From 85a0aa33c25b80fd3c300373e0ca391cc90e848f Mon Sep 17 00:00:00 2001
From: Johnny Bieren
Date: Wed, 20 Nov 2024 19:11:18 -0500
Subject: [PATCH] fix(KFLUXBUGS-1896): pass errata SA secret when creating advisories (#700)
Currently, we hardcode the errata service account secret in the internal task. This results in using prod errata credentials when pushing stage advisories from a prod cluster. This commit fixes that.
Signed-off-by: Johnny Bieren
---
 tasks/create-advisory/README.md | 3 +++
 tasks/create-advisory/create-advisory.yaml | 7 ++++++-
 .../tests/test-create-advisory-pending-repo.yaml | 7 +++++++
 .../tests/test-create-advisory-prod-repo.yaml | 7 +++++++
 4 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/tasks/create-advisory/README.md b/tasks/create-advisory/README.md
index 7261ac405..507ff2467 100644
--- a/tasks/create-advisory/README.md
+++ b/tasks/create-advisory/README.md
@@ -18,6 +18,9 @@ Only all `redhat-pending` or all `redhat-prod` repositories may be specified in
 | synchronously | Whether the task should wait for InternalRequests to complete | Yes | true |
 | pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |
+## Changes in 4.4.3
+* Pass the errata service account secret name to the InternalRequest based on stage or prod
+
 ## Changes in 4.4.2
 * If the releaseNotes do not specify any CVEs fixed and the type is RHSA, fail the task
 * If the releaseNotes specify CVEs fixed, proceed with type set to RHSA regardless of the passed type
diff --git a/tasks/create-advisory/create-advisory.yaml b/tasks/create-advisory/create-advisory.yaml
index 3d13b68b8..b5d10b23b 100644
--- a/tasks/create-advisory/create-advisory.yaml
+++ b/tasks/create-advisory/create-advisory.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
 name: create-advisory
 labels:
- app.kubernetes.io/version: "4.4.2"
+ app.kubernetes.io/version: "4.4.3"
 annotations:
 tekton.dev/pipelines.minVersion: "0.12.1"
 tekton.dev/tags: release
@@ -99,7 +99,9 @@ spec:
 # these are their secret names
 #
 prodSecretName="create-advisory-prod-secret"
+ prodErrataSecretName="errata-prod-service-account"
 stagingSecretName="create-advisory-stage-secret"
+ stagingErrataSecretName="errata-stage-service-account"
 #
 # detect which one to use based on repositories specified
 #
@@ -150,8 +152,10 @@ spec:
 # is true.
 #
 advisorySecretName="${prodSecretName}"
+ errataSecretName="${prodErrataSecretName}"
 if [ "${foundPendingRepositories}" == "true" ]; then
 advisorySecretName="${stagingSecretName}"
+ errataSecretName="${stagingErrataSecretName}"
 fi
 echo "Creating InternalRequest to create advisory..."
@@ -161,6 +165,7 @@ spec:
 -p advisory_json="${advisoryData}" \
 -p config_map_name="${configMapName}" \
 -p advisory_secret_name="${advisorySecretName}" \
+ -p errata_secret_name="${errataSecretName}" \
 -s "$(params.synchronously)" \
 -l ${pipelinerun_label}="$(params.pipelineRunUid)" \
 > "$(workspaces.data.path)"/ir-result.txt || \
diff --git a/tasks/create-advisory/tests/test-create-advisory-pending-repo.yaml b/tasks/create-advisory/tests/test-create-advisory-pending-repo.yaml
index 2a980bda0..6880d30ac 100644
--- a/tasks/create-advisory/tests/test-create-advisory-pending-repo.yaml
+++ b/tasks/create-advisory/tests/test-create-advisory-pending-repo.yaml
@@ -167,6 +167,13 @@ spec:
 echo "InternalRequest has the wrong advisory_secret_name parameter"
 exit 1
 fi
+
+ # Check the errata_secret_name parameter
+ if [ "$(echo "$internalRequest" | jq -r '.spec.params.errata_secret_name' )" != \
+ "errata-stage-service-account" ]; then
+ echo "InternalRequest has the wrong errata_secret_name parameter"
+ exit 1
+ fi
 finally:
 - name: cleanup
 taskSpec:
diff --git a/tasks/create-advisory/tests/test-create-advisory-prod-repo.yaml b/tasks/create-advisory/tests/test-create-advisory-prod-repo.yaml
index 311256738..7edf6d176 100644
--- a/tasks/create-advisory/tests/test-create-advisory-prod-repo.yaml
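Review bot: In the create-advisory.yaml hunk at `-150,8 +152,10`, `errataSecretName` starts as the prod value and switches to stage only when `foundPendingRepositories` is exactly `"true"`, so any state where that flag is unset or holds another value selects the prod errata credentials. The code that sets the flag is outside the hunk, so whether such a state is reachable cannot be told from here; if it is, failing the task would be safer than falling back to prod. At minimum, recording the choice in the task log makes a wrong-environment push visible afterwards: `echo "Using errata secret: ${errataSecretName}"` just before the InternalRequest is created. Only the secret's name is printed, not its contents.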
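Review bot: The added `-p errata_secret_name="${errataSecretName}"` in the create-advisory.yaml hunk at `-161,6 +165,7` makes the errata credential a caller-supplied parameter, so the internal pipeline that receives it should accept only the two expected names rather than any secret name it is handed. That pipeline is not part of this patch, so the check may already exist; if it does not, comparing the value against `errata-prod-service-account` and `errata-stage-service-account` on the receiving side means a request carrying an unexpected name is rejected instead of being resolved to some other secret. The same consideration applies to the existing `advisory_secret_name` parameter. The `internal-request` command starts and ends outside the hunk.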
+++ b/tasks/create-advisory/tests/test-create-advisory-prod-repo.yaml
@@ -182,6 +182,13 @@ spec:
 echo "InternalRequest has the wrong advisory_secret_name parameter"
 exit 1
 fi
+
+ # Check the errata_secret_name parameter
+ if [ "$(echo "$internalRequest" | jq -r '.spec.params.errata_secret_name' )" != \
+ "errata-prod-service-account" ]; then
+ echo "InternalRequest has the wrong errata_secret_name parameter"
+ exit 1
+ fi
 finally:
 - name: cleanup
 taskSpec: