fix(KFLUXBUGS-1896): pass errata SA secret when creating advisories (#…
…700)

Currently, we hardcode the errata service account secret in the internal
task. This results in using prod errata credentials when pushing stage
advisories from a prod cluster. This commit fixes that.

Signed-off-by: Johnny Bieren <[email protected]>
johnbieren authored Nov 21, 2024
1 parent 94d9db7 commit 85a0aa3
Showing 4 changed files with 23 additions and 1 deletion.
3 changes: 3 additions & 0 deletions tasks/create-advisory/README.md
Expand Up @@ -18,6 +18,9 @@ Only all `redhat-pending` or all `redhat-prod` repositories may be specified in
| synchronously | Whether the task should wait for InternalRequests to complete | Yes | true |
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |

## Changes in 4.4.3
* Pass the errata service account secret name to the InternalRequest based on stage or prod

## Changes in 4.4.2
* If the releaseNotes do not specify any CVEs fixed and the type is RHSA, fail the task
* If the releaseNotes specify CVEs fixed, proceed with type set to RHSA regardless of the passed type
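
Review bot: The 4.4.3 changelog entry says the errata secret name is passed to the InternalRequest but names neither the parameter nor the secrets. The task now sends `errata_secret_name` with either `errata-stage-service-account` or `errata-prod-service-account`, so listing those three names here would tell operators what the internal request will reference once they pick up this version.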
7 changes: 6 additions & 1 deletion tasks/create-advisory/create-advisory.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: create-advisory
labels:
app.kubernetes.io/version: "4.4.2"
app.kubernetes.io/version: "4.4.3"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -99,7 +99,9 @@ spec:
# these are their secret names
#
prodSecretName="create-advisory-prod-secret"
prodErrataSecretName="errata-prod-service-account"
stagingSecretName="create-advisory-stage-secret"
stagingErrataSecretName="errata-stage-service-account"
#
# detect which one to use based on repositories specified
#
Expand Down Expand Up @@ -150,8 +152,10 @@ spec:
# is true.
#
advisorySecretName="${prodSecretName}"
errataSecretName="${prodErrataSecretName}"
if [ "${foundPendingRepositories}" == "true" ]; then
advisorySecretName="${stagingSecretName}"
errataSecretName="${stagingErrataSecretName}"
fi
echo "Creating InternalRequest to create advisory..."
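
Review bot: In the selection block, `advisorySecretName` and `errataSecretName` both start as the prod values and only switch when `foundPendingRepositories` is exactly `true`, so a flag that is unset or holds any other value falls through to prod credentials, which is the direction the commit message describes as the bug. Consider making both outcomes explicit (stage when pending repositories were found, prod only when the prod case was positively detected) and exiting with an error otherwise, so the two secrets are always chosen as a pair and never by default.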
Expand All @@ -161,6 +165,7 @@ spec:
-p advisory_json="${advisoryData}" \
-p config_map_name="${configMapName}" \
-p advisory_secret_name="${advisorySecretName}" \
-p errata_secret_name="${errataSecretName}" \
-s "$(params.synchronously)" \
-l ${pipelinerun_label}="$(params.pipelineRunUid)" \
> "$(workspaces.data.path)"/ir-result.txt || \
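
Review bot: The new `-p errata_secret_name="${errataSecretName}"` line only has an effect if the receiving internal pipeline declares that parameter and uses it in place of the hardcoded secret the commit message mentions, and none of the hunks shown here touches that side. Please link the matching internal-task change and state the rollout order, since a receiver that ignores the parameter would leave the hardcoded credentials in use with no error at this call site.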
Expand Up @@ -167,6 +167,13 @@ spec:
echo "InternalRequest has the wrong advisory_secret_name parameter"
exit 1
fi
# Check the errata_secret_name parameter
if [ "$(echo "$internalRequest" | jq -r '.spec.params.errata_secret_name' )" != \
"errata-stage-service-account" ]; then
echo "InternalRequest has the wrong errata_secret_name parameter"
exit 1
fi
finally:
- name: cleanup
taskSpec:
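
Review bot: The failure message in the new check, `InternalRequest has the wrong errata_secret_name parameter`, does not show what was found. Because `jq -r` prints `null` when the key is absent, storing the extracted value in a variable and echoing it next to the expected `errata-stage-service-account` would let the test log distinguish a missing parameter from a prod/stage mix-up.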
Expand Up @@ -182,6 +182,13 @@ spec:
echo "InternalRequest has the wrong advisory_secret_name parameter"
exit 1
fi
# Check the errata_secret_name parameter
if [ "$(echo "$internalRequest" | jq -r '.spec.params.errata_secret_name' )" != \
"errata-prod-service-account" ]; then
echo "InternalRequest has the wrong errata_secret_name parameter"
exit 1
fi
finally:
- name: cleanup
taskSpec: