skopeo inspect --no-tags --format='{{.Digest}}' docker://"${task_bundle}-${task_file_sha}" 2>/dev/null); then
+      task_bundle_with_digest=${task_bundle}@${digest}
+    else
       output=$(tkn_bundle_push -f "$prepared_task_file" "$task_bundle" | save_ref "$task_bundle" "$OUTPUT_TASK_BUNDLE_LIST")
       echo "$output"
       task_bundle_with_digest="${output##*$'\n'}"
 
       # copy task to new tag pointing to commit where the file was changed lastly, so that image persists
       # even when original tag is updated
       skopeo copy "docker://${task_bundle}" "docker://${task_bundle}-${task_file_sha}"
-    else
-      task_bundle_with_digest=${task_bundle}@${digest}
     fi
     # version placeholder is removed naturally by the substitution.
     real_task_name=$(yq e '.metadata.name' "$prepared_task_file")

diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -294,6 +294,9 @@ spec:
         fi
       done
 
+      # Needed to generate base images SBOM
+      echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
       buildah push "$IMAGE" oci:rhtap-final-image
       REMOTESSHEOF
       chmod +x scripts/script-build.sh
@@ -434,6 +437,17 @@ spec:
     securityContext:
       runAsUser: 0
     workingDir: $(workspaces.source.path)
+  - computeResources: {}
+    env:
+    - name: BASE_IMAGES_DIGESTS_PATH
+      value: $(results.BASE_IMAGES_DIGESTS.path)
+    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
+    name: create-base-images-sbom
+    script: |
+      python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
+    securityContext:
+      runAsUser: 0
+    workingDir: $(workspaces.source.path)
   - computeResources: {}
     image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     name: inject-sbom-and-push

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -245,6 +245,9 @@ spec:
         fi
       done
 
+      # Needed to generate base images SBOM
+      echo "$BASE_IMAGES" > /workspace/base_images_from_dockerfile
+
     securityContext:
       capabilities:
         add:
@@ -350,6 +353,17 @@ spec:
     securityContext:
       runAsUser: 0
 
+  - name: create-base-images-sbom
+    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
+    env:
+    - name: BASE_IMAGES_DIGESTS_PATH
+      value: $(results.BASE_IMAGES_DIGESTS.path)
+    script: |
+      python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=/workspace/base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
+    workingDir: $(workspaces.source.path)
+    securityContext:
+      runAsUser: 0
+
   - name: inject-sbom-and-push
     image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     computeResources: {}

diff --git a/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
@@ -1,4 +1,11 @@
 ---
+# IMPORTANT: This Task definition exists in this repository as a means to facilitate integration
+# with RHTAP. It is NOT meant to be used in Konflux. If you are debugging EC failures in Konflux,
+# this is NOT the file you are looking for. Do NOT directly modify this file. Any change should
+# first be done in the https://github.com/enterprise-contract/ec-cli repository then synced to this
+# repository. Any pull request that modifies anything other than this comment in this file and is
+# not a sync from the ec-cli repository will be immediately closed. See
+# https://github.com/enterprise-contract/ec-cli/blob/main/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
 apiVersion: tekton.dev/v1
 kind: Task
 metadata: