From 636be69616d0366fdeecaf6f5ad75c3555e6bc15 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Sun, 28 Jul 2024 08:47:53 -0400 Subject: [PATCH 1/5] Add S3 bucket authentication to oci-copy --- task/oci-copy/0.1/README.md | 1 + task/oci-copy/0.1/oci-copy.yaml | 57 ++++++++++++++++++++++++++++----- 2 files changed, 50 insertions(+), 8 deletions(-) diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index ce8b1cef73..51daee2400 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md @@ -14,6 +14,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |IMAGE|Reference of the image buildah will produce.||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false| ## Results diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index d6e27d5ea5..979502dd71 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -25,6 +25,12 @@ spec: different taskruns and therefore different oci artifacts must be used. type: string default: "does-not-exist" + - name: AWS_SECRET_NAME + description: >- + Name of a secret which will be made available to the build to construct Authorization headers for requests to + Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. + type: string + default: "does-not-exist" results: - description: Digest of the artifact just pushed name: IMAGE_DIGEST @@ -47,6 +53,7 @@ spec: - name: prepare image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430 script: | + #!/bin/bash set -eu set -o pipefail 
@@ -89,17 +96,47 @@ spec: name: $(params.BEARER_TOKEN_SECRET_NAME) key: token optional: true + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: $(params.AWS_SECRET_NAME) + key: aws_access_key_id + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: $(params.AWS_SECRET_NAME) + key: aws_secret_access_key + optional: true script: | + #!/bin/bash set -e set -o pipefail - CURL_ARGS=() - if [ -n "${BEARER_TOKEN}" ]; then - echo "Found bearer token. Using it for authentication." - CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}") - else - echo "Proceeding with anonymous requests" - fi + download() { + url="$1" + file="$2" + method="GET" + + curl_args=(--fail --silent --show-error) + if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then + echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + path=$(echo "$url" | cut -d/ -f4-) + echo "Bucket path is $path" + date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" + printf -v string_to_sign "%s\n\n\n%s\n%s" "$method" "$date" "/$path" + echo "String to sign is $string_to_sign" + signature=$(echo -n "$string_to_sign" | openssl dgst -sha1 -binary -hmac "${AWS_SECRET_ACCESS_KEY}" | openssl base64) + authorization="AWS ${AWS_ACCESS_KEY_ID}:${signature}" + curl "${curl_args[@]}" -H "Date: ${date}" -H "Authorization: ${authorization}" --location "$url" -o "$file" + elif [ -n "${BEARER_TOKEN}" ]; then + echo "Found bearer token. Using it for authentication." + curl "${curl_args[@]}" -H "Authorization: Bearer ${BEARER_TOKEN}" --location "$url" -o "$file" + else + echo "Proceeding with anonymous requests" + curl "${curl_args[@]}" --location "$url" -o "$file" + fi + } set -u @@ -139,6 +176,7 @@ spec: for varfile in /var/workdir/vars/*; do echo echo "Reading $varfile" + # shellcheck source=/dev/null source $varfile echo "Checking to see if blob $OCI_ARTIFACT_DIGEST exists" 
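Review bot: The `[ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]` test inside download() is evaluated under `set -u`, which the script turns on right after the function definition and before the loop that calls it; the bearer-token check this hunk removes ran before `set -u` for exactly that reason. Both variables come from `optional: true` secretKeyRefs, so with the default `does-not-exist` secret they are presumably unset rather than empty (Kubernetes omits an env entry whose optional ref does not resolve), and every download would then abort with an unbound-variable error — the same applies to `${BEARER_TOKEN}` in the elif. Default the expansions instead: `if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then` and `elif [ -n "${BEARER_TOKEN:-}" ]; then`. Two smaller things on the signing lines: the canonical resource is only what follows the host (`cut -d/ -f4-`), so virtual-hosted-style URLs (`https://bucket.s3.amazonaws.com/key`), whose v2 string-to-sign must begin with `/bucket`, will not authenticate and the path-style-only assumption deserves a comment there; and `%e` space-pads single-digit days where the HTTP-date format wants two digits (`%d`). The step's script continues beyond the hunk, so the caller side of download() is not visible here.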
@@ -147,7 +185,7 @@ spec: else echo "Blob for ${OCI_FILENAME} does not yet exist in the registry at ${REPO}@sha256:${OCI_ARTIFACT_DIGEST}." echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl "${CURL_ARGS[@]}" --fail --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + download "$OCI_SOURCE" "$OCI_FILENAME" echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check @@ -188,6 +226,7 @@ spec: - name: sbom-generate image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430 script: | + #!/bin/bash cat >sbom-cyclonedx.json < Date: Sun, 28 Jul 2024 09:41:43 -0400 Subject: [PATCH 2/5] chore: ./hack/generate-ta-tasks.sh --- task/oci-copy-oci-ta/0.1/README.md | 1 + task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 57 ++++++++++++++++--- 2 files changed, 50 insertions(+), 8 deletions(-) diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 65162767f5..15e9b788a8 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -5,6 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in ## Parameters |name|description|default value|required| |---|---|---|---| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| 
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index f07ca37760..77d79427c7 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -13,6 +13,12 @@ spec: description: Given a file in the user's source directory, copy content from arbitrary urls into the OCI registry. params: + - name: AWS_SECRET_NAME + description: Name of a secret which will be made available to the build + to construct Authorization headers for requests to Amazon S3. If specified, + this will take precedence over BEARER_TOKEN_SECRET_NAME. + type: string + default: does-not-exist - name: BEARER_TOKEN_SECRET_NAME description: Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers @@ -69,6 +75,7 @@ spec: image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430 workingDir: /var/workdir script: | + #!/bin/bash set -eu set -o pipefail 
@@ -104,17 +111,47 @@ spec: key: token name: $(params.BEARER_TOKEN_SECRET_NAME) optional: true + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: aws_access_key_id + name: $(params.AWS_SECRET_NAME) + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: aws_secret_access_key + name: $(params.AWS_SECRET_NAME) + optional: true script: | + #!/bin/bash set -e set -o pipefail - CURL_ARGS=() - if [ -n "${BEARER_TOKEN}" ]; then - echo "Found bearer token. Using it for authentication." - CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}") - else - echo "Proceeding with anonymous requests" - fi + download() { + url="$1" + file="$2" + method="GET" + + curl_args=(--fail --silent --show-error) + if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then + echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + path=$(echo "$url" | cut -d/ -f4-) + echo "Bucket path is $path" + date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" + printf -v string_to_sign "%s\n\n\n%s\n%s" "$method" "$date" "/$path" + echo "String to sign is $string_to_sign" + signature=$(echo -n "$string_to_sign" | openssl dgst -sha1 -binary -hmac "${AWS_SECRET_ACCESS_KEY}" | openssl base64) + authorization="AWS ${AWS_ACCESS_KEY_ID}:${signature}" + curl "${curl_args[@]}" -H "Date: ${date}" -H "Authorization: ${authorization}" --location "$url" -o "$file" + elif [ -n "${BEARER_TOKEN}" ]; then + echo "Found bearer token. Using it for authentication." + curl "${curl_args[@]}" -H "Authorization: Bearer ${BEARER_TOKEN}" --location "$url" -o "$file" + else + echo "Proceeding with anonymous requests" + curl "${curl_args[@]}" --location "$url" -o "$file" + fi + } set -u @@ -154,6 +191,7 @@ spec: for varfile in /var/workdir/vars/*; do echo echo "Reading $varfile" + # shellcheck source=/dev/null source $varfile echo "Checking to see if blob $OCI_ARTIFACT_DIGEST exists" 
@@ -162,7 +200,7 @@ spec: else echo "Blob for ${OCI_FILENAME} does not yet exist in the registry at ${REPO}@sha256:${OCI_ARTIFACT_DIGEST}." echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl "${CURL_ARGS[@]}" --fail --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + download "$OCI_SOURCE" "$OCI_FILENAME" echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check @@ -210,6 +248,7 @@ spec: image: quay.io/konflux-ci/yq:latest@sha256:974dea6375ee9df561ffd3baf994db2b61777a71f3bcf0050c5dca91ac9b3430 workingDir: /var/workdir script: | + #!/bin/bash cat >sbom-cyclonedx.json < Date: Mon, 29 Jul 2024 08:37:34 -0400 Subject: [PATCH 3/5] Document more details of aws auth --- task/oci-copy-oci-ta/0.1/README.md | 2 +- task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 9 ++++++--- task/oci-copy/0.1/README.md | 5 ++--- task/oci-copy/0.1/oci-copy.yaml | 5 ++++- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 15e9b788a8..efbb6cc53c 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md 
@@ -5,7 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in ## Parameters |name|description|default value|required| |---|---|---|---| -|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 77d79427c7..b651ee6263 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
@@ -14,9 +14,11 @@ spec: arbitrary urls into the OCI registry. params: - name: AWS_SECRET_NAME - description: Name of a secret which will be made available to the build - to construct Authorization headers for requests to Amazon S3. If specified, - this will take precedence over BEARER_TOKEN_SECRET_NAME. + description: 'Name of a secret which will be made available to the build + to construct Authorization headers for requests to Amazon S3 using + https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. + If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. + The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.' type: string default: does-not-exist - name: BEARER_TOKEN_SECRET_NAME @@ -136,6 +138,7 @@ spec: curl_args=(--fail --silent --show-error) if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html path=$(echo "$url" | cut -d/ -f4-) echo "Bucket path is $path" date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 51daee2400..d683c579d6 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
@@ -13,9 +13,8 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |---|---|---|---| |IMAGE|Reference of the image buildah will produce.||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| -|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false| -|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false| - +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false| ## Results |name|description| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 979502dd71..50ee4210db 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -28,7 +28,9 @@ spec: - name: AWS_SECRET_NAME description: >- Name of a secret which will be made available to the build to construct Authorization headers for requests to - Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. + Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. + If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: + `aws_access_key_id` and `aws_secret_access_key`. type: string default: "does-not-exist" results: @@ -121,6 +123,7 @@ spec: curl_args=(--fail --silent --show-error) if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html path=$(echo "$url" | cut -d/ -f4-) echo "Bucket path is $path" date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" From 36de6e13109be8f01a0c21dad1edff2cbe473524 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 29 Jul 2024 08:38:02 -0400 Subject: [PATCH 4/5] Regenerate readme from task for oci-copy task --- task/oci-copy/0.1/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index d683c579d6..d560ed4f87 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
@@ -11,7 +11,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste ## Parameters |name|description|default value|required| |---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| |AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false| @@ -19,8 +19,8 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste ## Results |name|description| |---|---| -|IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| |IMAGE_REF|Image reference of the built image| From e3b8dd4fc9c45c50079d4b3159708a8514bee53c Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 29 Jul 2024 11:18:24 -0400 Subject: [PATCH 5/5] Fix docs and comments regarding aws auth version --- task/oci-copy-oci-ta/0.1/README.md | 2 +- task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 8 +++++--- task/oci-copy/0.1/README.md | 2 +- task/oci-copy/0.1/oci-copy.yaml | 8 +++++--- 4 files changed, 12 insertions(+), 8 deletions(-) 
diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index efbb6cc53c..48eba0f77b 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -5,7 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in ## Parameters |name|description|default value|required| |---|---|---|---| -|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. In the future, this will be reimplemented to use v4 auth: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.|does-not-exist|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index b651ee6263..54e11da4fb 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -16,9 +16,10 @@ spec: - name: AWS_SECRET_NAME description: 'Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using - https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. + v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. - The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.' + The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. + In the future, this will be reimplemented to use v4 auth: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.' type: string default: does-not-exist - name: BEARER_TOKEN_SECRET_NAME @@ -138,7 +139,8 @@ spec: curl_args=(--fail --silent --show-error) if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" - # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html + # This implements v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. + # TODO - port to v4 auth https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html path=$(echo "$url" | cut -d/ -f4-) echo "Bucket path is $path" date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index d560ed4f87..5c978941fb 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
@@ -14,7 +14,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| -|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`.|does-not-exist|false| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3 using v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. In the future, this will be reimplemented to use v4 auth: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html.|does-not-exist|false| ## Results |name|description| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 50ee4210db..4c6cb4675b 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -28,9 +28,10 @@ spec: - name: AWS_SECRET_NAME description: >- Name of a secret which will be made available to the build to construct Authorization headers for requests to - Amazon S3 using https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. + Amazon S3 using v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. The secret must contain two keys: - `aws_access_key_id` and `aws_secret_access_key`. + `aws_access_key_id` and `aws_secret_access_key`. In the future, this will be reimplemented to use v4 auth: + https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html. type: string default: "does-not-exist" results: @@ -123,7 +124,8 @@ spec: curl_args=(--fail --silent --show-error) if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" - # This implements https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html + # This implements v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html. + # TODO - port to v4 auth https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html path=$(echo "$url" | cut -d/ -f4-) echo "Bucket path is $path" date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"
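Review bot: The reworded description still says the AWS secret "takes precedence over BEARER_TOKEN_SECRET_NAME" without saying what that means for the user: once both keys are present, download() takes the S3 branch for every URL, so the access key id and a v2 signature are sent to every server listed in oci-copy.yaml — the same caveat the README already gives for the bearer token — and the bearer token is never used. Suggest appending to the description: `Note, when this secret is present the S3-signed request (access key id and signature) is sent to all servers found in the oci-copy.yaml file, and BEARER_TOKEN_SECRET_NAME is ignored.` The v2 note would also be more useful as a stated limitation than only a future plan: as I recall AWS has deprecated Signature Version 2 and newer regions and recently created buckets accept only SigV4, so users targeting those should expect authentication failures until the TODO in the script is done. The parameter list this hunk edits continues outside the hunk.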