

Get verify-enterprise-contract task working
- Do some handling of the Rekor options
- Pull in the public key from the environment var created from the
  credential as it is done in the build pipeline.
- Fix some bash typos and syntax errors
- Use a different location for the /tmp/all-images.txt since my
  Jenkins user was not permitted to write to /tmp.
- Add a way to provide your own list of images to verify to help
  debug the ec verification.
- Use github url for configuration instead of a named ECP cluster
  record

See also konflux-ci/build-definitions#1240
which back-ports one of the changes introduced here to the
original source of the gather-deploy-images task.

Ref: https://issues.redhat.com/browse/EC-745
simonbaird committed Aug 5, 2024
1 parent 1de8d1c commit a646269
Showing 8 changed files with 87 additions and 36 deletions.
5 changes: 4 additions & 1 deletion Jenkinsfile.gitops
Expand Up @@ -4,6 +4,9 @@ library identifier: 'RHTAP_Jenkins@main', retriever: modernSCM(

pipeline {
agent any
environment {
COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
}
stages {
stage('Compute Image Changes') {
steps {
Expand All @@ -16,7 +19,7 @@ pipeline {
stage('verify EC') {
steps {
script {
rhtap.info ("Validate Enteprise Contract")
rhtap.info ("Validate Enterprise Contract")
rhtap.verify_enterprise_contract()
}
}
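Review bot: The `COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')` binding sits in the pipeline-level `environment` block, which makes the credential available to every stage and every `sh` step, while the only consumer visible here is the 'verify EC' stage. Moving it into a stage-level `environment { COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY') }` inside `stage('verify EC')` limits exposure to the step that needs it; the same applies to the identical block added to Jenkinsfile.gitops-local-shell. Since rhtap/verify-enterprise-contract.sh decodes this value with `base64 -d`, a short comment next to the binding stating that the credential must hold the base64-encoded public key would save the next person a failed run.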
5 changes: 4 additions & 1 deletion Jenkinsfile.gitops-local-shell
@@ -1,5 +1,8 @@
pipeline {
agent any
environment {
COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
}
stages {
stage('Compute Image Changes') {
steps {
Expand All @@ -9,7 +12,7 @@ pipeline {
}
stage('verify EC') {
steps {
echo 'Validate Enteprise Contract.'
echo 'Validate Enterprise Contract.'
sh "rhtap/verify-enterprise-contract.sh"
}
}
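--- a/hack/show-image-ref
+++ b/hack/show-image-ref
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+# For testing verify-enterprise-contract you can do this:
+# $ export MY_IMAGES_TO_VERIFY=$(hack/show-image-ref.sh)
+# $ bash promote-pipeline.sh
+
+IMAGE_URL=$(cat results/buildah-rhtap/IMAGE_URL)
+IMAGE_DIGEST=$(cat results/buildah-rhtap/IMAGE_DIGEST)
+echo "${IMAGE_URL%:*}@${IMAGE_DIGEST}"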
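Review bot: The usage comment points at `hack/show-image-ref.sh`, but the file added here is `hack/show-image-ref` with no extension, so copying the example as written fails; change it to `# $ export MY_IMAGES_TO_VERIFY=$(hack/show-image-ref)`. The `${IMAGE_URL%:*}` expansion strips everything after the last colon, which is right for `registry/repo:tag` but would also cut the port from an untagged `registry:5000/repo`; that is probably fine for buildah-rhtap output, but a comment stating the assumed `repo:tag` form would make the assumption explicit. `$(< results/buildah-rhtap/IMAGE_URL)` reads the two result files without forking `cat`.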
12 changes: 11 additions & 1 deletion promote-pipeline.sh
Expand Up @@ -18,12 +18,22 @@ fi

SETUP_ENV=rhtap/env.sh
cp rhtap/env.template.sh $SETUP_ENV
sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
sed -i "s!\${{ values.image }}!quay.io/\${MY_QUAY_USER:-jduimovich0}/bootstrap!g" $SETUP_ENV
sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
sed -i "s!\${{ values.repoURL }}!!g" $SETUP_ENV

# Set MY_REKOR_HOST and MY_TUF_MIRROR to 'none' if these services are not available
sed -i 's!export REKOR_HOST=.*$!export REKOR_HOST="\${MY_REKOR_HOST:-http://rekor-server.rhtap.svc}"!' $SETUP_ENV
sed -i 's!export TUF_MIRROR=.*$!export TUF_MIRROR="\${MY_TUF_MIRROR:-http://tuf.rhtap.svc}"!' $SETUP_ENV

source $SETUP_ENV
cat $SETUP_ENV
# When running in Jenkins the secret values will be read from credentials
# Todo: We need to restrict access to the signing secret. Here we need only
# the public key, the rest of the secret should not be visible at all.
SIGNING_SECRET_ENV=rhtap/signing-secret-env.sh
source $SIGNING_SECRET_ENV

COUNT=0

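Review bot: `source $SIGNING_SECRET_ENV` loads the whole signing secret into this shell, so if the file also carries the private key (as the TODO above it suggests) that material is exported into the environment of every later command in the script, not just the verification step that needs the public key. Sourcing it in a subshell and exporting only the needed variable keeps the rest out of the environment: `COSIGN_PUBLIC_KEY=$( . "$SIGNING_SECRET_ENV" && printf '%s' "$COSIGN_PUBLIC_KEY" )` followed by `export COSIGN_PUBLIC_KEY` — assuming the file defines that name, which is what the Jenkins credential binding and rhtap/verify-enterprise-contract.sh both read. Both `source` lines should also quote the path and fail loudly when the file is absent, e.g. `[[ -r "$SIGNING_SECRET_ENV" ]] || { echo "missing $SIGNING_SECRET_ENV" >&2; exit 1; }`, since a silently missing file leaves COSIGN_PUBLIC_KEY unset until `base64 -d` fails much later with a less helpful message. The enclosing script starts and ends outside this hunk.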
2 changes: 1 addition & 1 deletion rhtap/env.sh
Expand Up @@ -31,7 +31,7 @@ export SOURCE_BUILD_RESULT_FILE=

export TARGET_BRANCH=""
# enterprise contract
export POLICY_CONFIGURATION="enterprise-contract-service/default"
export POLICY_CONFIGURATION="github.com/enterprise-contract/config//rhtap-jenkins"
#internal, assumes jenkins is local openshift
export REKOR_HOST="${MY_REKOR_HOST:-http://rekor-server.rhtap.svc}"
export IGNORE_REKOR=false
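Review bot: The new `POLICY_CONFIGURATION` value `github.com/enterprise-contract/config//rhtap-jenkins` carries no ref, so which policy rules are enforced is decided by whatever that repository's default branch holds at run time; two runs of the same commit can produce different verification results, and a change upstream changes the gate without any change to this repo. If the URL form `ec` accepts allows a ref (the go-getter style `//rhtap-jenkins?ref=<tag-or-sha>` should — please confirm against the ec docs), pinning it here and bumping deliberately keeps the gate reproducible; the identical line in rhtap/env.template.sh has the same issue. Failing that, a comment on the line such as `# policy is fetched unpinned from the upstream config repo on every run` makes the trade-off visible to whoever reads the results.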
2 changes: 1 addition & 1 deletion rhtap/env.template.sh
Expand Up @@ -31,7 +31,7 @@ export SOURCE_BUILD_RESULT_FILE=

export TARGET_BRANCH=""
# enterprise contract
export POLICY_CONFIGURATION="enterprise-contract-service/default"
export POLICY_CONFIGURATION="github.com/enterprise-contract/config//rhtap-jenkins"
#internal, assumes jenkins is local openshift
export REKOR_HOST=http://rekor-server.rhtap.svc
export IGNORE_REKOR=false
17 changes: 13 additions & 4 deletions rhtap/gather-deploy-images.sh
Expand Up @@ -11,6 +11,7 @@ function get-images-per-env() {
set -euo pipefail

IMAGE_PATH='.spec.template.spec.containers[0].image'
IMAGES_FILE=$HOMEDIR/all-images.txt
component_name=$(yq .metadata.name application.yaml)

for env in development stage prod; do
Expand All @@ -26,9 +27,17 @@ function get-images-per-env() {
fi

printf "%s\n" "$image"
done | sort -u > /tmp/all-images.txt

if [ ! -s /tmp/all-images.txt ]; then
done | sort -u > "$IMAGES_FILE"

# For development purposes, allow injecting your own list of images
# (Let's remove this when copying the changes to redhat-appstudio/tssc-sample-jenkins)
if [ -n "${MY_IMAGES_TO_VERIFY:-}" ]; then
for image in ${MY_IMAGES_TO_VERIFY}; do
printf "%s\n" "$image"
done > "$IMAGES_FILE"
fi

if [ ! -s "$IMAGES_FILE" ]; then
echo "No images to verify"
touch $RESULTS/IMAGES_TO_VERIFY
exit 0
Expand All @@ -37,7 +46,7 @@ function get-images-per-env() {
# TODO: each component needs a {"source": {"git": {"url": "...", "revision": "..."}}}
# will that be too large for Tekton results?

jq --compact-output --raw-input --slurp < /tmp/all-images.txt '
jq --compact-output --raw-input --slurp < "$IMAGES_FILE" '
# split input file
split("\n") |
# drop empty lines
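Review bot: The `MY_IMAGES_TO_VERIFY` override silently replaces the gathered image list with whatever is in the environment, so if that variable is ever set in a CI job the gate verifies different images than the ones deployed and the only trace is the contents of `$IMAGES_FILE`. Since the comment marks it as a development aid, make it loud: add `echo "WARNING: MY_IMAGES_TO_VERIFY is set; verifying these instead of the gathered images" >&2` before the loop, and the loop itself can be `printf '%s\n' ${MY_IMAGES_TO_VERIFY} > "$IMAGES_FILE"` (the unquoted expansion is the intended word splitting, worth a `# shellcheck disable=SC2086` note). The hunk header names get-images-per-env, but these lines read as top-level script body; either way the enclosing scope starts and ends outside the hunk.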
70 changes: 43 additions & 27 deletions rhtap/verify-enterprise-contract.sh
@@ -1,22 +1,21 @@
#!/bin/bash
SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# verify-enterprise-contract
source $SCRIPTDIR/common.sh

# Top level parameters

function version() {
echo "Running $TASK_NAME:version"
ec version
ec version
}

function initialize-tuf() {
echo "Running $TASK_NAME:initialize-tuf"
set -euo pipefail
if [[ -z "${TUF_MIRROR:-}" ]]; then
echo 'TUF_MIRROR not set. Skipping TUF root initialization.'
else

if [[ -z "${TUF_MIRROR:-}" || "${TUF_MIRROR:-}" = "none" ]]; then
echo 'TUF_MIRROR not set or set to "none". Skipping TUF root initialization.'
else
echo 'Initializing TUF root...'
cosign initialize --mirror "${TUF_MIRROR}" --root "${TUF_MIRROR}/root.json"
echo 'Done!'
Expand All @@ -25,57 +24,74 @@ function initialize-tuf() {

function validate() {
echo "Running $TASK_NAME:validate"

IMAGES=$(cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY)
echo "Images to Verify "
cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY | jq
ec "$IMAGES" \
echo "Images to verify: "
echo "$IMAGES" | jq
echo -n "Policy used: "
echo "$POLICY_CONFIGURATION"
echo -n "Rekor URL: "
echo "$REKOR_HOST"

if [ -n "$REKOR_HOST" -a "$REKOR_HOST" != "none" -a "$IGNORE_REKOR" != "true" ]; then
REKOR_OPT="--rekor-url=$REKOR_HOST"
else
REKOR_OPT="--ignore-rekor"
fi

PUBLIC_KEY=$(base64 -d <<< "$COSIGN_PUBLIC_KEY")

ec validate image \
"--images" \
"$IMAGES" \
"--policy" \
"$POLICY_CONFIGURATION" \
"--public-key" \
"$PUBLIC_KEY" \
"--rekor-url" \
"$REKOR_HOST" \
"--ignore-rekor=$IGNORE_REKOR" \
<(echo "$PUBLIC_KEY") \
"$REKOR_OPT" \
"--info=$INFO" \
"--strict=false" \
"--show-successes" \
"--effective-time=$EFFECTIVE_TIME \
"--output" \
"--effective-time=$EFFECTIVE_TIME" \
"--output" \
"yaml=$HOMEDIR/report.yaml" \
"--output" \
"appstudio=$RESULTS/TEST_OUTPUT" \
"--output" \
"json=$HOMEDIR/report-json.json"
"json=$HOMEDIR/report-json.json" \
"--output" \
"text"
}

function report() {
echo "Running $TASK_NAME:report"
cat "$HOMEDIR/report.yaml"
cat "$HOMEDIR/report.yaml"
}

function report-json() {
echo "Running $TASK_NAME:report-json"
cat "$HOMEDIR/report-json.json"
cat "$HOMEDIR/report-json.json"
}

function summary() {
echo "Running $TASK_NAME:summary"
jq "." "$RESULTS/TEST_OUTPUT"
jq "." "$RESULTS/TEST_OUTPUT"
}

function assert() {
echo "Running $TASK_NAME:assert"
jq --argjson strict "$STRICT" -e" \
".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n" \
"$RESULTS/TEST_OUTPUT"
jq --argjson strict "$STRICT" -e \
".result == \"SUCCESS\" or .result == \"WARNING\" or (\$strict | not)" \
"$RESULTS/TEST_OUTPUT"
}
# Task Steps

# Task Steps
version
initialize-tuf
validate
report
report-json
summary
assert
assert

exit_with_success_result
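Review bot: In `validate`, the Rekor gate `[ -n "$REKOR_HOST" -a "$REKOR_HOST" != "none" -a "$IGNORE_REKOR" != "true" ]` uses the deprecated `-a` operator, and when it falls through to `--ignore-rekor` the transparency-log check is dropped with nothing in the log saying so; write it as `if [[ -n "$REKOR_HOST" && "$REKOR_HOST" != "none" && "$IGNORE_REKOR" != "true" ]]; then` and print the chosen option next to the existing "Rekor URL:" line, e.g. `echo "Rekor option: $REKOR_OPT"`, so a run that skipped the log check is visible in the output. `PUBLIC_KEY=$(base64 -d <<< "$COSIGN_PUBLIC_KEY")` assumes the credential is base64-encoded PEM, which is stated nowhere in this file; a comment above it such as `# COSIGN_PUBLIC_KEY holds the base64-encoded public key (see the Jenkins credential binding)` would help. Note that the `set -euo pipefail` inside `initialize-tuf` is shell-wide, so from that step on an unset `REKOR_HOST` or `IGNORE_REKOR` (if rhtap/env.sh was not sourced) aborts on the test line with an "unbound variable" error instead of reaching the fallback; `${REKOR_HOST:-}` and `${IGNORE_REKOR:-}` in the condition keep that path reachable. `--strict=false` means `ec` itself exits successfully on policy failures and only the later `assert` step (driven by `$STRICT`) decides the outcome, which deserves a one-line comment at that argument since it is the thing a reader is most likely to misread as weakening the gate.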
