fix(RELEASE-1083): linting issues in push-snapshot (#754)
Signed-off-by: Martin Malina <[email protected]>
mmalina authored Dec 19, 2024
1 parent 4feb12e commit 1a5b02e
Showing 12 changed files with 133 additions and 122 deletions.
3 changes: 3 additions & 0 deletions tasks/push-snapshot/README.md
Expand Up @@ -13,6 +13,9 @@ Tekton task to push snapshot images to an image registry using `cosign copy`.
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |

## Changes in 6.4.2
* Fix checkton/shellcheck linting issues

## Changes in 6.4.1
* Bump release-service-utils image
* The updated image will fail if skopeo inspect fails
61 changes: 33 additions & 28 deletions tasks/push-snapshot/push-snapshot.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: push-snapshot
labels:
app.kubernetes.io/version: "6.4.1"
app.kubernetes.io/version: "6.4.2"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -43,7 +43,7 @@ spec:
#!/usr/bin/env bash
set -eux
push_image () { # Expected arguments are [origin_digest, name, containerImage, repository, tag, arch, oras_args]
push_image () { # Expected arguments are [origin_digest, name, containerImage, repository, tag, platform]
# note: Inspection might fail on empty repos, hence `|| true`
# oras has very limited support for selecting the right auth entry,
Expand All @@ -53,8 +53,12 @@ spec:
select-oci-auth "$4" | jq -c \
'.auths."'"$4"'" = .auths."'"$registry"'" | del(.auths."'"$registry"'")' > "$DEST_AUTH_FILE"
# We need this default value for $7 when oras_args is equal to ()
destination_digest=$(oras resolve --registry-config "$DEST_AUTH_FILE" ${7:-} "$4:$5" || true)
oras_args=()
if [ -n "$6" ]; then
oras_args=(--platform "$6")
fi
destination_digest=$(oras resolve --registry-config "$DEST_AUTH_FILE" "${oras_args[@]}" "$4:$5" || true)
if [[ "$destination_digest" != "$1" || -z "$destination_digest" ]]; then
printf '* Pushing component: %s to %s:%s\n' "$2" "$4" "$5"
Expand Down Expand Up @@ -96,28 +100,28 @@ spec:
exit 1
fi
if [ $(jq '.components | map(select((has("tags")|not) or (.tags | IN([])))) | length' \
"${SNAPSHOT_SPEC_FILE}") -ne 0 ] ; then
if [ "$(jq '.components | map(select((has("tags")|not) or (.tags | IN([])))) | length' \
"${SNAPSHOT_SPEC_FILE}")" -ne 0 ] ; then
echo "Found components in the snapshot file that do not contain tags. Failing"
cat "${SNAPSHOT_SPEC_FILE}"
exit 1
fi
RESULTS_FILE="$(workspaces.data.path)/$(params.resultsDirPath)/push-snapshot-results.json"
RESULTS_JSON='{"images":[]}'
RESULTS_JSON="{\"images\":[]}"
SOURCE_AUTH_FILE=$(mktemp)
defaultPushSourceContainer=$(jq -r '.mapping.defaults.pushSourceContainer' $DATA_FILE)
defaultPushSourceContainer=$(jq -r '.mapping.defaults.pushSourceContainer' "$DATA_FILE")
application=$(jq -r '.application' "${SNAPSHOT_SPEC_FILE}")
NUM_COMPONENTS=$(jq '.components | length' "${SNAPSHOT_SPEC_FILE}")
printf 'Beginning "%s" for "%s"\n\n' "$(context.task.name)" "$application"
for ((i = 0; i < $NUM_COMPONENTS; i++))
for ((i = 0; i < NUM_COMPONENTS; i++))
do
component=$(jq -c --argjson i "$i" '.components[$i]' "${SNAPSHOT_SPEC_FILE}")
containerImage=$(jq -r '.containerImage' <<< $component)
repository=$(jq -r '.repository' <<< $component)
imageTags=$(jq '.tags' <<< $component)
containerImage=$(jq -r '.containerImage' <<< "$component")
repository=$(jq -r '.repository' <<< "$component")
imageTags=$(jq '.tags' <<< "$component")
# oras has very limited support for selecting the right auth entry,
# so create a custom auth file with just one entry.
Expand All @@ -128,19 +132,20 @@ spec:
'.auths."'"$source_repo"'" = .auths."'"$registry"'" | del(.auths."'"$registry"'")' > "$SOURCE_AUTH_FILE"
arch_json=$(get-image-architectures "${containerImage}")
arches=$(jq -s 'map(.platform.architecture)' <<< $arch_json)
oses=$(jq -s 'map(.platform.os)' <<< $arch_json)
arches=$(jq -s 'map(.platform.architecture)' <<< "$arch_json")
oses=$(jq -s 'map(.platform.os)' <<< "$arch_json")
# Just read the first from the list of architectures
os=$(jq -r '.[0]' <<< $oses)
arch=$(jq -r '.[0]' <<< $arches)
name=$(jq -r '.name' <<< $component)
git_sha=$(jq -r '.source.git.revision' <<< $component) # this sets the value to "null" if it doesn't exist
os=$(jq -r '.[0]' <<< "$oses")
arch=$(jq -r '.[0]' <<< "$arches")
name=$(jq -r '.name' <<< "$component")
media_type=$(skopeo inspect --raw "docker://${containerImage}" | jq -r .mediaType)
oras_args=()
platform=
if [[ "$media_type" == "application/vnd.docker.distribution.manifest.list.v2+json" ]]\
|| [[ "$media_type" == "application/vnd.oci.image.index.v1+json" ]]; then
oras_args+=("--platform $os/$arch")
platform=$os/$arch
oras_args=(--platform "$platform")
fi
# we do not use oras_args here since we want to get the manifest index image digest
Expand All @@ -149,21 +154,21 @@ spec:
RESULTS_JSON=$(jq --arg i "$i" --argjson arches "$arches" --argjson oses "$oses" --arg name "$name" \
--arg sha "$origin_digest" \
'.images[$i|tonumber] += {"arches": $arches, "oses": $oses, "name": $name, "shasum": $sha, "urls": []}' \
<<< $RESULTS_JSON)
<<< "$RESULTS_JSON")
# Push source container if the component has pushSourceContainer: true or if the
# pushSourceContainer key is missing from the component and the defaults has
# pushSourceContainer: true
if [[ $(jq -r '.pushSourceContainer' <<< $component) == "true" ]] \
|| [[ $(jq 'has("pushSourceContainer")' <<< $component) == "false" && \
if [[ $(jq -r '.pushSourceContainer' <<< "$component") == "true" ]] \
|| [[ $(jq 'has("pushSourceContainer")' <<< "$component") == "false" && \
${defaultPushSourceContainer} == "true" ]] ; then
source_tag=${origin_digest/:/-}.src
# Calculate the source container image based on the provided container image
sourceContainer="${source_repo}:${source_tag}"
# Check if the source container exists
source_container_digest=$(oras resolve --registry-config "$SOURCE_AUTH_FILE" \
"${sourceContainer}" ${oras_args[@]})
"${sourceContainer}" "${oras_args[@]}")
if [ -z "$source_container_digest" ] ; then
echo "Error: Source container ${sourceContainer} not found!"
Expand All @@ -172,23 +177,23 @@ spec:
# Push the source image with the source tag here. The source image will be
# pushed with the provided tags below in the loop
push_image "${source_container_digest}" "${name}" "${sourceContainer}" \
"${repository}" "${source_tag}" "${oras_args[@]}"
"${repository}" "${source_tag}" "$platform"
fi
for tag in $(jq -r '.[]' <<< $imageTags) ; do
for tag in $(jq -r '.[]' <<< "$imageTags") ; do
# Push the container image
push_image "${origin_digest}" "${name}" "${containerImage}" "${repository}" "${tag}" \
"${arch}" "${oras_args[@]}"
"$platform"
# This variable will only exist if the above logic determined the source container should
# be pushed for this component
if [ -n "${source_container_digest-}" ] ; then
push_image "${source_container_digest}" "${name}" "${sourceContainer}" \
"${repository}" "${tag}-source" "${arch}" "${oras_args[@]}"
"${repository}" "${tag}-source" "$platform"
fi
done
done
echo -n "${RESULTS_JSON}" | tee $RESULTS_FILE
echo -n "${RESULTS_JSON}" | tee "$RESULTS_FILE"
printf 'Completed "%s" for "%s"\n\n' "$(context.task.name)" "$application"
volumeMounts:
- name: trusted-ca
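Review bot: The jq filter in push_image that writes "$DEST_AUTH_FILE" still splices `$4` and `$registry` into the program text (`'.auths."'"$4"'" = .auths."'"$registry"'" | ...'`), so a value containing a double quote or backslash alters the filter instead of being treated as a key; the same pattern is used with `$source_repo` when writing "$SOURCE_AUTH_FILE" in the component loop. `$4` is the `.repository` field read from the snapshot file, so passing it as data is safer: `jq -c --arg dest "$4" --arg reg "$registry" '.auths[$dest] = .auths[$reg] | del(.auths[$reg])'`, in the same way the script already uses `--arg` when updating RESULTS_JSON. Separately, the new `oras_args=()` inside push_image is not declared `local`, so every call overwrites the loop-level `oras_args` that the source-container `oras resolve` reads; the values coincide today, but `local oras_args=()` would keep the two apart. Both push_image and the loop body continue outside the visible hunks.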
10 changes: 5 additions & 5 deletions tasks/push-snapshot/tests/mocks.sh
Expand Up @@ -5,12 +5,12 @@ set -eux

function cosign() {
echo Mock cosign called with: $*
echo $* >> $(workspaces.data.path)/mock_cosign.txt
echo $* >> "$(workspaces.data.path)"/mock_cosign.txt

# mock cosign failing the first 3x for the retry test
if [[ "$*" == "copy -f registry.io/retry-image:tag "*":"* ]]
then
if [[ $(cat $(workspaces.data.path)/mock_cosign.txt | wc -l) -le 3 ]]
if [[ "$(wc -l < "$(workspaces.data.path)/mock_cosign.txt")" -le 3 ]]
then
echo Expected cosign call failure for retry test
return 1
Expand All @@ -35,7 +35,7 @@ function cosign() {

function skopeo() {
echo Mock skopeo called with: $* >&2
echo $* >> $(workspaces.data.path)/mock_skopeo.txt
echo $* >> "$(workspaces.data.path)"/mock_skopeo.txt

if [[ "$*" == "inspect --raw docker://"* ]]
then
Expand All @@ -54,11 +54,11 @@ function get-image-architectures() {
}

function select-oci-auth() {
echo $* >> $(workspaces.data.path)/mock_select-oci-auth.txt
echo $* >> "$(workspaces.data.path)"/mock_select-oci-auth.txt
}

function oras() {
echo $* >> $(workspaces.data.path)/mock_oras.txt
echo $* >> "$(workspaces.data.path)"/mock_oras.txt
if [[ "$*" == "resolve --registry-config "*" "* ]]
then
if [[ "$4" == *skip-image*.src || "$4" == *skip-image*-source ]]; then
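Review bot: The mocks still record calls with unquoted `echo $*`, which undergoes word splitting and pathname expansion and flattens argument boundaries, so the log cannot tell `--platform $os/$arch` passed as one word from the two-word form this commit switches to in push-snapshot.yaml. `printf '%s\n' "$*" >> "$(workspaces.data.path)"/mock_oras.txt` keeps the current log format for ordinary arguments while avoiding glob expansion; recording with `printf '%q '` over `"$@"` would also preserve boundaries, but presumably requires updating the expected call lists in the tests. This applies to the cosign, skopeo, select-oci-auth and oras mocks alike, and their bodies continue outside the visible hunks.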
29 changes: 15 additions & 14 deletions tasks/push-snapshot/tests/test-push-snapshot-digests-match.yaml
Expand Up @@ -24,8 +24,8 @@ spec:
#!/usr/bin/env sh
set -eux
mkdir $(workspaces.data.path)/results
cat > $(workspaces.data.path)/mapped_snapshot.json << EOF
mkdir "$(workspaces.data.path)/results"
cat > "$(workspaces.data.path)/mapped_snapshot.json" << EOF
{
"application": "myapp",
"components": [
Expand All @@ -41,7 +41,7 @@ spec:
}
EOF
echo '{}' > $(workspaces.data.path)/data.json
echo '{}' > "$(workspaces.data.path)"/data.json
- name: run-task
taskRef:
name: push-snapshot
Expand Down Expand Up @@ -71,31 +71,32 @@ spec:
#!/usr/bin/env sh
set -eux
if [ $(cat $(workspaces.data.path)/mock_cosign.txt | wc -l) != 0 ]; then
echo Error: cosign was expected to be called 0 times. Actual calls:
cat $(workspaces.data.path)/mock_cosign.txt
if [ -f "$(workspaces.data.path)/mock_cosign.txt" ]; then
echo Error: cosign was not expected to be called. Actual calls:
cat "$(workspaces.data.path)/mock_cosign.txt"
exit 1
fi
if [ $(cat $(workspaces.data.path)/mock_skopeo.txt | wc -l) != 1 ]; then
if [ "$(wc -l < "$(workspaces.data.path)/mock_skopeo.txt")" != 1 ]; then
echo Error: skopeo was expected to be called 1 time. Actual calls:
cat $(workspaces.data.path)/mock_skopeo.txt
cat "$(workspaces.data.path)/mock_skopeo.txt"
exit 1
fi
if [ $(cat $(workspaces.data.path)/mock_oras.txt | wc -l) != 2 ]; then
if [ "$(wc -l < "$(workspaces.data.path)/mock_oras.txt")" != 2 ]; then
echo Error: oras was expected to be called 2 times. Actual calls:
cat $(workspaces.data.path)/mock_oras.txt
cat "$(workspaces.data.path)/mock_oras.txt"
exit 1
fi
echo Make sure the results file was still written even though no push happened
test $(jq -r '.images[0].name' $(workspaces.data.path)/results/push-snapshot-results.json) == "comp"
test $(jq -r '.images[0].shasum' $(workspaces.data.path)/results/push-snapshot-results.json) == \
test "$(jq -r '.images[0].name' "$(workspaces.data.path)/results/push-snapshot-results.json")" == "comp"
test "$(jq -r '.images[0].shasum' "$(workspaces.data.path)/results/push-snapshot-results.json")" == \
"sha256:0b770b6ec5414e841167266c96af42404e9f7049f72c21d0ab312e07c9403197"
test $(jq -r '.images[0].urls | length' $(workspaces.data.path)/results/push-snapshot-results.json) \
test "$(jq -r '.images[0].urls | length' "$(workspaces.data.path)/results/push-snapshot-results.json")" \
== "1"
test $(jq -r '.images[0].arches | length' $(workspaces.data.path)/results/push-snapshot-results.json) \
test "$(jq -r '.images[0].arches | length' \
"$(workspaces.data.path)/results/push-snapshot-results.json")" \
== "2"
runAfter:
- run-task
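Review bot: The assertions at the end of this check step use `test … == …` in a script whose shebang is `#!/usr/bin/env sh`; `==` is not a POSIX `test` operator and only works when sh is bash or another shell that accepts it. Using `=` keeps the checks portable, e.g. `test "$(jq -r '.images[0].name' "$(workspaces.data.path)/results/push-snapshot-results.json")" = "comp"`. The same `==` comparisons appear in the check step of test-push-snapshot-mount-certs.yaml. Relatedly, the call-count checks compare the `wc -l` output as a string (`!= 1`); `-ne 1` would compare numerically and tolerate padded output.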
Expand Up @@ -26,8 +26,8 @@ spec:
#!/usr/bin/env sh
set -eux
mkdir $(workspaces.data.path)/results
cat > $(workspaces.data.path)/mapped_snapshot.json << EOF
mkdir "$(workspaces.data.path)/results"
cat > "$(workspaces.data.path)/mapped_snapshot.json" << EOF
{
"application": "myapp",
"components": [
Expand Up @@ -26,8 +26,8 @@ spec:
#!/usr/bin/env sh
set -eux
mkdir $(workspaces.data.path)/results
cat > $(workspaces.data.path)/snapshot.json << EOF
mkdir "$(workspaces.data.path)/results"
cat > "$(workspaces.data.path)"/snapshot.json << EOF
{
"application": "myapp",
"components": [
Expand All @@ -50,7 +50,7 @@ spec:
}
EOF
cat > $(workspaces.data.path)/data.json << EOF
cat > "$(workspaces.data.path)"/data.json << EOF
{
"mapping": {
"defaults": {
27 changes: 14 additions & 13 deletions tasks/push-snapshot/tests/test-push-snapshot-mount-certs.yaml
Expand Up @@ -23,8 +23,8 @@ spec:
#!/usr/bin/env sh
set -eux
mkdir $(workspaces.data.path)/results
cat > $(workspaces.data.path)/snapshot.json << EOF
mkdir "$(workspaces.data.path)/results"
cat > "$(workspaces.data.path)"/snapshot.json << EOF
{
"application": "myapp",
"components": [
Expand All @@ -50,7 +50,7 @@ spec:
}
EOF
cat > $(workspaces.data.path)/data.json << EOF
cat > "$(workspaces.data.path)"/data.json << EOF
{
"mapping": {
"defaults": {
Expand Down Expand Up @@ -96,30 +96,31 @@ spec:
# 2 for comp1 (the 2 provided tags)
# 3 for comp2 (provided tag, once for image, once for source container, + once for source tag)
if [ $(cat $(workspaces.data.path)/mock_cosign.txt | wc -l) != 5 ]; then
if [ "$(wc -l < "$(workspaces.data.path)/mock_cosign.txt")" != 5 ]; then
echo Error: cosign was expected to be called 5 times. Actual calls:
cat $(workspaces.data.path)/mock_cosign.txt
cat "$(workspaces.data.path)/mock_cosign.txt"
exit 1
fi
if [ $(cat $(workspaces.data.path)/mock_skopeo.txt | wc -l) != 2 ]; then
if [ "$(wc -l < "$(workspaces.data.path)/mock_skopeo.txt")" != 2 ]; then
echo Error: skopeo was expected to be called 2 times. Actual calls:
cat $(workspaces.data.path)/mock_skopeo.txt
cat "$(workspaces.data.path)/mock_skopeo.txt"
exit 1
fi
if [ $(cat $(workspaces.data.path)/mock_oras.txt | wc -l) != 8 ]; then
if [ "$(wc -l < "$(workspaces.data.path)/mock_oras.txt")" != 8 ]; then
echo Error: oras was expected to be called 8 times. Actual calls:
cat $(workspaces.data.path)/mock_oras.txt
cat "$(workspaces.data.path)/mock_oras.txt"
exit 1
fi
test $(jq -r '.images[0].name' $(workspaces.data.path)/results/push-snapshot-results.json) == "comp1"
test $(jq -r '.images[0].shasum' $(workspaces.data.path)/results/push-snapshot-results.json) == \
test "$(jq -r '.images[0].name' "$(workspaces.data.path)/results/push-snapshot-results.json")" == "comp1"
test "$(jq -r '.images[0].shasum' "$(workspaces.data.path)/results/push-snapshot-results.json")" == \
"sha256:6ff029b0b6cf82e3df2a2360dc88cd527c51132b557207d64634d9c245e0d15e"
test $(jq -r '.images[0].urls | length' $(workspaces.data.path)/results/push-snapshot-results.json) \
test "$(jq -r '.images[0].urls | length' "$(workspaces.data.path)/results/push-snapshot-results.json")" \
== "2"
test $(jq -r '.images[0].arches | length' $(workspaces.data.path)/results/push-snapshot-results.json) \
test "$(jq -r '.images[0].arches | length' \
"$(workspaces.data.path)/results/push-snapshot-results.json")" \
== "2"
runAfter:
- run-task