Add EC checks for StepActions

[lcarva]

Ref: https://issues.redhat.com/browse/EC-1010

Before you complete this pull request ...

Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.

[lcarva]

Draft until enterprise-contract/ec-policies#1232 is merged.

[tnevrlka]

/retest

[chmeliik]

/tekton/scripts/script-3-swb4p: line 11: find: command not found
[DEBUG] Files parameter: 
Error: required flag(s) "file" not set

The ec-cli image doesn't have find, so something like Zoran's suggestion will be needed

[lcarva]

Extra changes needed to make checkton happy.

[lcarva]

/retest

Trying to pull registry.access.redhat.com/ubi9/ubi:latest...
error creating build container: Source image rejected: Error reading signature from https://access.redhat.com/webassets/docker/content/sigstore/ubi9/ubi@sha256=9ac75c1a392429b4a087971cdf9190ec42a854a169b6835bc9e25eecaf851258/signature-7: status 500 (Internal Server Error)
time="2024-11-27T16:28:41Z" level=error msg="exit status 125"

[lcarva]

/retest

[lcarva]

Hmm EC reporting a failure for stepactions-ec/0.1-eaas-get-ephemeral-cluster-credentials.yaml.

  - metadata:
      code: stepaction.image.accessible
    msg: Image ref "registry.redhat.io/openshift4/ose-cli@sha256:15da03b04318bcc842060b71e9dd6d6c2595edb4e8fdd11b0c6781eeb03ca182"
      is inaccessible

It requires authentication which we can't do from a PR. How important is the image accessible check? 🤔

UPDATE: Ah! Need a new version of the ec-clli that understands the "severity" result metadata.
UPDATE2: Nope. That's not it. (Got mislead by a local bogus version of EC I was hacking on.)

[lcarva]

There is a similar check for image accessibility for Task definitions which should be triggering a violation here (no secret to access that image from a pull request). But EC is currently passing due to a bug enterprise-contract/ec-policies#1237.

Not sure how to proceed here.

[lcarva]

Because the check happens in Konflux, there is probably a way to pipe the secrets to the ec-check Task.

[lcarva]

Ok. This seems to be sorted out now. Please have another looks 🙏

[lcarva]

This is needed so EC finds the authfile 🤷
And it also, for some reason, makes runAsUser required. Quite odd.

[chmeliik]

There is a similar check for image accessibility for Task definitions which should be triggering a violation here (no secret to access that image from a pull request). But EC is currently passing due to a bug enterprise-contract/ec-policies#1237.

Not sure how to proceed here.

Because the check happens in Konflux, there is probably a way to pipe the secrets to the ec-check Task.

Hmm, maybe we want it to fail. A while back, Gal went around changing all the images to publicly accessible ones for the community version of Konflux.

Maybe add an exception for this rule for now (for the specific tasks/stepactions if possible) and we should gradually move them away from using registry.redhat.io images

[zregvart]

LGTM, nitpickery inside

[zregvart]

Just by using bash this can be done like:

Suggested change

	while IFS= read -r -d '' f; do
	shopt -s globstar
	for f in stepactions/**/*.yaml; do

[lcarva]

There is a similar check for image accessibility for Task definitions which should be triggering a violation here (no secret to access that image from a pull request). But EC is currently passing due to a bug enterprise-contract/ec-policies#1237.
Not sure how to proceed here.

Because the check happens in Konflux, there is probably a way to pipe the secrets to the ec-check Task.

Hmm, maybe we want it to fail. A while back, Gal went around changing all the images to publicly accessible ones for the community version of Konflux.

Maybe add an exception for this rule for now (for the specific tasks/stepactions if possible) and we should gradually move them away from using registry.redhat.io images

The reason it was failing it's because EC wasn't seeing the registry auth file. That's fixed and things are working as expected.