Get verify-enterprise-contract task working

- Do some handling of the Rekor options - Pull in the public key from the environment var created from the credential as it is done in the build pipeline. - Fix some bash typos and syntax errors - Use a different location for the /tmp/all-images.txt since my Jenkins user was not permitted to write to /tmp. - Add a way to provide your own list of images to verify to help debug the ec verification. - Use github url for configuration instead of a named ECP cluster record See also konflux-ci/build-definitions#1240 which back-ports one of the changes introduced here to the original source of the gather-deploy-images task. Ref: https://issues.redhat.com/browse/EC-745
simonbaird · Aug 5, 2024 · bb7f562 · bb7f562
1 parent 9f806d1
commit bb7f562
Show file tree

Hide file tree

Showing 8 changed files with 87 additions and 36 deletions.
diff --git a/Jenkinsfile.gitops b/Jenkinsfile.gitops
@@ -4,6 +4,9 @@ library identifier: 'RHTAP_Jenkins@main', retriever: modernSCM(
 
 pipeline { 
     agent any
+    environment {
+        COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+    }
     stages {
         stage('Compute Image Changes') {
             steps {
@@ -16,7 +19,7 @@ pipeline {
         stage('verify EC') {
             steps {
                 script { 
-                    rhtap.info ("Validate Enteprise Contract")
+                    rhtap.info ("Validate Enterprise Contract")
                     rhtap.verify_enterprise_contract() 
                 }
             } 

diff --git a/Jenkinsfile.gitops-local-shell b/Jenkinsfile.gitops-local-shell
@@ -1,5 +1,8 @@
 pipeline { 
     agent any
+    environment {
+        COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+    }
     stages {
         stage('Compute Image Changes') {
             steps {
@@ -9,7 +12,7 @@ pipeline {
         }
         stage('verify EC') {
             steps {
-                echo 'Validate Enteprise Contract.' 
+                echo 'Validate Enterprise Contract.'
                 sh "rhtap/verify-enterprise-contract.sh"  
             }
         }  

diff --git a/hack/show-image-ref b/hack/show-image-ref
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+# For testing verify-enterprise-contract you can do this:
+#  $ export MY_IMAGES_TO_VERIFY=$(hack/show-image-ref.sh)
+#  $ bash promote-pipeline.sh
+
+IMAGE_URL=$(cat results/buildah-rhtap/IMAGE_URL)
+IMAGE_DIGEST=$(cat results/buildah-rhtap/IMAGE_DIGEST)
+echo "${IMAGE_URL%:*}@${IMAGE_DIGEST}"
diff --git a/promote-pipeline.sh b/promote-pipeline.sh
@@ -18,12 +18,22 @@ fi
 
 SETUP_ENV=rhtap/env.sh 
 cp rhtap/env.template.sh $SETUP_ENV
-sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
+sed -i "s!\${{ values.image }}!quay.io/\${MY_QUAY_USER:-jduimovich0}/bootstrap!g" $SETUP_ENV
 sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
 sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
 sed -i "s!\${{ values.repoURL }}!!g" $SETUP_ENV
+
+# Set MY_REKOR_HOST and MY_TUF_MIRROR to 'none' if these services are not available
+sed -i 's!export REKOR_HOST=.*$!export REKOR_HOST="\${MY_REKOR_HOST:-http://rekor-server.rhtap.svc}"!' $SETUP_ENV
+sed -i 's!export TUF_MIRROR=.*$!export TUF_MIRROR="\${MY_TUF_MIRROR:-http://tuf.rhtap.svc}"!' $SETUP_ENV
+
 source $SETUP_ENV
 cat $SETUP_ENV
+# When running in Jenkins the secret values will be read from credentials
+# Todo: We need to restrict access to the signing secret. Here we need only
+# the public key, the rest of the secret should not be visible at all.
+SIGNING_SECRET_ENV=rhtap/signing-secret-env.sh
+source $SIGNING_SECRET_ENV
 
 COUNT=0
 

diff --git a/rhtap/env.sh b/rhtap/env.sh
@@ -31,7 +31,7 @@ export SOURCE_BUILD_RESULT_FILE=
 
 export TARGET_BRANCH="" 
 # enterprise contract 
-export POLICY_CONFIGURATION="enterprise-contract-service/default" 
+export POLICY_CONFIGURATION="github.com/enterprise-contract/config//rhtap-jenkins"
 #internal, assumes jenkins is local openshift
 export REKOR_HOST="${MY_REKOR_HOST:-http://rekor-server.rhtap.svc}"
 export IGNORE_REKOR=false

diff --git a/rhtap/env.template.sh b/rhtap/env.template.sh
@@ -31,7 +31,7 @@ export SOURCE_BUILD_RESULT_FILE=
 
 export TARGET_BRANCH="" 
 # enterprise contract 
-export POLICY_CONFIGURATION="enterprise-contract-service/default" 
+export POLICY_CONFIGURATION="github.com/enterprise-contract/config//rhtap-jenkins"
 #internal, assumes jenkins is local openshift
 export REKOR_HOST=http://rekor-server.rhtap.svc
 export IGNORE_REKOR=false

diff --git a/rhtap/gather-deploy-images.sh b/rhtap/gather-deploy-images.sh
@@ -11,6 +11,7 @@ function get-images-per-env() {
 	set -euo pipefail
 
 	IMAGE_PATH='.spec.template.spec.containers[0].image'
+	IMAGES_FILE=$HOMEDIR/all-images.txt
 	component_name=$(yq .metadata.name application.yaml)
 
 	for env in development stage prod; do
@@ -26,9 +27,17 @@ function get-images-per-env() {
 	  fi
 
 	  printf "%s\n" "$image"
-	done | sort -u > /tmp/all-images.txt
-
-	if [ ! -s /tmp/all-images.txt ]; then
+	done | sort -u > "$IMAGES_FILE"
+
+	# For development purposes, allow injecting your own list of images
+	# (Let's remove this when copying the changes to redhat-appstudio/tssc-sample-jenkins)
+	if [ -n "${MY_IMAGES_TO_VERIFY:-}" ]; then
+	  for image in ${MY_IMAGES_TO_VERIFY}; do
+	    printf "%s\n" "$image"
+	  done > "$IMAGES_FILE"
+	fi
+
+	if [ ! -s "$IMAGES_FILE" ]; then
 	  echo "No images to verify"
 	  touch $RESULTS/IMAGES_TO_VERIFY
 	  exit 0
@@ -37,7 +46,7 @@ function get-images-per-env() {
 	# TODO: each component needs a {"source": {"git": {"url": "...", "revision": "..."}}}
 	#       will that be too large for Tekton results?
 
-	jq --compact-output --raw-input --slurp < /tmp/all-images.txt '
+	jq --compact-output --raw-input --slurp < "$IMAGES_FILE" '
 	  # split input file
 	  split("\n") |
 	  # drop empty lines

diff --git a/rhtap/verify-enterprise-contract.sh b/rhtap/verify-enterprise-contract.sh
@@ -1,22 +1,21 @@
 #!/bin/bash
 SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
 # verify-enterprise-contract
 source $SCRIPTDIR/common.sh
 
-# Top level parameters 
-
 function version() {
 	echo "Running $TASK_NAME:version"
-	ec version  
+	ec version
 }
 
 function initialize-tuf() {
 	echo "Running $TASK_NAME:initialize-tuf"
 	set -euo pipefail
-	
-	if [[ -z "${TUF_MIRROR:-}" ]]; then
-	    echo 'TUF_MIRROR not set. Skipping TUF root initialization.'
-	else 
+
+	if [[ -z "${TUF_MIRROR:-}" || "${TUF_MIRROR:-}" = "none" ]]; then
+		echo 'TUF_MIRROR not set or set to "none". Skipping TUF root initialization.'
+	else
 		echo 'Initializing TUF root...'
 		cosign initialize --mirror "${TUF_MIRROR}" --root "${TUF_MIRROR}/root.json"
 		echo 'Done!'
@@ -25,57 +24,74 @@ function initialize-tuf() {
 
 function validate() {
 	echo "Running $TASK_NAME:validate"
-	
+
 	IMAGES=$(cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY)
-	echo "Images to Verify "
-	cat $BASE_RESULTS/gather-deploy-images/IMAGES_TO_VERIFY | jq  
-	ec "$IMAGES" \
+	echo "Images to verify: "
+	echo "$IMAGES" | jq
+	echo -n "Policy used: "
+	echo "$POLICY_CONFIGURATION"
+	echo -n "Rekor URL: "
+	echo "$REKOR_HOST"
+
+	if [ -n "$REKOR_HOST" -a "$REKOR_HOST" != "none" -a "$IGNORE_REKOR" != "true" ]; then
+		REKOR_OPT="--rekor-url=$REKOR_HOST"
+	else
+		REKOR_OPT="--ignore-rekor"
+	fi
+
+	PUBLIC_KEY=$(base64 -d <<< "$COSIGN_PUBLIC_KEY")
+
+	ec validate image \
+          "--images" \
+          "$IMAGES" \
           "--policy" \
           "$POLICY_CONFIGURATION" \
           "--public-key" \
-          "$PUBLIC_KEY" \
-          "--rekor-url" \
-          "$REKOR_HOST" \
-          "--ignore-rekor=$IGNORE_REKOR" \
+          <(echo "$PUBLIC_KEY") \
+          "$REKOR_OPT" \
           "--info=$INFO" \
           "--strict=false" \
           "--show-successes" \
-          "--effective-time=$EFFECTIVE_TIME \
-          "--output" \ 
+          "--effective-time=$EFFECTIVE_TIME" \
+          "--output" \
           "yaml=$HOMEDIR/report.yaml" \
           "--output" \
           "appstudio=$RESULTS/TEST_OUTPUT" \
           "--output" \
-          "json=$HOMEDIR/report-json.json"
+          "json=$HOMEDIR/report-json.json" \
+          "--output" \
+          "text"
 }
 
 function report() {
 	echo "Running $TASK_NAME:report"
-	cat "$HOMEDIR/report.yaml" 
+	cat "$HOMEDIR/report.yaml"
+}
 
 function report-json() {
 	echo "Running $TASK_NAME:report-json"
-	cat  "$HOMEDIR/report-json.json" 
+	cat  "$HOMEDIR/report-json.json"
 }
 
 function summary() {
 	echo "Running $TASK_NAME:summary"
-	jq "." "$RESULTS/TEST_OUTPUT" 
+	jq "." "$RESULTS/TEST_OUTPUT"
 }
 
 function assert() {
 	echo "Running $TASK_NAME:assert"
-	jq --argjson strict "$STRICT" -e" \
-        ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n" \
-          "$RESULTS/TEST_OUTPUT"
+	jq --argjson strict "$STRICT" -e \
+        ".result == \"SUCCESS\" or .result == \"WARNING\" or (\$strict | not)" \
+        "$RESULTS/TEST_OUTPUT"
 }
-  
-# Task Steps 
+
+# Task Steps
 version
 initialize-tuf
 validate
 report
 report-json
 summary
-assert 
+assert
+
 exit_with_success_result