feat(ISV-5130): add pipeline steps for SBOM upload #627

merged 2 commits into from
Jan 2, 2025
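--- a/pipelines/managed/rh-advisories/README.md
+++ b/pipelines/managed/rh-advisories/README.md
@@ -23,6 +23,14 @@ the rh-push-to-registry-redhat-io pipeline.
 | taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
 | taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
 
+## Changes in 1.7.0
+* Add collect-atlas-params task to fetch Atlas parameters from the RPA.
+* Add create-product-sbom task to create product-level SBOMs.
+* Add update-component-sbom task to update component-level SBOMs with release
+info.
+* Add upload-product-sbom task to push the product SBOM to Atlas.
+* Add upload-component-sbom task to push the component-level SBOMs to Atlas.
+
 ## Changes in 1.6.0
 * Add new parameter `schema` to the `check-data-keys` task.
 * Add new systems pyxis,mapping & signing to the task.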
126 changes: 125 additions & 1 deletion pipelines/managed/rh-advisories/rh-advisories.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: rh-advisories
labels:
app.kubernetes.io/version: "1.6.0"
app.kubernetes.io/version: "1.7.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -480,6 +480,61 @@ spec:
workspace: release-workspace
runAfter:
- create-pyxis-image
- name: update-component-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/update-component-sbom/update-component-sbom.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
params:
- name: sbomJsonPath
value: "$(tasks.populate-release-notes-images.results.sbomDataPath)"
- name: downloadedSbomPath
value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
runAfter:
- collect-data
- collect-atlas-params
- push-rpm-data-to-pyxis
- populate-release-notes-images
- name: upload-component-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
params:
- name: sbomDir
value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
- name: atlasSecretName
value: "$(tasks.collect-atlas-params.results.secretName)"
- name: ssoTokenUrl
value: "$(tasks.collect-atlas-params.results.ssoTokenUrl)"
- name: bombasticApiUrl
value: "$(tasks.collect-atlas-params.results.bombasticApiUrl)"
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/upload-sbom-to-atlas/upload-sbom-to-atlas.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
runAfter:
- update-component-sbom
- name: run-file-updates
params:
- name: fileUpdatesPath
Expand Down Expand Up @@ -533,6 +588,75 @@ spec:
workspace: release-workspace
runAfter:
- populate-release-notes-images
- name: collect-atlas-params
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/collect-atlas-params/collect-atlas-params.yaml
params:
- name: dataPath
value: "$(tasks.collect-data.results.data)"
workspaces:
- name: data
workspace: release-workspace
runAfter:
- collect-data
- name: create-product-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
params:
- name: dataJsonPath
value: "$(tasks.collect-data.results.data)"
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/create-product-sbom/create-product-sbom.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
runAfter:
- collect-atlas-params
- populate-release-notes-images
- name: upload-product-sbom
when:
- input: "$(tasks.collect-atlas-params.results.secretName)"
operator: notin
values: [""]
params:
- name: sbomDir
value: "$(tasks.create-product-sbom.results.productSBOMPath)"
- name: atlasSecretName
value: "$(tasks.collect-atlas-params.results.secretName)"
- name: ssoTokenUrl
value: "$(tasks.collect-atlas-params.results.ssoTokenUrl)"
- name: bombasticApiUrl
value: "$(tasks.collect-atlas-params.results.bombasticApiUrl)"
taskRef:
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: tasks/upload-sbom-to-atlas/upload-sbom-to-atlas.yaml
resolver: git
workspaces:
- name: data
workspace: release-workspace
runAfter:
- create-product-sbom
- name: create-advisory
retries: 5
params:
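Review bot: The new collect-atlas-params entry writes its taskRef in a different shape from the four other new task entries in this file — `resolver: "git"` quoted and placed before `params`, while update-component-sbom, upload-component-sbom, create-product-sbom and upload-product-sbom all put an unquoted `resolver: git` after `params`; pick one form for the file. The `runAfter` list of update-component-sbom also names `collect-data` next to `collect-atlas-params`, which itself already runs after collect-data, so the extra entry is redundant and can be dropped. All four gated tasks key on `$(tasks.collect-atlas-params.results.secretName)` being non-empty, which is a sensible single switch, but it silently assumes bombasticApiUrl and ssoTokenUrl are set whenever secretName is; the task sets all three together today, so this only holds as long as that stays true. The run-file-updates and create-advisory entries at the hunk edges continue outside the hunks.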
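--- a/schema/dataKeys.json
+++ b/schema/dataKeys.json
@@ -331,6 +331,20 @@
 }
 }
 },
+"atlas": {
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"server": {
+"type": "string",
+"description": "The release Atlas server to push SBOMs to",
+"enum": [
+"stage",
+"production"
+]
+}
+}
+},
 "slack": {
 "type": "object",
 "properties": {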
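Review bot: The new `atlas` object constrains `server` to an enum but does not require it, so `"atlas": {}` passes schema validation and is then indistinguishable downstream from having no Atlas configuration at all — the collect-atlas-params step reads `.atlas.server`, gets null, and treats that as "skip the push". If an `atlas` block without a `server` is a configuration mistake rather than a deliberate opt-out, add `"required": ["server"]` next to `"additionalProperties": false` so check-data-keys rejects it up front instead of the SBOM upload being skipped quietly. The enclosing properties object starts and ends outside the hunk.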
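--- /dev/null
+++ b/tasks/collect-atlas-params/README.md
@@ -0,0 +1,13 @@
+# collect-atlas-params
+
+Tekton task that collects the Atlas server option from the data file. Based on
+the value of the "atlas.server" field ("stage" or "production"), outputs results
+used to push SBOMs to Atlas. If no Atlas fields are present in the RPA, it
+outputs empty strings as results, indicating that the Atlas push should be
+skipped.
+
+## Parameters
+
+| Name | Description | Optional | Default value |
+|----------|----------------------------------------------------------------------------------------------------------------|----------|---------------|
+| dataPath | Path to the merged data JSON file generated by collect-data task and containing the Atlas configuration option | No | - |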
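--- /dev/null
+++ b/tasks/collect-atlas-params/collect-atlas-params.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+name: collect-atlas-params
+labels:
+app.kubernetes.io/version: "0.1.0"
+annotations:
+tekton.dev/pipelines.minVersion: "0.12.1"
+tekton.dev/tags: release
+spec:
+description: >-
+Tekton task that collects Atlas API configuration options from the data file.
+params:
+- name: dataPath
+type: string
+description: |
+Path to the JSON string of the merged data containing the Atlas config.
+workspaces:
+- name: data
+results:
+- name: bombasticApiUrl
+type: string
+description: |
+URL of the bombastic API.
+- name: ssoTokenUrl
+type: string
+description: |
+URL of the SSO token issuer.
+- name: secretName
+type: string
+description: |
+The kubernetes secret to use to authenticate to bombastic.
+steps:
+- name: collect-atlas-params
+image:
+quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
+script: |
+#!/usr/bin/env bash
+set -x
+
+DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
+if [ ! -f "${DATA_FILE}" ] ; then
+echo "ERROR: No valid data file was provided."
+exit 1
+fi
+
+atlasServer=$(jq -r '.atlas.server' "$DATA_FILE")
+if [ "$atlasServer" = "null" ]; then
+# In this case, SBOM processing will be skipped.
+bombasticApiUrl=""
+ssoTokenUrl=""
+secretName=""
+elif [ "$atlasServer" = "stage" ]; then
+bombasticApiUrl="https://sbom.atlas.release.stage.devshift.net"
+ssoTokenUrl="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
+secretName="atlas-staging-sso-secret"
+elif [ "$atlasServer" = "production" ]; then
+bombasticApiUrl="https://sbom.atlas.release.devshift.net"
+ssoTokenUrl="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
+secretName="atlas-prod-sso-secret"
+else
+echo "ERROR: Unknown .atlas.server value '$atlasServer'. Expected 'stage' or 'production'."
+exit 1
+fi
+
+echo -n "$bombasticApiUrl" > "$(results.bombasticApiUrl.path)"
+echo -n "$ssoTokenUrl" > "$(results.ssoTokenUrl.path)"
+echo -n "$secretName" > "$(results.secretName.path)"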
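Review bot: The step script runs under `set -x` only, while the new test pipelines use `set -eux`; without `-e`, a malformed data file makes `jq` fail, `atlasServer` becomes the empty string, and the step exits through the else branch with the misleading message `Unknown .atlas.server value ''` rather than the jq parse error. Change `set -x` to `set -eux` so the real failure surfaces and the script matches the rest of the change. The secret names `atlas-staging-sso-secret` and `atlas-prod-sso-secret` are fixed here and, as far as this hunk shows, nothing checks that the named secret exists in the namespace — presumably that only fails later in the upload task — so the task README would benefit from a sentence listing the three results and stating that the selected secret must be present wherever the pipeline runs. Minor: the three result `description` fields use `|` and so carry a trailing newline, whereas the spec-level description uses `>-`; `>-` on all four would be consistent.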
@@ -0,0 +1,45 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-collect-atlas-params-bad-value
annotations:
test/assert-task-failure: "run-task"
spec:
description: |
Run the collect-atlas-params task with a bad value as atlasServer.
workspaces:
- name: tests-workspace
tasks:
- name: setup
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
workspaces:
- name: data
steps:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
script: |
#!/usr/bin/env bash
set -eux

cat > "$(workspaces.data.path)/data.json" << EOF
{
"atlas": {
"server": "invalid"
}
}
EOF
- name: run-task
taskRef:
name: collect-atlas-params
params:
- name: dataPath
value: data.json
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- setup
@@ -0,0 +1,66 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-collect-atlas-params-nonexistent
spec:
description: |
Run the collect-atlas-params task with a missing atlasServer key.
workspaces:
- name: tests-workspace
tasks:
- name: setup
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
workspaces:
- name: data
steps:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
script: |
#!/usr/bin/env bash
set -eux
echo "{}" > "$(workspaces.data.path)/data.json"
- name: run-task
taskRef:
name: collect-atlas-params
params:
- name: dataPath
value: data.json
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- setup
- name: check-result
params:
- name: secretName
value: $(tasks.run-task.results.secretName)
- name: ssoTokenUrl
value: $(tasks.run-task.results.ssoTokenUrl)
- name: bombasticApiUrl
value: $(tasks.run-task.results.bombasticApiUrl)
taskSpec:
params:
- name: secretName
- name: ssoTokenUrl
- name: bombasticApiUrl
steps:
- name: check-result
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
env:
- name: "SECRET_NAME"
value: '$(params.secretName)'
- name: "SSO_TOKEN_URL"
value: '$(params.ssoTokenUrl)'
- name: "BOMBASTIC_API_URL"
value: '$(params.bombasticApiUrl)'
script: |
#!/usr/bin/env bash
set -eux

test "$SECRET_NAME" = ""
test "$SSO_TOKEN_URL" = ""
test "$BOMBASTIC_API_URL" = ""
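Review bot: The `env` block in check-result mixes double-quoted names (`- name: "SECRET_NAME"`) with single-quoted values (`value: '$(params.secretName)'`); neither needs quoting and the rest of this file leaves plain scalars bare, so `- name: SECRET_NAME` with `value: $(params.secretName)` would read consistently. The assertions correctly pin the empty-string results for the missing-key case. I do not see a companion test in this view that asserts the stage and production URLs and secret names emitted by the task; if none exists, one would guard the hard-coded values against accidental edits.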