feat(ISV-5130): optionally enable SBOM processing

Signed-off-by: Martin Jediny <[email protected]>
konflux-ci · Nov 18, 2024 · 1f5a40a · 1f5a40a
1 parent edb7fa5
commit 1f5a40a
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 8 deletions.
diff --git a/pipelines/rh-advisories/rh-advisories.yaml b/pipelines/rh-advisories/rh-advisories.yaml
@@ -543,6 +543,10 @@ spec:
       runAfter:
         - collect-data
     - name: create-product-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
       params:
         - name: dataJsonPath
           value: "$(tasks.collect-data.results.data)"
@@ -561,6 +565,10 @@ spec:
       runAfter:
         - check-data-keys
     - name: upload-product-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
       params:
         - name: sbomDir
           value: "$(tasks.create-product-sbom.results.productSBOMPath)"

diff --git a/pipelines/rh-push-to-registry-redhat-io/rh-push-to-registry-redhat-io.yaml b/pipelines/rh-push-to-registry-redhat-io/rh-push-to-registry-redhat-io.yaml
@@ -258,6 +258,10 @@ spec:
       runAfter:
         - collect-data
     - name: create-product-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
       params:
         - name: dataJsonPath
           value: "$(tasks.collect-data.results.data)"
@@ -276,6 +280,10 @@ spec:
       runAfter:
         - check-data-keys
     - name: upload-product-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
       params:
         - name: sbomDir
           value: "$(tasks.create-product-sbom.results.productSBOMPath)"

diff --git a/tasks/collect-atlas-params/collect-atlas-params.yaml b/tasks/collect-atlas-params/collect-atlas-params.yaml
@@ -52,11 +52,11 @@ spec:
 
         atlasServer=$(jq -r '.atlas.server' "$DATA_FILE")
         if [ "$atlasServer" = "null" ]; then
-            echo "ERROR: The JSON file does not contain the 'atlasServer' field."
-            exit 1
-        fi
-
-        if [ "$atlasServer" = "stage" ]; then
+            # In this case, SBOM processing will be skipped.
+            bombasticApiUrl=""
+            ssoTokenUrl=""
+            secretName=""
+        elif [ "$atlasServer" = "stage" ]; then
             bombasticApiUrl="https://sbom.atlas.release.stage.devshift.net"
             ssoTokenUrl="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
             secretName="atlas-staging-sso-secret"
@@ -65,7 +65,7 @@ spec:
             ssoTokenUrl="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
             secretName="atlas-prod-sso-secret"
         else
-            echo "ERROR: Unknown Atlas server value '$atlasServer'. Expected 'stage' or 'production'."
+            echo "ERROR: Unknown .atlas.server value '$atlasServer'. Expected 'stage' or 'production'."
             exit 1
         fi
 

diff --git a/tasks/collect-atlas-params/tests/test-collect-atlas-params-nonexistent.yaml b/tasks/collect-atlas-params/tests/test-collect-atlas-params-nonexistent.yaml
@@ -3,8 +3,6 @@ apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
   name: test-collect-atlas-params-nonexistent
-  annotations:
-    test/assert-task-failure: "run-task"
 spec:
   description: |
     Run the collect-atlas-params task with a missing atlasServer key.
@@ -36,3 +34,38 @@ spec:
           workspace: tests-workspace
       runAfter:
         - setup
+    - name: check-result
+      params:
+        - name: secretName
+          value: $(tasks.run-task.results.secretName)
+        - name: ssoTokenUrl
+          value: $(tasks.run-task.results.ssoTokenUrl)
+        - name: bombasticApiUrl
+          value: $(tasks.run-task.results.bombasticApiUrl)
+        - name: updateComponentSBOM
+          value: $(tasks.run-task.results.updateComponentSBOM)
+      taskSpec:
+        params:
+          - name: secretName
+          - name: ssoTokenUrl
+          - name: bombasticApiUrl
+          - name: updateComponentSBOM
+        steps:
+          - name: check-result
+            image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
+            env:
+              - name: "SECRET_NAME"
+                value: '$(params.secretName)'
+              - name: "SSO_TOKEN_URL"
+                value: '$(params.ssoTokenUrl)'
+              - name: "BOMBASTIC_API_URL"
+                value: '$(params.bombasticApiUrl)'
+              - name: "UPDATE_COMPONENT_SBOM"
+                value: '$(params.updateComponentSBOM)'
+            script: |
+              #!/usr/bin/env sh
+              set -eux
+
+              test "$SECRET_NAME" = ""
+              test "$SSO_TOKEN_URL" = ""
+              test "$BOMBASTIC_API_URL" = ""