From efc8413ad8a3db3a1d9d5a8a37f8a043fb2b2ce5 Mon Sep 17 00:00:00 2001
From: gbenhaim
Date: Sun, 14 Apr 2024 11:19:53 +0300
Subject: [PATCH] Configurable public key path for EC pipelines

Allow to mention the path to the public key in the enterprise-contract pipelines. This is needed when running on non OCP k8s cluster.

Signed-off-by: gbenhaim
---
 pipelines/enterprise-contract-everything.yaml | 9 ++++++++-
 pipelines/enterprise-contract-redhat-no-hermetic.yaml | 9 ++++++++-
 pipelines/enterprise-contract-redhat.yaml | 9 ++++++++-
 pipelines/enterprise-contract-slsa3.yaml | 9 ++++++++-
 pipelines/enterprise-contract.yaml | 9 ++++++++-
 5 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/pipelines/enterprise-contract-everything.yaml b/pipelines/enterprise-contract-everything.yaml
index 31b5ae8d67..55a4214eb4 100644
--- a/pipelines/enterprise-contract-everything.yaml
+++ b/pipelines/enterprise-contract-everything.yaml
@@ -39,6 +39,13 @@ spec:
 "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator.
 default: ""
+ - name: PUBLIC_KEY
+ type: string
+ default: "k8s://openshift-pipelines/public-key"
+ description: |
+ Public key used to verify signatures. Must be a valid k8s cosign
+ reference, e.g. k8s://my-space/my-secret where my-secret contains
+ the expected cosign.pub attribute.
 results:
 - name: TEST_OUTPUT
 value: "$(tasks.verify.results.TEST_OUTPUT)"
@@ -58,7 +65,7 @@ spec:
 - name: STRICT
 value: "true"
 - name: PUBLIC_KEY
- value: "k8s://openshift-pipelines/public-key"
+ value: "$(params.PUBLIC_KEY)"
 - name: IGNORE_REKOR
 value: "true"
 taskRef:
diff --git a/pipelines/enterprise-contract-redhat-no-hermetic.yaml b/pipelines/enterprise-contract-redhat-no-hermetic.yaml
index 0bc7072c57..6db0902fb4 100644
--- a/pipelines/enterprise-contract-redhat-no-hermetic.yaml
+++ b/pipelines/enterprise-contract-redhat-no-hermetic.yaml
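Review bot: The `+ - name: PUBLIC_KEY` parameter added in the first hunk of pipelines/enterprise-contract-everything.yaml, together with the `value: "$(params.PUBLIC_KEY)"` line that consumes it in the second hunk, turns the signature-verification trust anchor into a caller-supplied value; the same applies to the matching hunks in enterprise-contract-redhat-no-hermetic.yaml, enterprise-contract-redhat.yaml, enterprise-contract-slsa3.yaml and enterprise-contract.yaml. Whoever can create a PipelineRun with parameter overrides can now choose which key the verify task checks against, so the default no longer pins the key and the check is only as strong as the controls on that parameter. The description should state this, e.g. by adding `Overriding this value changes the trust anchor of the verification; restrict who may set it on PipelineRuns.`, and deployments that do not trust PipelineRun authors should pin the value (an admission policy, or a wrapping pipeline that hard-codes it) rather than rely on the default. Separately, the description requires a `k8s://` cosign reference while the commit message calls it a path; wording such as `Cosign key reference (k8s://<namespace>/<secret>) used to verify signatures.` keeps the two consistent.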
@@ -39,6 +39,13 @@ spec:
 "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator.
 default: ""
+ - name: PUBLIC_KEY
+ type: string
+ default: "k8s://openshift-pipelines/public-key"
+ description: |
+ Public key used to verify signatures. Must be a valid k8s cosign
+ reference, e.g. k8s://my-space/my-secret where my-secret contains
+ the expected cosign.pub attribute.
 results:
 - name: TEST_OUTPUT
 value: "$(tasks.verify.results.TEST_OUTPUT)"
@@ -58,7 +65,7 @@ spec:
 - name: STRICT
 value: "true"
 - name: PUBLIC_KEY
- value: "k8s://openshift-pipelines/public-key"
+ value: "$(params.PUBLIC_KEY)"
 - name: IGNORE_REKOR
 value: "true"
 taskRef:
diff --git a/pipelines/enterprise-contract-redhat.yaml b/pipelines/enterprise-contract-redhat.yaml
index 1812e64499..fed1714a42 100644
--- a/pipelines/enterprise-contract-redhat.yaml
+++ b/pipelines/enterprise-contract-redhat.yaml
@@ -39,6 +39,13 @@ spec:
 "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator.
 default: ""
+ - name: PUBLIC_KEY
+ type: string
+ default: "k8s://openshift-pipelines/public-key"
+ description: |
+ Public key used to verify signatures. Must be a valid k8s cosign
+ reference, e.g. k8s://my-space/my-secret where my-secret contains
+ the expected cosign.pub attribute.
 results:
 - name: TEST_OUTPUT
 value: "$(tasks.verify.results.TEST_OUTPUT)"
@@ -58,7 +65,7 @@ spec:
 - name: STRICT
 value: "true"
 - name: PUBLIC_KEY
- value: "k8s://openshift-pipelines/public-key"
+ value: "$(params.PUBLIC_KEY)"
 - name: IGNORE_REKOR
 value: "true"
 taskRef:
diff --git a/pipelines/enterprise-contract-slsa3.yaml b/pipelines/enterprise-contract-slsa3.yaml
index 2dde42307c..38e2b5ef08 100644
--- a/pipelines/enterprise-contract-slsa3.yaml
+++ b/pipelines/enterprise-contract-slsa3.yaml
@@ -39,6 +39,13 @@ spec:
 "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator.
 default: ""
+ - name: PUBLIC_KEY
+ type: string
+ default: "k8s://openshift-pipelines/public-key"
+ description: |
+ Public key used to verify signatures. Must be a valid k8s cosign
+ reference, e.g. k8s://my-space/my-secret where my-secret contains
+ the expected cosign.pub attribute.
 results:
 - name: TEST_OUTPUT
 value: "$(tasks.verify.results.TEST_OUTPUT)"
@@ -58,7 +65,7 @@ spec:
 - name: STRICT
 value: "true"
 - name: PUBLIC_KEY
- value: "k8s://openshift-pipelines/public-key"
+ value: "$(params.PUBLIC_KEY)"
 - name: IGNORE_REKOR
 value: "true"
 taskRef:
diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml
index 7b8990f688..6817c73f13 100644
--- a/pipelines/enterprise-contract.yaml
+++ b/pipelines/enterprise-contract.yaml
@@ -40,6 +40,13 @@ spec:
 "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator.
 default: ""
+ - name: PUBLIC_KEY
+ type: string
+ default: "k8s://openshift-pipelines/public-key"
+ description: |
+ Public key used to verify signatures. Must be a valid k8s cosign
+ reference, e.g. k8s://my-space/my-secret where my-secret contains
+ the expected cosign.pub attribute.
 results:
 - name: TEST_OUTPUT
 value: "$(tasks.verify.results.TEST_OUTPUT)"
@@ -59,7 +66,7 @@ spec:
 - name: STRICT
 value: "true"
 - name: PUBLIC_KEY
- value: "k8s://openshift-pipelines/public-key"
+ value: "$(params.PUBLIC_KEY)"
 - name: IGNORE_REKOR
 value: "true"
 taskRef: