diff --git a/Jenkinsfile.gitops b/Jenkinsfile.gitops
index 9780247..cd79dbf 100644
--- a/Jenkinsfile.gitops
+++ b/Jenkinsfile.gitops
@@ -4,6 +4,9 @@ library identifier: 'RHTAP_Jenkins@main', retriever: modernSCM(
 pipeline { agent any + environment { + COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY') + } stages { stage('Compute Image Changes') { steps {
@@ -16,7 +19,7 @@ pipeline {
 stage('verify EC') {
 steps {
 script {
- rhtap.info ("Validate Enteprise Contract")
+ rhtap.info ("Validate Enterprise Contract")
 rhtap.verify_enterprise_contract()
 }
 }
diff --git a/Jenkinsfile.gitops-local-shell b/Jenkinsfile.gitops-local-shell
index b0800d8..06ab6dc 100644
--- a/Jenkinsfile.gitops-local-shell
+++ b/Jenkinsfile.gitops-local-shell
@@ -1,5 +1,8 @@
 pipeline {
 agent any
+ environment {
+ COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+ }
 stages {
 stage('Compute Image Changes') {
 steps {
@@ -9,7 +12,7 @@ pipeline {
 }
 stage('verify EC') {
 steps {
- echo 'Validate Enteprise Contract.'
+ echo 'Validate Enterprise Contract.'
 sh "rhtap/verify-enterprise-contract.sh"
 }
 }
diff --git a/hack/show-image-ref b/hack/show-image-ref
new file mode 100755
index 0000000..57b34b6
--- /dev/null
+++ b/hack/show-image-ref
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+# For testing verify-enterprise-contract you can do this:
+# $ export MY_IMAGES_TO_VERIFY=$(hack/show-image-ref.sh)
+# $ bash promote-pipeline.sh
+
+IMAGE_URL=$(cat results/buildah-rhtap/IMAGE_URL)
+IMAGE_DIGEST=$(cat results/buildah-rhtap/IMAGE_DIGEST)
+echo "${IMAGE_URL%:*}@${IMAGE_DIGEST}"
diff --git a/promote-pipeline.sh b/promote-pipeline.sh
index 0930f8c..7c24522 100644
--- a/promote-pipeline.sh
+++ b/promote-pipeline.sh
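Review bot: The `COSIGN_PUBLIC_KEY` credential added to the `environment` block is consumed by `rhtap/verify-enterprise-contract.sh` through `base64 -d`, but nothing here records that the stored credential must be the base64-encoded PEM public key rather than the PEM text itself; a mis-provisioned credential would surface only as a decode failure at verify time. A comment above `COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')` such as `// Secret Text credential holding the base64-encoded cosign public key (PEM); decoded in rhtap/verify-enterprise-contract.sh` would make the contract visible where the credential is bound. The same applies to the identical block added in Jenkinsfile.gitops-local-shell. The enclosing `pipeline` block continues outside the hunk.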
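Review bot: The usage comment in the new hack/show-image-ref points at `hack/show-image-ref.sh`, but the file added here has no `.sh` suffix, so the documented command cannot run as written; change it to `# $ export MY_IMAGES_TO_VERIFY=$(hack/show-image-ref)`. Separately, `${IMAGE_URL%:*}` removes everything from the last `:`, which is the tag when one is present but would remove a registry port from an untagged reference like `registry:5000/repo` (constructed example); a comment stating that `results/buildah-rhtap/IMAGE_URL` is assumed to carry a tag would make that assumption explicit. The two `cat` expansions should be quoted, `IMAGE_URL=$(cat "results/buildah-rhtap/IMAGE_URL")`, for consistency with the quoting elsewhere in this change.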
@@ -18,12 +18,22 @@ fi
 SETUP_ENV=rhtap/env.sh cp rhtap/env.template.sh $SETUP_ENV -sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV +sed -i "s!\${{ values.image }}!quay.io/\${MY_QUAY_USER:-jduimovich0}/bootstrap!g" $SETUP_ENV sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV sed -i "s!\${{ values.repoURL }}!!g" $SETUP_ENV + +# Set MY_REKOR_HOST and MY_TUF_MIRROR to 'none' if these services are not available +sed -i 's!export REKOR_HOST=.*$!export REKOR_HOST="\${MY_REKOR_HOST:-http://rekor-server.rhtap.svc}"!' $SETUP_ENV +sed -i 's!export TUF_MIRROR=.*$!export TUF_MIRROR="\${MY_TUF_MIRROR:-http://tuf.rhtap.svc}"!' $SETUP_ENV + source $SETUP_ENV cat $SETUP_ENV +# When running in Jenkins the secret values will be read from credentials +# Todo: We need to restrict access to the signing secret. Here we need only +# the public key, the rest of the secret should not be visible at all. +SIGNING_SECRET_ENV=rhtap/signing-secret-env.sh +source $SIGNING_SECRET_ENV COUNT=0
diff --git a/rhtap/env.sh b/rhtap/env.sh
index 6b981a6..0bcf62b 100755
--- a/rhtap/env.sh
+++ b/rhtap/env.sh
@@ -31,7 +31,7 @@ export SOURCE_BUILD_RESULT_FILE=
 export TARGET_BRANCH="" # enterprise contract -export POLICY_CONFIGURATION="enterprise-contract-service/default" +export POLICY_CONFIGURATION="github.com/enterprise-contract/config//rhtap-jenkins" #internal, assumes jenkins is local openshift export REKOR_HOST="${MY_REKOR_HOST:-http://rekor-server.rhtap.svc}" export IGNORE_REKOR=false
diff --git a/rhtap/env.template.sh b/rhtap/env.template.sh
index b0162bb..e4e8f9b 100755
--- a/rhtap/env.template.sh
+++ b/rhtap/env.template.sh
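Review bot: The new `sed` on the `values.image` line bakes a personal Quay namespace, `jduimovich0`, into `rhtap/env.sh` as the fallback whenever `MY_QUAY_USER` is unset, so a run on a machine without that variable silently builds and verifies against someone else's registry account instead of failing; writing `\${MY_QUAY_USER:?MY_QUAY_USER must be set}` into the replacement would make the sourced file fail fast. The later `source $SIGNING_SECRET_ENV` is unconditional, so if `rhtap/signing-secret-env.sh` is absent (the comment suggests Jenkins supplies the values through credentials) the script stops here with a generic sourcing error; `[[ -f "$SIGNING_SECRET_ENV" ]] || { echo "missing $SIGNING_SECRET_ENV" >&2; exit 1; }` before the `source` would name the problem. Sourcing that file also places the entire signing secret in the environment of every subsequent command, as the Todo already notes; since only the public key is needed, extracting just `COSIGN_PUBLIC_KEY` from it would close that exposure. The script begins before this hunk, so whether `set -e` is active at this point is not visible.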
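Review bot: The new `POLICY_CONFIGURATION` value `github.com/enterprise-contract/config//rhtap-jenkins` carries no revision, so each run fetches whatever that repository's default branch holds at the moment of the run; a policy change upstream, or a compromise of that repository, silently changes what `ec validate image` accepts, and two runs are not reproducible against each other. Pin the source to a tag or commit (a `?ref=` query if the source syntax ec accepts supports it, otherwise a vendored copy) and add a comment naming the policy revision that was reviewed. The same unpinned reference is introduced in rhtap/env.template.sh; promote-pipeline.sh regenerates env.sh from the template with `cp rhtap/env.template.sh $SETUP_ENV`, so the two should change together.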
@@ -31,7 +31,7 @@ export SOURCE_BUILD_RESULT_FILE=
 export TARGET_BRANCH="" # enterprise contract -export POLICY_CONFIGURATION="enterprise-contract-service/default" +export POLICY_CONFIGURATION="github.com/enterprise-contract/config//rhtap-jenkins" #internal, assumes jenkins is local openshift export REKOR_HOST=http://rekor-server.rhtap.svc export IGNORE_REKOR=false
diff --git a/rhtap/gather-deploy-images.sh b/rhtap/gather-deploy-images.sh
index 03ff413..b15b55a 100755
--- a/rhtap/gather-deploy-images.sh
+++ b/rhtap/gather-deploy-images.sh
@@ -11,6 +11,7 @@ function get-images-per-env() {
 set -euo pipefail IMAGE_PATH='.spec.template.spec.containers[0].image' + IMAGES_FILE=$HOMEDIR/all-images.txt component_name=$(yq .metadata.name application.yaml) for env in development stage prod; do
@@ -26,9 +27,17 @@ function get-images-per-env() {
 fi printf "%s\n" "$image" - done | sort -u > /tmp/all-images.txt - - if [ ! -s /tmp/all-images.txt ]; then + done | sort -u > "$IMAGES_FILE" + + # For development purposes, allow injecting your own list of images + # (Let's remove this when copying the changes to redhat-appstudio/tssc-sample-jenkins) + if [ -n "${MY_IMAGES_TO_VERIFY:-}" ]; then + for image in ${MY_IMAGES_TO_VERIFY}; do + printf "%s\n" "$image" + done > "$IMAGES_FILE" + fi + + if [ ! -s "$IMAGES_FILE" ]; then echo "No images to verify" touch $RESULTS/IMAGES_TO_VERIFY exit 0
@@ -37,7 +46,7 @@ function get-images-per-env() {
 # TODO: each component needs a {"source": {"git": {"url": "...", "revision": "..."}}}
 # will that be too large for Tekton results?
- jq --compact-output --raw-input --slurp < /tmp/all-images.txt '
+ jq --compact-output --raw-input --slurp < "$IMAGES_FILE" '
 # split input file
 split("\n") |
 # drop empty lines
diff --git a/rhtap/verify-enterprise-contract.sh b/rhtap/verify-enterprise-contract.sh
index 1b1391e..10dd2f9 100755
--- a/rhtap/verify-enterprise-contract.sh
+++ b/rhtap/verify-enterprise-contract.sh
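Review bot: The `MY_IMAGES_TO_VERIFY` block silently replaces the image list derived from the deployment manifests whenever that variable is present, and nothing in the output shows that the override was used; since this list is what Enterprise Contract verification gates on, a run with the variable set is indistinguishable in the logs from a genuine one. Print a visible line before overwriting, e.g. `echo "WARNING: overriding gathered images with MY_IMAGES_TO_VERIFY" >&2`, so the override is recognisable in Jenkins output, and keep the comment's reminder to drop the block before the code is copied elsewhere. The unquoted `${MY_IMAGES_TO_VERIFY}` in the `for` is deliberate word-splitting of a whitespace-separated list; a `# shellcheck disable=SC2086` line with that reason would stop it reading as an oversight. In the first hunk `IMAGES_FILE=$HOMEDIR/all-images.txt` should be quoted to match the later `"$IMAGES_FILE"` uses. `get-images-per-env` starts before these hunks and continues after them.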
@@ -1,22 +1,21 @@
 #!/bin/bash SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" + # verify-enterprise-contract source $SCRIPTDIR/common.sh -# Top level parameters - function version() { echo "Running $TASK_NAME:version" - ec version + ec version } function initialize-tuf() { echo "Running $TASK_NAME:initialize-tuf" set -euo pipefail - - if [[ -z "${TUF_MIRROR:-}" ]]; then - echo 'TUF_MIRROR not set. Skipping TUF root initialization.' - else + + if [[ -z "${TUF_MIRROR:-}" || "${TUF_MIRROR:-}" = "none" ]]; then + echo 'TUF_MIRROR not set or set to "none". Skipping TUF root initialization.' + else echo 'Initializing TUF root...' cosign initialize --mirror "${TUF_MIRROR}" --root "${TUF_MIRROR}/root.json" echo 'Done!'
@@ -25,57 +24,74 @@ function initialize-tuf() {
 function validate() { echo "Running $TASK_NAME:validate" - + IMAGES=$(cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY) - echo "Images to Verify " - cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY | jq - ec "$IMAGES" \ + echo "Images to verify: " + echo "$IMAGES" | jq + echo -n "Policy used: " + echo "$POLICY_CONFIGURATION" + echo -n "Rekor URL: " + echo "$REKOR_HOST" + + if [ -n "$REKOR_HOST" -a "$REKOR_HOST" != "none" -a "$IGNORE_REKOR" != "true" ]; then + REKOR_OPT="--rekor-url=$REKOR_HOST" + else + REKOR_OPT="--ignore-rekor" + fi + + PUBLIC_KEY=$(base64 -d <<< "$COSIGN_PUBLIC_KEY") + + ec validate image \ + "--images" \ + "$IMAGES" \ "--policy" \ "$POLICY_CONFIGURATION" \ "--public-key" \ - "$PUBLIC_KEY" \ - "--rekor-url" \ - "$REKOR_HOST" \ - "--ignore-rekor=$IGNORE_REKOR" \ + <(echo "$PUBLIC_KEY") \ + "$REKOR_OPT" \ "--info=$INFO" \ "--strict=false" \ "--show-successes" \ - "--effective-time=$EFFECTIVE_TIME \ - "--output" \ + "--effective-time=$EFFECTIVE_TIME" \ + "--output" \ "yaml=$HOMEDIR/report.yaml" \ "--output" \ "appstudio=$RESULTS/TEST_OUTPUT" \ "--output" \ - "json=$HOMEDIR/report-json.json" + "json=$HOMEDIR/report-json.json" \ + "--output" \ + "text" } function report() { echo "Running $TASK_NAME:report" - cat "$HOMEDIR/report.yaml" + cat "$HOMEDIR/report.yaml" +} function report-json() { echo "Running $TASK_NAME:report-json" - cat "$HOMEDIR/report-json.json" + cat "$HOMEDIR/report-json.json" } function summary() { echo "Running $TASK_NAME:summary" - jq "." "$RESULTS/TEST_OUTPUT" + jq "." 
"$RESULTS/TEST_OUTPUT" } function assert() { echo "Running $TASK_NAME:assert" - jq --argjson strict "$STRICT" -e" \ - ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n" \ - "$RESULTS/TEST_OUTPUT" + jq --argjson strict "$STRICT" -e \ + ".result == \"SUCCESS\" or .result == \"WARNING\" or (\$strict | not)" \ + "$RESULTS/TEST_OUTPUT" } - -# Task Steps + +# Task Steps version initialize-tuf validate report report-json summary -assert +assert + exit_with_success_result
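Review bot: The Rekor selection added in `validate()` fails open: when `REKOR_HOST` is empty or `none` the script passes `--ignore-rekor` even though `IGNORE_REKOR` is not `true`, so a merely missing environment variable silently disables transparency-log verification with nothing in the output saying so. Make `IGNORE_REKOR=true` the only path to `--ignore-rekor`, print a warning on that path, and treat an unset or `none` `REKOR_HOST` without it as a configuration error; the `[ … -a … -a … ]` test should also become `[[ … && … ]]`, since `-a` is deprecated and ambiguous with empty operands. The `set -euo pipefail` executed inside `initialize-tuf()` in the first hunk stays in effect for `validate()`, so an undefined `COSIGN_PUBLIC_KEY` already aborts at the `base64 -d` line; that is the desired behaviour and deserves a comment on that line. `validate()` begins inside this hunk, which runs to the end of the file.
```shell
  # Fail closed: the transparency log is skipped only on an explicit opt-out.
  if [[ "$IGNORE_REKOR" == "true" ]]; then
    echo "WARNING: IGNORE_REKOR=true, Rekor transparency log will not be checked" >&2
    REKOR_OPT="--ignore-rekor"
  elif [[ -z "$REKOR_HOST" || "$REKOR_HOST" == "none" ]]; then
    echo "REKOR_HOST is unset or 'none' but IGNORE_REKOR is not 'true'" >&2
    exit 1
  else
    REKOR_OPT="--rekor-url=$REKOR_HOST"
  fi
  # … unchanged: PUBLIC_KEY decode and the ec validate image call …
```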