feat(RELEASE-1191): differentiate pyxis and umb in signing (#729)
This commit modifies the tasks used in `simple-signing-pipeline` to
separate credentials for Pyxis and UMB authentication. Prior to this
commit, both were pulled from the same configMap values so it was
impossible to use stage for one system and prod for the other.

Signed-off-by: Johnny Bieren <[email protected]>
johnbieren authored Dec 10, 2024
1 parent 2f309e3 commit eb7b4f9
Showing 8 changed files with 81 additions and 59 deletions.
4 changes: 4 additions & 0 deletions tasks/collect-simple-signing-params/README.md
Expand Up @@ -8,6 +8,10 @@ Task to collect parameters for the simple signing pipeline
|------------------|---------------------------------------------------------------------------------------|----------|--------------------------------------------------------|
| config_map_name | Name of a configmap with pipeline configuration | No | - |

## Changes in 0.3.0
* Removed the `ssl_cert_secret_name`, `ssl_cert_file_name`, and `ssl_key_file_name` results
* The results added in 0.2.0 take their places

## Changes in 0.2.0
* Added the `[pyxis,umb]_ssl_cert_file_name`, `[pyxis,umb]_ssl_cert_secret_name` and `[pyxis,umb]_ssl_key_file_name`
results
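Review bot: the changelog entry states that the results removed in 0.3.0 are replaced by the `[pyxis,umb]_ssl_*` results added in 0.2.0, but this hunk touches only the changelog; make sure the README's results table (below the parameters table shown here) also drops the `ssl_cert_secret_name`, `ssl_cert_file_name` and `ssl_key_file_name` rows, otherwise the documentation advertises results the task no longer emits.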
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: collect-simple-signing-params
labels:
app.kubernetes.io/version: "0.2.0"
app.kubernetes.io/version: "0.3.0"
annotations:
tekton.dev/tags: release
spec:
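Review bot: the bump is 0.2.0 to 0.3.0 although the change removes three results, which breaks any pipeline that still consumes them; the sibling task `request-and-upload-signature` goes 0.1.0 to 1.0.0 in this same commit for the matching parameter removal, so consider 1.0.0 here as well for consistency, or state in the README why a minor bump is intended.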
Expand All @@ -26,12 +26,6 @@ spec:
description: umb topic which is used for publishing
- name: umb_client_name
description: Client name to connect to umb, usually a service account name
- name: ssl_cert_secret_name
description: SSL secret name
- name: ssl_cert_file_name
description: SSL certificate file name
- name: ssl_key_file_name
description: SSL key file name
- name: pyxis_ssl_cert_secret_name
description: Pyxis SSL secret name
- name: pyxis_ssl_cert_file_name
Expand All @@ -58,9 +52,6 @@ spec:
PYXIS_URL=$(jq -er '.data.PYXIS_URL' <<< "${configMapJson}")
SIG_KEY_ID=$(jq -er '.data.SIG_KEY_ID' <<< "${configMapJson}")
SIG_KEY_NAME=$(jq -er '.data.SIG_KEY_NAME' <<< "${configMapJson}")
SSL_CERT_FILE_NAME=$(jq -er '.data.SSL_CERT_FILE_NAME' <<< "${configMapJson}")
SSL_CERT_SECRET_NAME=$(jq -er '.data.SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
SSL_KEY_FILE_NAME=$(jq -er '.data.SSL_KEY_FILE_NAME' <<< "${configMapJson}")
PYXIS_SSL_CERT_FILE_NAME=$(jq -er '.data.PYXIS_SSL_CERT_FILE_NAME' <<< "${configMapJson}")
PYXIS_SSL_CERT_SECRET_NAME=$(jq -er '.data.PYXIS_SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
PYXIS_SSL_KEY_FILE_NAME=$(jq -er '.data.PYXIS_SSL_KEY_FILE_NAME' <<< "${configMapJson}")
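Review bot: every extraction uses `jq -er`, which exits non-zero when the key is absent, so after this change the `PYXIS_SSL_*` keys (and the UMB counterparts introduced in 0.2.0) are mandatory in the configMap while the legacy `SSL_*` keys are silently ignored; a configMap that was only ever populated with the legacy keys will make this step fail with an opaque jq error. Consider a guard that names the missing key, e.g. `jq -er '.data.PYXIS_SSL_CERT_SECRET_NAME' <<< "${configMapJson}" || { echo "PYXIS_SSL_CERT_SECRET_NAME missing from configMap"; exit 1; }`, and list the required keys in the README changelog.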
Expand All @@ -75,9 +66,6 @@ spec:
echo -n "$PYXIS_URL" | tee "$(results.pyxis_url.path)"
echo -n "$SIG_KEY_ID" | tee "$(results.sig_key_id.path)"
echo -n "$SIG_KEY_NAME" | tee "$(results.sig_key_name.path)"
echo -n "$SSL_CERT_FILE_NAME" | tee "$(results.ssl_cert_file_name.path)"
echo -n "$SSL_CERT_SECRET_NAME" | tee "$(results.ssl_cert_secret_name.path)"
echo -n "$SSL_KEY_FILE_NAME" | tee "$(results.ssl_key_file_name.path)"
echo -n "$PYXIS_SSL_CERT_FILE_NAME" | tee "$(results.pyxis_ssl_cert_file_name.path)"
echo -n "$PYXIS_SSL_CERT_SECRET_NAME" | tee "$(results.pyxis_ssl_cert_secret_name.path)"
echo -n "$PYXIS_SSL_KEY_FILE_NAME" | tee "$(results.pyxis_ssl_key_file_name.path)"
Expand Up @@ -14,9 +14,6 @@ cat > "/tmp/configMap.json" << EOF
"PYXIS_URL": "https://pyxis.stage.engineering.redhat.com",
"SIG_KEY_ID": "4096R/37036783 SHA-256",
"SIG_KEY_NAME": "redhate2etesting",
"SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
"SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
"SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key",
"PYXIS_SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
"PYXIS_SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
"PYXIS_SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key",
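Review bot: the fixture reuses the same `hacbs-signing-pipeline*` values for the Pyxis keys that it previously carried under the generic `SSL_*` keys; giving the UMB entries distinct values in this fixture, if they are not already distinct further down, would let the test detect a swap between the two credential sets, which is exactly the regression this commit sets out to prevent.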
42 changes: 25 additions & 17 deletions tasks/request-and-upload-signature/README.md
Expand Up @@ -4,20 +4,28 @@ Task to request and upload signatures using RADAS and pyxis

## Parameters

| Name | Description | Optional | Default value |
|----------------------|-------------------------------------------------------------------------------------------------------|----------|-------------------------------------------------------|
| pipeline_image | An image with CLI tools needed for the signing. | Yes | quay.io/redhat-isv/operator-pipelines-images:released |
| manifest_digest | Manifest digest for the signed content, usually in the format sha256:xxx | No | - |
| reference | Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9 | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| sig_key_id | The signing key id that the content is signed with | Yes | 4096R/55A34A82 SHA-256 |
| sig_key_name | The signing key name that the content is signed with | Yes | containerisvsign |
| ssl_cert_secret_name | Kubernetes secret name that contains the umb SSL files | No | - |
| ssl_cert_file_name | The key within the Kubernetes secret that contains the umb SSL cert. | No | - |
| ssl_key_file_name | The key within the Kubernetes secret that contains the umb SSL key. | No | - |
| umb_client_name | Client name to connect to umb, usually a service account name | Yes | operatorpipelines |
| umb_listen_topic | umb topic to listen to for responses with signed content | Yes | VirtualTopic.eng.robosignatory.isv.sign |
| umb_publish_topic | umb topic to publish to for requesting signing | Yes | VirtualTopic.eng.operatorpipelines.isv.sign |
| umb_url | umb host to connect to for messaging | Yes | umb.api.redhat.com |
| pyxis_url | Pyxis instance to upload the signature to. | Yes | https://pyxis.engineering.redhat.com |
| signature_data_file | The file where the signing response should be placed | Yes | signing_response.json |
| Name | Description | Optional | Default value |
|----------------------------|-------------------------------------------------------------------------------------------------------|----------|-------------------------------------------------------|
| pipeline_image | An image with CLI tools needed for the signing. | Yes | quay.io/redhat-isv/operator-pipelines-images:released |
| manifest_digest | Manifest digest for the signed content, usually in the format sha256:xxx | No | - |
| reference | Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9 | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| sig_key_id | The signing key id that the content is signed with | Yes | 4096R/55A34A82 SHA-256 |
| sig_key_name | The signing key name that the content is signed with | Yes | containerisvsign |
| pyxis_ssl_cert_secret_name | Kubernetes secret name that contains the Pyxis SSL files | No | - |
| pyxis_ssl_cert_file_name | The key within the Kubernetes secret that contains the Pyxis SSL cert. | No | - |
| pyxis_ssl_key_file_name | The key within the Kubernetes secret that contains the Pyxis SSL key. | No | - |
| umb_client_name | Client name to connect to umb, usually a service account name | Yes | operatorpipelines |
| umb_listen_topic | umb topic to listen to for responses with signed content | Yes | VirtualTopic.eng.robosignatory.isv.sign |
| umb_publish_topic | umb topic to publish to for requesting signing | Yes | VirtualTopic.eng.operatorpipelines.isv.sign |
| umb_url | umb host to connect to for messaging | Yes | umb.api.redhat.com |
| umb_ssl_cert_secret_name | Kubernetes secret name that contains the umb SSL files | No | - |
| umb_ssl_cert_file_name | The key within the Kubernetes secret that contains the umb SSL cert. | No | - |
| umb_ssl_key_file_name | The key within the Kubernetes secret that contains the umb SSL key. | No | - |
| pyxis_url | Pyxis instance to upload the signature to. | Yes | https://pyxis.engineering.redhat.com |
| signature_data_file | The file where the signing response should be placed | Yes | signing_response.json |

## Changes in 1.0.0
* Replaced `ssl_cert_secret_name`, `ssl_cert_file_name` and `ssl_key_file_name` parameters with Pyxis and UMB
specific ones
* This allows us to use the stage version of one system with the prod version of the other
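Review bot: the changelog gives the motivation but not the migration; since all six new parameters are required ("Optional: No"), a sentence telling callers to map their old `ssl_cert_secret_name` to both `pyxis_ssl_cert_secret_name` and `umb_ssl_cert_secret_name` (and likewise for the cert and key file names) would save users a failed PipelineRun on upgrade.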
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: request-and-upload-signature
labels:
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/version: "1.0.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -37,14 +37,14 @@ spec:
description: The signing key name that the content is signed with
name: sig_key_name
type: string
- description: Kubernetes secret name that contains the umb SSL files
name: ssl_cert_secret_name
- description: Kubernetes secret name that contains the Pyxis SSL files
name: pyxis_ssl_cert_secret_name
type: string
- description: The key within the Kubernetes secret that contains the umb SSL cert.
name: ssl_cert_file_name
- description: The key within the Kubernetes secret that contains the Pyxis SSL cert.
name: pyxis_ssl_cert_file_name
type: string
- description: The key within the Kubernetes secret that contains the umb SSL key.
name: ssl_key_file_name
- description: The key within the Kubernetes secret that contains the Pyxis SSL key.
name: pyxis_ssl_key_file_name
type: string
- default: operatorpipelines
description: Client name to connect to umb, usually a service account name
Expand All @@ -62,6 +62,15 @@ spec:
description: umb host to connect to for messaging
name: umb_url
type: string
- description: Kubernetes secret name that contains the umb SSL files
name: umb_ssl_cert_secret_name
type: string
- description: The key within the Kubernetes secret that contains the umb SSL cert.
name: umb_ssl_cert_file_name
type: string
- description: The key within the Kubernetes secret that contains the umb SSL key.
name: umb_ssl_key_file_name
type: string
- default: https://pyxis.engineering.redhat.com
description: Pyxis instance to upload the signature to.
name: pyxis_url
Expand All @@ -78,13 +87,13 @@ spec:
- name: UmbCert
valueFrom:
secretKeyRef:
name: $(params.ssl_cert_secret_name)
key: $(params.ssl_cert_file_name)
name: $(params.umb_ssl_cert_secret_name)
key: $(params.umb_ssl_cert_file_name)
- name: UmbKey
valueFrom:
secretKeyRef:
name: $(params.ssl_cert_secret_name)
key: $(params.ssl_key_file_name)
name: $(params.umb_ssl_cert_secret_name)
key: $(params.umb_ssl_key_file_name)
- name: UMB_CERT_PATH
value: "/tmp/crt"
- name: UMB_KEY_PATH
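Review bot: the secret material is still delivered through `valueFrom: secretKeyRef` into environment variables (`UmbCert`, `UmbKey`) and then, judging by `UMB_CERT_PATH: "/tmp/crt"`, written out to `/tmp`; this predates the rename, but since these lines are being rewritten anyway, consider projecting the secret as a volume instead, because environment variables are inherited by every child process of the step and are readable from `/proc/<pid>/environ`, whereas a volume mount limits exposure to one file path. At minimum it is worth a follow-up issue.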
Expand Down Expand Up @@ -159,13 +168,13 @@ spec:
- name: PyxisCert
valueFrom:
secretKeyRef:
name: $(params.ssl_cert_secret_name)
key: $(params.ssl_cert_file_name)
name: $(params.pyxis_ssl_cert_secret_name)
key: $(params.pyxis_ssl_cert_file_name)
- name: PyxisKey
valueFrom:
secretKeyRef:
name: $(params.ssl_cert_secret_name)
key: $(params.ssl_key_file_name)
name: $(params.pyxis_ssl_cert_secret_name)
key: $(params.pyxis_ssl_key_file_name)
- name: PYXIS_CERT_PATH
value: "/tmp/pyxisCert"
- name: PYXIS_KEY_PATH
10 changes: 7 additions & 3 deletions tasks/request-and-upload-signature/tests/pre-apply-task-hook.sh
Expand Up @@ -6,6 +6,10 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
yq -i '.spec.steps[0].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH"
yq -i '.spec.steps[1].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[1].script' "$TASK_PATH"

# Create a dummy secret for ssl cert for UMB/pyxis interactions (and delete it first if it exists)
kubectl delete secret ssl-cert --ignore-not-found
kubectl create secret generic ssl-cert --from-literal=cert=mycert --from-literal=key=mykey
# Create a dummy secret for ssl cert for pyxis interactions (and delete it first if it exists)
kubectl delete secret pyxis-ssl-cert --ignore-not-found
kubectl create secret generic pyxis-ssl-cert --from-literal=cert=mypyxiscert --from-literal=key=mypyxiskey

# Create a dummy secret for ssl cert for UMB interactions (and delete it first if it exists)
kubectl delete secret umb-ssl-cert --ignore-not-found
kubectl create secret generic umb-ssl-cert --from-literal=cert=myumbcert --from-literal=key=myumbkey
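Review bot: the two dummy secrets get distinguishable contents (`mypyxiscert`/`mypyxiskey` versus `myumbcert`/`myumbkey`), which is the right setup for catching cross-wired credentials, but it only pays off if something checks them; make sure the mocked step scripts or a test assertion verify that the UMB step reads `myumbcert` and the Pyxis step reads `mypyxiscert`, otherwise a swapped `secretKeyRef` would still pass. Also, the hook no longer deletes the old `ssl-cert` secret, so a stale copy may linger on a reused test cluster; harmless, but a `kubectl delete secret ssl-cert --ignore-not-found` would tidy it up.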
Expand Up @@ -28,11 +28,11 @@ spec:
name: sig_key_id
- value: containerisvsign
name: sig_key_name
- name: ssl_cert_secret_name
value: ssl-cert
- name: ssl_cert_file_name
- name: pyxis_ssl_cert_secret_name
value: pyxis-ssl-cert
- name: pyxis_ssl_cert_file_name
value: cert
- name: ssl_key_file_name
- name: pyxis_ssl_key_file_name
value: key
- value: operatorpipelines
name: umb_client_name
Expand All @@ -42,6 +42,12 @@ spec:
name: umb_publish_topic
- value: umb.api.redhat.com
name: umb_url
- name: umb_ssl_cert_secret_name
value: umb-ssl-cert
- name: umb_ssl_cert_file_name
value: cert
- name: umb_ssl_key_file_name
value: key
- value: https://pyxis.engineering.redhat.com
name: pyxis_url
- name: signature_data_file
Expand Up @@ -25,11 +25,11 @@ spec:
name: sig_key_id
- value: containerisvsign
name: sig_key_name
- name: ssl_cert_secret_name
value: ssl-cert
- name: ssl_cert_file_name
- name: pyxis_ssl_cert_secret_name
value: pyxis-ssl-cert
- name: pyxis_ssl_cert_file_name
value: cert
- name: ssl_key_file_name
- name: pyxis_ssl_key_file_name
value: key
- value: operatorpipelines
name: umb_client_name
Expand All @@ -39,6 +39,12 @@ spec:
name: umb_publish_topic
- value: umb.api.redhat.com
name: umb_url
- name: umb_ssl_cert_secret_name
value: umb-ssl-cert
- name: umb_ssl_cert_file_name
value: cert
- name: umb_ssl_key_file_name
value: key
- value: https://pyxis.engineering.redhat.com
name: pyxis_url
- name: signature_data_file