Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Refers to CVP-4333. This task uses the check-payload tool to verify if an operator bundle image is FIPS compliant.It utilizes Tekton stepAction because the code will be reused for checking FBC fragments in the fbc-validation check. Signed-off-by: Yashvardhan Nanavati <[email protected]>
- Loading branch information
1 parent
8842690
commit a0b086c
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| ## fips-operator-check-step-action | ||
|
|
||
| This stepAction scans relatedImages of operator bundle image builds for FIPS compliance using the check-payload tool. | ||
| * The relatedImages are expected to be in a file located at `/tekton/home/unique_related_images.txt`. | ||
| * If the check-payload scan is desired to be run with the built-in exception list, the target OCP version (`v4.x`) should be in a file located at `/tekton/home/target_ocp_version.txt`. | ||
| * It also supports replacing relatedImages pullspecs with their first mirror. In order to use that, a mapping like {"source_registry_and_repo": ["mirror_registry_and_repo"]} should be stored in a file located at `/tekton/home/related-images-map.txt` | ||
|
|
||
| ## Results: | ||
|
|
||
| | name | description | | ||
| |--------------------|--------------------------------------| | ||
| | TEST_OUTPUT | Tekton task test output. | | ||
|
|
||
|
|
||
| ## Additional links: | ||
| https://github.com/openshift/check-payload |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,144 @@ | ||
| --- | ||
| apiVersion: tekton.dev/v1beta1 | ||
| kind: StepAction | ||
| metadata: | ||
| labels: | ||
| app.kubernetes.io/version: "0.1" | ||
| annotations: | ||
| tekton.dev/pipelines.minVersion: "0.12.1" | ||
| tekton.dev/tags: "konflux" | ||
| name: fips-operator-check-step-action | ||
| spec: | ||
| description: >- | ||
| This stepAction scans relatedImages of operator bundle image builds for FIPS compliance using the check-payload tool. | ||
| results: | ||
| - name: TEST_OUTPUT | ||
| description: Tekton task test output. | ||
| image: quay.io/yashn/konflux-test-yashn:latest-amd64-dec17 | ||
| securityContext: | ||
| capabilities: | ||
| add: | ||
| - SETFCAP | ||
| script: | | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
| # shellcheck source=/dev/null | ||
| . /utils.sh | ||
| success_counter=0 | ||
| warnings_counter=0 | ||
| error_counter=0 | ||
| failure_counter=0 | ||
| if [ ! -e "/tekton/home/unique_related_images.txt" ]; then | ||
| echo "No relatedImages to process" | ||
| exit 0 | ||
| fi | ||
| related_images=$(cat /tekton/home/unique_related_images.txt) | ||
| echo "Related images are : ${related_images}" | ||
| # If target OCP version is found, use it to apply the exception list when running check-payload | ||
| check_payload_version="" | ||
| if [ -f "/tekton/home/target_ocp_version.txt" ]; then | ||
| version=$(cat "/tekton/home/target_ocp_version.txt") | ||
| check_payload_version="-V=${version}" | ||
| echo "Target OCP version found: ${check_payload_version}" | ||
| fi | ||
| # Check if an image to mirror map is defined for unreleased images | ||
| image_mirror_map="" | ||
| if [ -f "/tekton/home/related-images-map.txt" ]; then | ||
| image_mirror_map=$(cat "/tekton/home/related-images-map.txt") | ||
| echo "Image Mirror Map found: ${image_mirror_map}" | ||
| fi | ||
| for related_image in ${related_images}; do | ||
| echo "Processing related image : ${related_image}" | ||
| # Replace original pullspec with mirror, if present | ||
| if [ -n "${image_mirror_map}" ]; then | ||
| reg_and_repo=$(echo "${related_image}" | sed -E 's/^([^:@]+).*$/\1/') | ||
| first_mirror=$(echo "$image_mirror_map" | jq -r --arg image "$reg_and_repo" '.[$image][0]') | ||
| echo "${reg_and_repo} and ${first_mirror}" | ||
| if [ "$first_mirror" != "null" ]; then | ||
| replaced_image=$(replace_image_pullspec "$related_image" "$first_mirror") | ||
| echo "Replacing $related_image with $replaced_image" | ||
| related_image="$replaced_image" | ||
| fi | ||
| fi | ||
| if ! image_labels=$(get_image_labels "${related_image}"); then | ||
| echo "Error: Could not inspect image ${related_image} for labels" | ||
| error_counter=$((error_counter + 1)) | ||
| continue | ||
| fi | ||
| component_label=$(echo "${image_labels}" | grep 'com.redhat.component=' | cut -d= -f2 || true) | ||
| echo "Component label is ${component_label}" | ||
| if [ -z "${component_label}" ]; then | ||
| echo "Error: Could not get com.redhat.component label for ${related_image}" | ||
| error_counter=$((error_counter + 1)) | ||
| continue | ||
| fi | ||
| # Convert image to OCI format since umoci can only handle the OCI format | ||
| if ! skopeo copy --remove-signatures "docker://${related_image}" "oci:///tekton/home/${component_label}:latest"; then | ||
| echo "Error: Could not convert image ${related_image} to OCI format" | ||
| error_counter=$((error_counter + 1)) | ||
| continue | ||
| fi | ||
| # Unpack OCI image | ||
| if ! umoci raw unpack --rootless \ | ||
| --image "/tekton/home/${component_label}:latest" \ | ||
| "/tekton/home/unpacked-${component_label}"; then | ||
| echo "Error: Could not unpack OCI image ${related_image}" | ||
| error_counter=$((error_counter + 1)) | ||
| continue | ||
| fi | ||
| # Run check-payload on the unpacked image | ||
| # The check-payload command fails with exit 1 when the scan for an image is unsuccessful | ||
| # or when the image is not FIPS compliant. Hence, count those as failures and not errors | ||
| if ! check-payload scan local \ | ||
| --path="/tekton/home/unpacked-${component_label}" \ | ||
| "${check_payload_version}" \ | ||
| --components="${component_label}" \ | ||
| --output-format=csv \ | ||
| --output-file="/tekton/home/report-${component_label}.csv"; then | ||
| echo "check-payload scan failed for ${related_image}" | ||
| failure_counter=$((failure_counter + 1)) | ||
| continue | ||
| fi | ||
| if [ -f "/tekton/home/report-${component_label}.csv" ]; then | ||
| if grep -q -- "---- Successful run" "/tekton/home/report-${component_label}.csv"; then | ||
| echo "check-payload scan was successful for ${related_image}" | ||
| success_counter=$((success_counter + 1)) | ||
| elif grep -q -- "---- Successful run with warnings" "/tekton/home/report-${component_label}.csv"; then | ||
| echo "check-payload scan was successful with warnings for ${related_image}" | ||
| warnings_counter=$((warnings_counter + 1)) | ||
| fi | ||
| fi | ||
| done | ||
| note="Task $(context.task.name) failed: Some images could not be scanned. For details, check Tekton task log." | ||
| ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") | ||
| note="Task $(context.task.name) completed: Check result for task result." | ||
| if [[ "$error_counter" == 0 ]]; | ||
| then | ||
| if [[ "${failure_counter}" -gt 0 ]]; then | ||
| RES="FAILURE" | ||
| elif [[ "${warnings_counter}" -gt 0 ]]; then | ||
| RES="WARNING" | ||
| else | ||
| RES="SUCCESS" | ||
| fi | ||
| TEST_OUTPUT=$(make_result_json \ | ||
| -r "${RES}" \ | ||
| -s "${success_counter}" -f "${failure_counter}" -w "${warnings_counter}" -t "$note") | ||
| fi | ||
| echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(step.results.TEST_OUTPUT.path)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # fips-operator-bundle-check-oci-ta task | ||
|
|
||
| ## Description: | ||
| The fips-operator-bundle-check-oci-ta task uses the check-payload tool to verify if an operator bundle image is FIPS compliant. | ||
| It only scans operator bundle images which either claim to be FIPS compliant by setting the `features.operators.openshift.io/fips-compliant` | ||
| label to `"true"` on the bundle image or require one of `OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform` | ||
| subscriptions to run the operator on an Openshift cluster. | ||
|
|
||
| This task extracts relatedImages from the operator bundle image and scans them. Hence, it is necessary for relatedImages pullspecs to be | ||
| pullable at build time. In order to resolve them, this task expects a `imageDigestMirrorSet` file located at `.tekton/related-images-mirror-set.yaml` of your operator bundle git repo. It should map unreleased `registry.redhat.io` pullspecs, to their valid `quay.io` pullspecs. Here's an example of how the file should look like | ||
|
|
||
| ``` | ||
| --- | ||
| apiVersion: operator.openshift.io/v1alpha1 | ||
| kind: ImageDigestMirrorSet | ||
| metadata: | ||
| name: example-mirror-set | ||
| spec: | ||
| imageDigestMirrors: | ||
| - mirrors: | ||
| - quay.io/my-namespace/valid-repo | ||
| source: registry.redhat.io/gatekeeper/gatekeeper | ||
| ``` | ||
|
|
||
| ## Params: | ||
|
|
||
| | name | description | default | | ||
| |--------------------------|------------------------------------------------------------------------|---------------| | ||
| | image-digest | Image digest to scan. | None | | ||
| | image-url | Image URL. | None | | ||
| | SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with | None | | ||
| | | the application source code. | | | ||
|
|
||
| ## Results: | ||
|
|
||
| | name | description | | ||
| |--------------------|------------------------------| | ||
| | TEST_OUTPUT | Tekton task test output. | | ||
| | IMAGES_PROCESSED | Images processed in the task.| | ||
|
|
||
|
|
||
| ## Additional links: | ||
| https://github.com/openshift/check-payload | ||
| https://docs.openshift.com/container-platform/4.16/rest_api/config_apis/imagedigestmirrorset-config-openshift-io-v1.html | ||
Oops, something went wrong.