trying stepactions
Signed-off-by: Scott Hebert <[email protected]>
scoheb committed Oct 1, 2024
1 parent b407eea commit 5fbd230
Showing 11 changed files with 458 additions and 16 deletions.
@@ -0,0 +1,63 @@
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: internal-simple-signing-pipeline
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: fbc
spec:
description: >-
Tekton pipeline for HACBS signing
params:
- name: pipeline_image
description: An image with CLI tools needed for the signing.
default: quay.io/redhat-isv/operator-pipelines-images:released
- name: manifest_digest
description: Manifest digest for the signed content, usually in the format sha256:xxx
- name: reference
description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9
- name: requester
description: Name of the user that requested the signing, for auditing purposes
- name: config_map_name
description: A config map name with configuration
default: hacbs-signing-pipeline-config
- name: taskGitUrl
type: string
description: The url to the git repo where the release-service-catalog tasks to be used are stored
default: https://github.com/konflux-ci/release-service-catalog.git
- name: taskGitRevision
type: string
description: The revision in the taskGitUrl repo to be used
workspaces:
- name: pipeline
tasks:
- name: request-and-upload-signature
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: internal/tasks/request-and-upload-signature/request-and-upload-signature.yaml
params:
- name: config_map_name
value: $(params.config_map_name)
- name: manifest_digest
value: $(params.manifest_digest)
- name: reference
value: $(params.reference)
- name: requester
value: $(params.requester)
- name: taskGitUrl
value: $(params.taskGitUrl)
- name: taskGitRevision
value: $(params.taskGitRevision)
workspaces:
- name: source
workspace: pipeline
subPath: signing
125 changes: 125 additions & 0 deletions internal/stepactions/request-signature-sa/request-signature-sa.yaml
@@ -0,0 +1,125 @@
---
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: request-signature-sa
spec:
params:
- description: A docker image of operator-pipeline-images for the steps to run in.
name: pipeline_image
- description: Manifest digest for the signed content, usually in the format sha256:xxx
name: manifest_digest
- description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9
name: reference
- description: Name of the user that requested the signing, for auditing purposes
name: requester
- default: 4096R/55A34A82 SHA-256
description: The signing key id that the content is signed with
name: sig_key_id
- default: containerisvsign
description: The signing key name that the content is signed with
name: sig_key_name
- description: Kubernetes secret name that contains the umb SSL files
name: umb_ssl_secret_name
- description: The key within the Kubernetes secret that contains the umb SSL cert.
name: umb_ssl_cert_secret_key
- description: The key within the Kubernetes secret that contains the umb SSL key.
name: umb_ssl_key_secret_key
- default: operatorpipelines
description: Client name to connect to umb, usually a service account name
name: umb_client_name
- default: VirtualTopic.eng.robosignatory.isv.sign
description: umb topic to listen to for responses with signed content
name: umb_listen_topic
- default: VirtualTopic.eng.operatorpipelines.isv.sign
description: umb topic to publish to for requesting signing
name: umb_publish_topic
- default: umb.api.redhat.com
description: umb host to connect to for messaging
name: umb_url
results:
- name: signature_data_file
- name: signature_data
env:
- name: UmbCert
valueFrom:
secretKeyRef:
name: $(params.umb_ssl_secret_name)
key: hacbs-signing-pipeline.pem
- name: UmbKey
valueFrom:
secretKeyRef:
name: $(params.umb_ssl_secret_name)
key: hacbs-signing-pipeline.key
- name: UMB_CERT_PATH
value: "/tmp/crt"
- name: UMB_KEY_PATH
value: "/tmp/key"
- name: manifest_digest
value: $(params.manifest_digest)
- name: reference
value: $(params.reference)
- name: requester
value: $(params.requester)
- name: sig_key_id
value: $(params.sig_key_id)
- name: sig_key_name
value: $(params.sig_key_name)
- name: umb_ssl_secret_name
value: $(params.umb_ssl_secret_name)
- name: umb_ssl_cert_secret_key
value: $(params.umb_ssl_cert_secret_key)
- name: umb_client_name
value: $(params.umb_client_name)
- name: umb_listen_topic
value: $(params.umb_listen_topic)
- name: umb_publish_topic
value: $(params.umb_publish_topic)
- name: umb_url
value: $(params.umb_url)
image: "$(params.pipeline_image)"
script: |
#!/usr/bin/env /bin/bash
set -x
MAX_RETRIES=3
RETRY_DELAY=5 # Initial delay
set +x
# This helps with Shellcheck warning
echo "${UmbCert:?}" > /tmp/crt
echo "${UmbKey:?}" > /tmp/key
set -x
echo "Requesting signing from RADAS"
for ((i=1; i<=MAX_RETRIES; i++)); do
if request-signature \
--manifest-digest "${manifest_digest}" \
--output signing_response.json \
--reference "${reference}" \
--requester "${requester}" \
--sig-key-id "${sig_key_id}" \
--sig-key-name "${sig_key_name}" \
--umb-client-name "${umb_client_name}" \
--umb-listen-topic "${umb_listen_topic}" \
--umb-publish-topic "${umb_publish_topic}" \
--umb-url "${umb_url}" \
--verbose
then
echo "request-signature command succeeded."
break
elif [ $i -eq $MAX_RETRIES ]; then
echo "Max retries reached. Exiting."
exit 1
else
echo "Attempt $i failed. Retrying in $RETRY_DELAY seconds..."
sleep $RETRY_DELAY
RETRY_DELAY=$((RETRY_DELAY * 2)) # Exponential backoff
fi
done
SIG_DATA=$(cat signing_response.json)
echo "Signed claims and their metadata: "
echo -n "$SIG_DATA" | tee "$(step.results.signature_data.path)"
echo -n signing_response.json | tee "$(step.results.signature_data_file.path)"
workingDir: "$(workspaces.source.path)"
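Review bot: The UMB client certificate and private key are written to `/tmp/crt` and `/tmp/key` (`echo "${UmbCert:?}" > /tmp/crt`, `echo "${UmbKey:?}" > /tmp/key`) under the container's default umask, so the private key file is typically created readable by every user in the step container; wrapping the writes as `(umask 077; echo "${UmbCert:?}" > "$UMB_CERT_PATH"; echo "${UmbKey:?}" > "$UMB_KEY_PATH")` restricts them to the owner and reuses the paths already exported as `UMB_CERT_PATH`/`UMB_KEY_PATH` instead of repeating the literals. The same pattern appears in `internal/stepactions/upload-signature-sa/upload-signature-sa.yaml` for `/tmp/pyxisCert` and `/tmp/pyxisKey`. Separately, `umb_ssl_cert_secret_key` and `umb_ssl_key_secret_key` are declared as params (and the first is exported to env) but the two `secretKeyRef.key` values are hard-coded to `hacbs-signing-pipeline.pem` and `hacbs-signing-pipeline.key`, so the params have no effect; either remove them or, if StepAction substitutes params inside `valueFrom.secretKeyRef`, use `key: $(params.umb_ssl_cert_secret_key)` and `key: $(params.umb_ssl_key_secret_key)`. The `signature_data` result receives the entire `signing_response.json`, which may exceed Tekton's per-result size limit for larger responses — presumably the payload is small, but worth confirming.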
63 changes: 63 additions & 0 deletions internal/stepactions/set-env-sa/set-env-sa.yaml
@@ -0,0 +1,63 @@
---
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: set-env-sa
spec:
params:
- name: ubi8_minimal_image
description: ubi8 minimal image
default: "quay.io/redhat-isv/operator-pipelines-images:released"
- name: config_map_name
description: Name of a configmap with pipeline configuration
results:
- name: pyxis_url
description: Container API URL based for selected environment
- name: sig_key_id
description: The signing key id that index image claims are signed with
- name: sig_key_name
description: The signing key name that index image claims are signed with
- name: umb_url
description: umb host to connect to for messaging, e.g. for signing
- name: umb_listen_topic
description: umb topic which is used for listening
- name: umb_publish_topic
description: umb topic which is used for publishing
- name: umb_client_name
description: Client name to connect to umb, usually a service account name
- name: ssl_cert_secret_name
description: SSL secret name
- name: ssl_cert_file_name
description: SSL certificate file name
- name: ssl_key_file_name
description: SSL key file name
image: "$(params.ubi8_minimal_image)"
env:
- name: config_map_name
value: $(params.config_map_name)
script: |
#!/bin/bash
set -ex
configMapJson=$(oc get "cm/${config_map_name:?}" -ojson)
PYXIS_URL=$(jq -r '.data.PYXIS_URL' <<< "${configMapJson}")
SIG_KEY_ID=$(jq -r '.data.SIG_KEY_ID' <<< "${configMapJson}")
SIG_KEY_NAME=$(jq -r '.data.SIG_KEY_NAME' <<< "${configMapJson}")
SSL_CERT_FILE_NAME=$(jq -r '.data.SSL_CERT_FILE_NAME' <<< "${configMapJson}")
SSL_CERT_SECRET_NAME=$(jq -r '.data.SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
SSL_KEY_FILE_NAME=$(jq -r '.data.SSL_KEY_FILE_NAME' <<< "${configMapJson}")
UMB_CLIENT_NAME=$(jq -r '.data.UMB_CLIENT_NAME' <<< "${configMapJson}")
UMB_LISTEN_TOPIC=$(jq -r '.data.UMB_LISTEN_TOPIC' <<< "${configMapJson}")
UMB_PUBLISH_TOPIC=$(jq -r '.data.UMB_PUBLISH_TOPIC' <<< "${configMapJson}")
UMB_URL=$(jq -r '.data.UMB_URL' <<< "${configMapJson}")
echo -n "$PYXIS_URL" | tee "$(step.results.pyxis_url.path)"
echo -n "$SIG_KEY_ID" | tee "$(step.results.sig_key_id.path)"
echo -n "$SIG_KEY_NAME" | tee "$(step.results.sig_key_name.path)"
echo -n "$SSL_CERT_FILE_NAME" | tee "$(step.results.ssl_cert_file_name.path)"
echo -n "$SSL_CERT_SECRET_NAME" | tee "$(step.results.ssl_cert_secret_name.path)"
echo -n "$SSL_KEY_FILE_NAME" | tee "$(step.results.ssl_key_file_name.path)"
echo -n "$UMB_CLIENT_NAME" | tee "$(step.results.umb_client_name.path)"
echo -n "$UMB_LISTEN_TOPIC" | tee "$(step.results.umb_listen_topic.path)"
echo -n "$UMB_PUBLISH_TOPIC" | tee "$(step.results.umb_publish_topic.path)"
echo -n "$UMB_URL" | tee "$(step.results.umb_url.path)"
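Review bot: Each `jq -r '.data.X' <<< "${configMapJson}"` prints the literal string `null` when the ConfigMap lacks that key, and `set -e` does not catch it, so a missing `UMB_URL`, `SIG_KEY_ID` or `SSL_CERT_SECRET_NAME` is silently published as the string `null` into the step results and then consumed by the signing steps. Using `jq -er`, e.g. `PYXIS_URL=$(jq -er '.data.PYXIS_URL' <<< "${configMapJson}")` for each of the ten lookups, makes jq exit non-zero on a null or missing value, which the `set -e` assignment turns into a step failure at the point of the bad configuration. Note also that under `set -x` the `configMapJson=$(oc get ...)` assignment echoes the full ConfigMap JSON into the step log; that is acceptable only as long as the ConfigMap holds non-sensitive data, which appears to be the case here (URLs, topic names and secret *names*), so a short comment above the `oc get` line stating that assumption would help future editors. Minor: the `ubi8_minimal_image` param name does not match its default `operator-pipelines-images:released`, which is misleading for callers overriding it.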
74 changes: 74 additions & 0 deletions internal/stepactions/upload-signature-sa/upload-signature-sa.yaml
@@ -0,0 +1,74 @@
---
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: upload-signature-sa
spec:
params:
- description: Json file containing the list of signature data to upload to Pyxis
signature.
name: signature_data_file
- description: A docker image of operator-pipeline-images for the steps to run in.
name: pipeline_image
- description: Kubernetes secret name that contains the Pyxis SSL files.
name: pyxis_ssl_secret_name
- description: The key within the Kubernetes secret that contains the Pyxis SSL
cert.
name: pyxis_ssl_cert_secret_key
- description: The key within the Kubernetes secret that contains the Pyxis SSL
key.
name: pyxis_ssl_key_secret_key
- default: https://pyxis.engineering.redhat.com
description: Pyxis instance to upload the signature to.
name: pyxis_url
- default: 'true'
description: Whether to verify that the signature data is signed with the right
key.
name: verify_signature
- default: signing-pub-key
description: The name of the Kubernetes Secret that contains the public key for
verifying signatures.
name: signing_pub_secret_name
- default: sig-key.pub
description: The key within the Kubernetes Secret that contains the public key
for verifying signatures.
name: signing_pub_secret_key
image: "$(params.pipeline_image)"
env:
- name: PYXIS_CERT_PATH
value: "/tmp/pyxisCert"
- name: PYXIS_KEY_PATH
value: "/tmp/pyxisKey"
- name: PyxisCert
valueFrom:
secretKeyRef:
name: $(params.pyxis_ssl_secret_name)
#key: $(params.pyxis_ssl_cert_secret_key)

Check failure on line 46 in internal/stepactions/upload-signature-sa/upload-signature-sa.yaml


GitHub Actions / yamllint

missing starting space in comment
key: hacbs-signing-pipeline.pem
- name: PyxisKey
valueFrom:
secretKeyRef:
name: $(params.pyxis_ssl_secret_name)
#key: $(params.pyxis_ssl_key_secret_key)

Check failure on line 52 in internal/stepactions/upload-signature-sa/upload-signature-sa.yaml


GitHub Actions / yamllint

missing starting space in comment
key: hacbs-signing-pipeline.key
- name: pyxis_url
value: $(params.pyxis_url)
- name: signature_data_file
value: $(params.signature_data_file)
script: |
#!/bin/bash
set -xe
set +x
# This helps with Shellcheck warning
echo "${PyxisCert:?}" > /tmp/pyxisCert
echo "${PyxisKey:?}" > /tmp/pyxisKey
set -x
echo "Signature verified. Uploading to Pyxis sigstore"
upload-signature \
--pyxis-url "$pyxis_url" \
--signature-data "$signature_data_file" \
--verbose
workingDir: "$(workspaces.source.path)"
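Review bot: The script logs `Signature verified. Uploading to Pyxis sigstore` but performs no verification: `verify_signature`, `signing_pub_secret_name` and `signing_pub_secret_key` are declared as params and never read, so the upload runs unconditionally and the log line misstates what happened. Until the verification step is ported to this StepAction, either change the message to `echo "Uploading signature data to Pyxis sigstore (signature verification not performed in this step)"` or make the step fail when `$(params.verify_signature)` is `true`, so that a caller relying on the default `'true'` does not get an unverified upload. The commented-out `#key: $(params.pyxis_ssl_cert_secret_key)` and `#key: $(params.pyxis_ssl_key_secret_key)` lines (the two yamllint failures) leave the secret keys hard-coded to `hacbs-signing-pipeline.pem`/`.key` while `pyxis_ssl_cert_secret_key` and `pyxis_ssl_key_secret_key` are still advertised as params; if StepAction does not substitute params in `secretKeyRef.key`, remove those params rather than keeping stale comments, otherwise restore the substitution. `upload-signature` is invoked without any cert/key argument, so presumably it reads `PYXIS_CERT_PATH`/`PYXIS_KEY_PATH` from the environment — a one-line comment above the call stating that would save the next reader a trip to the tool's source.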