fix(RELEASE-1089): linting issues in sign-base64-blob (#758)
Signed-off-by: Johnny Bieren <[email protected]>
johnbieren authored Dec 20, 2024
1 parent 8a0a5ff commit b057dff
Showing 3 changed files with 38 additions and 33 deletions.
3 changes: 3 additions & 0 deletions tasks/sign-base64-blob/README.md
@@ -25,6 +25,9 @@ data:
configMapName: <configmap name>
```

## Changes in 2.4.1
* Fix shellcheck/checkton linting issues in the task and tests

## Changes in 2.4.0
* No longer examine `.data.sign.request` to obtain the Signing pipeline name. Use the default - blob-signing-pipeline

33 changes: 17 additions & 16 deletions tasks/sign-base64-blob/sign-base64-blob.yaml
@@ -4,7 +4,7 @@ kind: Task
metadata:
name: sign-base64-blob
labels:
app.kubernetes.io/version: "2.4.0"
app.kubernetes.io/version: "2.4.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
@@ -40,7 +40,7 @@ spec:
image:
quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env sh
#!/usr/bin/env bash
set -ex
set -o pipefail
@@ -52,32 +52,33 @@ spec:
default_pipeline_image="quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3"
pipeline_image=$(jq -r --arg default_pipeline_image ${default_pipeline_image} \
'.sign.pipelineImage // $default_pipeline_image' ${DATA_FILE})
config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' ${DATA_FILE})
'.sign.pipelineImage // $default_pipeline_image' "${DATA_FILE}")
config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' "${DATA_FILE}")
pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid"
echo "Creating InternalRequest to sign blob:"
echo "- blob=$(params.blob)"
echo "- requester=$(params.requester)"
internal-request -r "blob-signing-pipeline" \
-p pipeline_image=${pipeline_image} \
-p blob=$(params.blob) \
-p requester=$(params.requester) \
-p config_map_name=${config_map_name} \
-t $(params.requestTimeout) \
-l ${pipelinerun_label}=$(params.pipelineRunUid) \
> $(workspaces.data.path)/ir-result.txt || \
(grep "^\[" $(workspaces.data.path)/ir-result.txt | jq . && exit 1)
-p pipeline_image="${pipeline_image}" \
-p blob="$(params.blob)" \
-p requester="$(params.requester)" \
-p config_map_name="${config_map_name}" \
-t "$(params.requestTimeout)" \
-l ${pipelinerun_label}="$(params.pipelineRunUid)" \
> "$(workspaces.data.path)/ir-result.txt" || \
(grep "^\[" "$(workspaces.data.path)/ir-result.txt" | jq . && exit 1)
internalRequest=$(awk 'NR==1{ print $2 }' $(workspaces.data.path)/ir-result.txt | xargs)
internalRequest=$(awk 'NR==1{ print $2 }' "$(workspaces.data.path)/ir-result.txt" | xargs)
echo "done (${internalRequest})"
payload=$(kubectl get internalrequest $internalRequest -o=jsonpath='{.status.results.signed_payload}')
decoded_payload=$(echo -n $payload | base64 -d)
payload=$(kubectl get internalrequest "$internalRequest" -o=jsonpath='{.status.results.signed_payload}')
decoded_payload=$(echo -n "$payload" | base64 -d)
# Build .sig file
checksum_file_name=$(ls $(workspaces.data.path)/$(params.binariesPath) | grep SHA256SUMS)
checksum_file_name=$(find "$(workspaces.data.path)/$(params.binariesPath)" -maxdepth 1 -name '*SHA256SUMS*' \
-printf '%f\n')
echo -n "$decoded_payload" \
| gpg --dearmor \
| tee "$(workspaces.data.path)/$(params.binariesPath)/${checksum_file_name}.sig"
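Review bot: The quotes added around `$(params.blob)`, `$(params.requester)`, `$(params.requestTimeout)` and `$(params.pipelineRunUid)` in the `internal-request` call do not neutralise those values, because Tekton substitutes `$(params.*)` into the script text before bash parses it, so quote characters or command-substitution syntax inside a value are still read as shell syntax. If any of these parameters can be influenced by whoever creates the release (not visible from this hunk), pass them through the step's `env:` (`- name: BLOB` with `value: $(params.blob)`) and reference them as `-p blob="${BLOB}"`. Separately, replacing `ls … | grep SHA256SUMS` with `find … -printf '%f\n'` changes the failure behaviour: `find` exits 0 when nothing matches, so under `set -e` the script no longer stops and the signature would be written to a file named just `.sig`. A guard such as `[ -n "${checksum_file_name}" ] || { echo "no SHA256SUMS file found"; exit 1; }` right after the assignment restores the old fail-closed behaviour. The step definition begins outside this hunk, so the `env:` block would be added next to `image:`.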
35 changes: 18 additions & 17 deletions tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml
@@ -19,19 +19,19 @@ spec:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env sh
#!/usr/bin/env bash
set -eux
cat > $(workspaces.data.path)/data.json << EOF
cat > "$(workspaces.data.path)/data.json" << EOF
{
"sign": {
"configMapName": "signing-config-map"
}
}
EOF
mkdir -p $(workspaces.data.path)/binaries
touch $(workspaces.data.path)/binaries/foo_SHA256SUMS
mkdir -p "$(workspaces.data.path)/binaries"
touch "$(workspaces.data.path)/binaries/foo_SHA256SUMS"
- name: run-task
taskRef:
name: sign-base64-blob
@@ -60,46 +60,47 @@ spec:
- name: check-result
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env sh
#!/usr/bin/env bash
set -eux
internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers)"
params=$(kubectl get internalrequest ${internalRequest} -o jsonpath="{.spec.params}")
internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers \
-o custom-columns=":metadata.name")"
params=$(kubectl get internalrequest "${internalRequest}" -o jsonpath="{.spec.params}")
if [ $(jq -r '.blob' <<< "${params}") != "test-blob" ]; then
if [ "$(jq -r '.blob' <<< "${params}")" != "test-blob" ]; then
echo "blob does not match"
exit 1
fi
if [ $(jq -r '.config_map_name' <<< "${params}") != "signing-config-map" ]
if [ "$(jq -r '.config_map_name' <<< "${params}")" != "signing-config-map" ]
then
echo "config_map_name does not match"
exit 1
fi
if [ $(jq -r '.requester' <<< "${params}") != "testuser" ]
if [ "$(jq -r '.requester' <<< "${params}")" != "testuser" ]
then
echo "requester does not match"
exit 1
fi
if [ $(jq -r '.pipeline_image' <<< "${params}") != \
if [ "$(jq -r '.pipeline_image' <<< "${params}")" != \
"quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3" ]
then
echo "pipeline_image does not match"
exit 1
fi
binaries_path=$(workspaces.data.path)/binaries
created_file=$(ls $binaries_path | grep sig)
if [ $created_file != "foo_SHA256SUMS.sig" ]
binaries_path="$(workspaces.data.path)/binaries"
created_file=$(find "$binaries_path" -maxdepth 1 -name '*sig*' -printf '%f\n')
if [ "$created_file" != "foo_SHA256SUMS.sig" ]
then
echo "Unexpected filename for the signed file"
exit 1
fi
file_content=$(cat $binaries_path/foo_SHA256SUMS.sig)
if [ $file_content != "dummy-payload" ]
file_content=$(cat "$binaries_path/foo_SHA256SUMS.sig")
if [ "$file_content" != "dummy-payload" ]
then
echo "Payload is not correct"
exit 1
@@ -113,7 +114,7 @@ spec:
- name: delete-crs
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env sh
#!/usr/bin/env bash
set -eux
kubectl delete internalrequests --all
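Review bot: In `check-result`, the `kubectl get internalrequest … -o custom-columns=":metadata.name"` lookup returns every InternalRequest in the namespace, and now that `"${internalRequest}"` is quoted, a second object would make the value one multi-line argument and fail the following `kubectl get`. The `--sort-by=.metadata.creationTimestamp` suggests the newest object is the one wanted, so select it explicitly by appending `| tail -n 1` to the command substitution. The `find "$binaries_path" -maxdepth 1 -name '*sig*'` check is similarly loose; `-name '*.sig'` would match only the signature file the task is expected to create. The `check-result` script continues past the end of this hunk.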
