Skip to content

Commit

Permalink
feat(ISV-5130): push SBOMs to Atlas
Browse files Browse the repository at this point in the history
The rh-advisories pipeline now supports generating product-level SBOMs
at release time and enhancing component-level SBOMs created at build
time with additional release-time data.

Signed-off-by: Martin Jediny <[email protected]>
  • Loading branch information
jedinym authored and johnbieren committed Dec 20, 2024
1 parent d8943bc commit 5cf831a
Show file tree
Hide file tree
Showing 17 changed files with 592 additions and 112 deletions.
8 changes: 8 additions & 0 deletions pipelines/managed/rh-advisories/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,14 @@ the rh-push-to-registry-redhat-io pipeline.
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Changes in 1.7.0
* Add collect-atlas-params task to fetch Atlas parameters from the RPA.
* Add create-product-sbom task to create product-level SBOMs.
* Add update-component-sbom task to update component-level SBOMs with release
info.
* Add upload-product-sbom task to push the product SBOM to Atlas.
* Add upload-component-sbom task to push the component-level SBOMs to Atlas.

## Changes in 1.6.0
* Add new parameter `schema` to the `check-data-keys` task.
* Add new systems pyxis,mapping & signing to the task.
Expand Down
126 changes: 125 additions & 1 deletion pipelines/managed/rh-advisories/rh-advisories.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: rh-advisories
labels:
app.kubernetes.io/version: "1.6.0"
app.kubernetes.io/version: "1.7.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -480,6 +480,61 @@ spec:
workspace: release-workspace
runAfter:
- create-pyxis-image
- name: update-component-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/update-component-sbom/update-component-sbom.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
params:
- name: dataJsonPath
value: "$(tasks.collect-data.results.data)"
- name: downloadedSbomPath
value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
runAfter:
- collect-data
- collect-atlas-params
- push-rpm-data-to-pyxis
- populate-release-notes-images
- name: upload-component-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
params:
- name: sbomDir
value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
- name: atlasSecretName
value: "$(tasks.collect-atlas-params.results.secretName)"
- name: ssoTokenUrl
value: "$(tasks.collect-atlas-params.results.ssoTokenUrl)"
- name: bombasticApiUrl
value: "$(tasks.collect-atlas-params.results.bombasticApiUrl)"
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/upload-sbom-to-atlas/upload-sbom-to-atlas.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
runAfter:
- update-component-sbom
- name: run-file-updates
params:
- name: fileUpdatesPath
Expand Down Expand Up @@ -533,6 +588,75 @@ spec:
workspace: release-workspace
runAfter:
- populate-release-notes-images
- name: collect-atlas-params
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/collect-atlas-params/collect-atlas-params.yaml
params:
- name: dataPath
value: "$(tasks.collect-data.results.data)"
workspaces:
- name: data
workspace: release-workspace
runAfter:
- collect-data
- name: create-product-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
params:
- name: dataJsonPath
value: "$(tasks.collect-data.results.data)"
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/create-product-sbom/create-product-sbom.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
runAfter:
- collect-atlas-params
- populate-release-notes-images
- name: upload-product-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
params:
- name: sbomDir
value: "$(tasks.create-product-sbom.results.productSBOMPath)"
- name: atlasSecretName
value: "$(tasks.collect-atlas-params.results.secretName)"
- name: ssoTokenUrl
value: "$(tasks.collect-atlas-params.results.ssoTokenUrl)"
- name: bombasticApiUrl
value: "$(tasks.collect-atlas-params.results.bombasticApiUrl)"
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/upload-sbom-to-atlas/upload-sbom-to-atlas.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
runAfter:
- create-product-sbom
- name: create-advisory
retries: 5
params:
Expand Down
14 changes: 14 additions & 0 deletions schema/dataKeys.json
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,20 @@
}
}
},
"atlas": {
"type": "object",
"additionalProperties": false,
"properties": {
"server": {
"type": "string",
"description": "The release Atlas server to push SBOMs to",
"enum": [
"stage",
"production"
]
}
}
},
"slack": {
"type": "object",
"properties": {
Expand Down
13 changes: 13 additions & 0 deletions tasks/collect-atlas-params/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# collect-atlas-params

Tekton task that collects the Atlas server option from the data file. Based on
the value of the "atlas.server" field ("stage" or "production"), outputs results
used to push SBOMs to Atlas. If no Atlas fields are present in the RPA, it
outputs empty strings as results, indicating that the Atlas push should be
skipped.

## Parameters

| Name | Description | Optional | Default value |
|----------|----------------------------------------------------------------------------------------------------------------|----------|---------------|
| dataPath | Path to the merged data JSON file generated by collect-data task and containing the Atlas configuration option | No | - |
69 changes: 69 additions & 0 deletions tasks/collect-atlas-params/collect-atlas-params.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: collect-atlas-params
labels:
app.kubernetes.io/version: "0.1.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
spec:
description: >-
Tekton task that collects Atlas API configuration options from the data file.
params:
- name: dataPath
type: string
description: |
Path to the JSON string of the merged data containing the Atlas config.
workspaces:
- name: data
results:
- name: bombasticApiUrl
type: string
description: |
URL of the bombastic API.
- name: ssoTokenUrl
type: string
description: |
URL of the SSO token issuer.
- name: secretName
type: string
description: |
The kubernetes secret to use to authenticate to bombastic.
steps:
- name: collect-atlas-params
image:
quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
script: |
#!/usr/bin/env bash
set -x
DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
if [ ! -f "${DATA_FILE}" ] ; then
echo "ERROR: No valid data file was provided."
exit 1
fi
atlasServer=$(jq -r '.atlas.server' "$DATA_FILE")
if [ "$atlasServer" = "null" ]; then
# In this case, SBOM processing will be skipped.
bombasticApiUrl=""
ssoTokenUrl=""
secretName=""
elif [ "$atlasServer" = "stage" ]; then
bombasticApiUrl="https://sbom.atlas.release.stage.devshift.net"
ssoTokenUrl="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
secretName="atlas-staging-sso-secret"
elif [ "$atlasServer" = "production" ]; then
bombasticApiUrl="https://sbom.atlas.release.devshift.net"
ssoTokenUrl="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
secretName="atlas-prod-sso-secret"
else
echo "ERROR: Unknown .atlas.server value '$atlasServer'. Expected 'stage' or 'production'."
exit 1
fi
echo -n "$bombasticApiUrl" > "$(results.bombasticApiUrl.path)"
echo -n "$ssoTokenUrl" > "$(results.ssoTokenUrl.path)"
echo -n "$secretName" > "$(results.secretName.path)"
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-collect-atlas-params-bad-value
annotations:
test/assert-task-failure: "run-task"
spec:
description: |
Run the collect-atlas-params task with a bad value as atlasServer.
workspaces:
- name: tests-workspace
tasks:
- name: setup
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
workspaces:
- name: data
steps:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
script: |
#!/usr/bin/env bash
set -eux
cat > "$(workspaces.data.path)/data.json" << EOF
{
"atlas": {
"server": "invalid"
}
}
EOF
- name: run-task
taskRef:
name: collect-atlas-params
params:
- name: dataPath
value: data.json
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- setup
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-collect-atlas-params-nonexistent
spec:
description: |
Run the collect-atlas-params task with a missing atlasServer key.
workspaces:
- name: tests-workspace
tasks:
- name: setup
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
workspaces:
- name: data
steps:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
script: |
#!/usr/bin/env bash
set -eux
echo "{}" > "$(workspaces.data.path)/data.json"
- name: run-task
taskRef:
name: collect-atlas-params
params:
- name: dataPath
value: data.json
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- setup
- name: check-result
params:
- name: secretName
value: $(tasks.run-task.results.secretName)
- name: ssoTokenUrl
value: $(tasks.run-task.results.ssoTokenUrl)
- name: bombasticApiUrl
value: $(tasks.run-task.results.bombasticApiUrl)
taskSpec:
params:
- name: secretName
- name: ssoTokenUrl
- name: bombasticApiUrl
steps:
- name: check-result
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
env:
- name: "SECRET_NAME"
value: '$(params.secretName)'
- name: "SSO_TOKEN_URL"
value: '$(params.ssoTokenUrl)'
- name: "BOMBASTIC_API_URL"
value: '$(params.bombasticApiUrl)'
script: |
#!/usr/bin/env bash
set -eux
test "$SECRET_NAME" = ""
test "$SSO_TOKEN_URL" = ""
test "$BOMBASTIC_API_URL" = ""
Loading

0 comments on commit 5cf831a

Please sign in to comment.