-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Scott Hebert <[email protected]>
- Loading branch information
Showing
10 changed files
with
521 additions
and
1 deletion.
There are no files selected for viewing
141 changes: 141 additions & 0 deletions
141
internal/pipelines/hacbs-signing-pipeline-sa/hacbs-signing-pipeline-sa.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,141 @@ | ||
--- | ||
apiVersion: tekton.dev/v1beta1 | ||
kind: Pipeline | ||
metadata: | ||
name: internal-simple-signing-pipeline | ||
labels: | ||
app.kubernetes.io/version: "0.1" | ||
annotations: | ||
tekton.dev/pipelines.minVersion: "0.12.1" | ||
tekton.dev/tags: fbc | ||
spec: | ||
description: >- | ||
Tekton pipeline for HACBS signing | ||
params: | ||
- name: pipeline_image | ||
description: An image with CLI tools needed for the signing. | ||
default: quay.io/redhat-isv/operator-pipelines-images:released | ||
- name: manifest_digest | ||
description: Manifest digest for the signed content, usually in the format sha256:xxx | ||
- name: reference | ||
description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9 | ||
- name: requester | ||
description: Name of the user that requested the signing, for auditing purposes | ||
- name: config_map_name | ||
description: A config map name with configuration | ||
default: hacbs-signing-pipeline-config | ||
- name: taskGitUrl | ||
type: string | ||
description: The url to the git repo where the release-service-catalog tasks to be used are stored | ||
default: https://github.com/konflux-ci/release-service-catalog.git | ||
- name: taskGitRevision | ||
type: string | ||
description: The revision in the taskGitUrl repo to be used | ||
workspaces: | ||
- name: pipeline | ||
tasks: | ||
- name: request-and-upload-signature | ||
taskRef: | ||
resolver: "git" | ||
params: | ||
- name: url | ||
value: $(params.taskGitUrl) | ||
- name: revision | ||
value: $(params.taskGitRevision) | ||
- name: pathInRepo | ||
value: internal/tasks/request-and-upload-signature/request-and-upload-signature.yaml | ||
params: | ||
- name: config_map_name | ||
value: $(params.config_map_name) | ||
- name: manifest_digest | ||
value: $(params.manifest_digest) | ||
- name: reference | ||
value: $(params.reference) | ||
- name: requester | ||
value: $(params.requester) | ||
- name: taskGitUrl | ||
value: $(params.taskGitUrl) | ||
- name: taskGitRevision | ||
value: $(params.taskGitRevision) | ||
workspaces: | ||
- name: source | ||
workspace: pipeline | ||
subPath: signing | ||
# - name: request-signature | ||
# taskRef: | ||
# resolver: "git" | ||
# params: | ||
# - name: url | ||
# value: $(params.taskGitUrl) | ||
# - name: revision | ||
# value: $(params.taskGitRevision) | ||
# - name: pathInRepo | ||
# value: internal/tasks/request-signature/request-signature.yaml | ||
# runAfter: | ||
# - set-env | ||
# params: | ||
# - name: pipeline_image | ||
# value: "$(params.pipeline_image)" | ||
# - name: manifest_digest | ||
# value: "$(params.manifest_digest)" | ||
# - name: reference | ||
# value: "$(params.reference)" | ||
# - name: requester | ||
# value: "$(params.requester)" | ||
# - name: sig_key_id | ||
# value: "$(tasks.set-env.results.sig_key_id)" | ||
# - name: sig_key_name | ||
# value: "$(tasks.set-env.results.sig_key_name)" | ||
# - name: umb_ssl_secret_name | ||
# value: "$(tasks.set-env.results.ssl_cert_secret_name)" | ||
# - name: umb_ssl_cert_secret_key | ||
# value: "$(tasks.set-env.results.ssl_cert_file_name)" | ||
# - name: umb_ssl_key_secret_key | ||
# value: "$(tasks.set-env.results.ssl_key_file_name)" | ||
# - name: umb_client_name | ||
# value: "$(tasks.set-env.results.umb_client_name)" | ||
# - name: umb_url | ||
# value: "$(tasks.set-env.results.umb_url)" | ||
# - name: umb_listen_topic | ||
# value: "$(tasks.set-env.results.umb_listen_topic)" | ||
# - name: umb_publish_topic | ||
# value: "$(tasks.set-env.results.umb_publish_topic)" | ||
# workspaces: | ||
# - name: source | ||
# workspace: pipeline | ||
# subPath: signing | ||
# | ||
# - name: upload-signature | ||
# taskRef: | ||
# resolver: "git" | ||
# params: | ||
# - name: url | ||
# value: $(params.taskGitUrl) | ||
# - name: revision | ||
# value: $(params.taskGitRevision) | ||
# - name: pathInRepo | ||
# value: internal/tasks/upload-signature/upload-signature.yaml | ||
# runAfter: | ||
# - request-signature | ||
# params: | ||
# - name: pipeline_image | ||
# value: "$(params.pipeline_image)" | ||
# - name: signature_data_file | ||
# value: "$(tasks.request-signature.results.signature_data_file)" | ||
# - name: pyxis_ssl_secret_name | ||
# value: "$(tasks.set-env.results.ssl_cert_secret_name)" | ||
# - name: pyxis_ssl_cert_secret_key | ||
# value: "$(tasks.set-env.results.ssl_cert_file_name)" | ||
# - name: pyxis_ssl_key_secret_key | ||
# value: "$(tasks.set-env.results.ssl_key_file_name)" | ||
# - name: pyxis_url | ||
# value: "$(tasks.set-env.results.pyxis_url)" | ||
# - name: verify_signature | ||
# value: "false" | ||
# workspaces: | ||
# - name: source | ||
# workspace: pipeline | ||
# subPath: signing | ||
# results: | ||
# - name: signature_data | ||
# value: "$(tasks.request-signature.results.signature_data)" |
136 changes: 136 additions & 0 deletions
136
internal/stepactions/request-signature-sa/request-signature-sa.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,136 @@ | ||
--- | ||
apiVersion: tekton.dev/v1alpha1 | ||
kind: StepAction | ||
metadata: | ||
name: request-signature-sa | ||
spec: | ||
params: | ||
- description: A docker image of operator-pipeline-images for the steps to run in. | ||
name: pipeline_image | ||
- description: Manifest digest for the signed content, usually in the format sha256:xxx | ||
name: manifest_digest | ||
- description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9 | ||
name: reference | ||
- description: Name of the user that requested the signing, for auditing purposes | ||
name: requester | ||
- default: 4096R/55A34A82 SHA-256 | ||
description: The signing key id that the content is signed with | ||
name: sig_key_id | ||
- default: containerisvsign | ||
description: The signing key name that the content is signed with | ||
name: sig_key_name | ||
- description: Kubernetes secret name that contains the umb SSL files | ||
name: umb_ssl_secret_name | ||
- description: The key within the Kubernetes secret that contains the umb SSL cert. | ||
name: umb_ssl_cert_secret_key | ||
- description: The key within the Kubernetes secret that contains the umb SSL key. | ||
name: umb_ssl_key_secret_key | ||
- default: operatorpipelines | ||
description: Client name to connect to umb, usually a service account name | ||
name: umb_client_name | ||
- default: VirtualTopic.eng.robosignatory.isv.sign | ||
description: umb topic to listen to for responses with signed content | ||
name: umb_listen_topic | ||
- default: VirtualTopic.eng.operatorpipelines.isv.sign | ||
description: umb topic to publish to for requesting signing | ||
name: umb_publish_topic | ||
- default: umb.api.redhat.com | ||
description: umb host to connect to for messaging | ||
name: umb_url | ||
results: | ||
- name: signature_data_file | ||
- name: signature_data | ||
env: | ||
- name: UmbCert | ||
valueFrom: | ||
secretKeyRef: | ||
name: $(params.umb_ssl_secret_name) | ||
key: hacbs-signing-pipeline.pem | ||
- name: UmbKey | ||
valueFrom: | ||
secretKeyRef: | ||
name: $(params.umb_ssl_secret_name) | ||
key: hacbs-signing-pipeline.key | ||
- name: UMB_CERT_PATH | ||
value: "/tmp/crt" | ||
- name: UMB_KEY_PATH | ||
value: "/tmp/key" | ||
- name: manifest_digest | ||
value: $(params.manifest_digest) | ||
- name: reference | ||
value: $(params.reference) | ||
- name: requester | ||
value: $(params.requester) | ||
- name: sig_key_id | ||
value: $(params.sig_key_id) | ||
- name: sig_key_name | ||
value: $(params.sig_key_name) | ||
- name: umb_ssl_secret_name | ||
value: $(params.umb_ssl_secret_name) | ||
- name: umb_ssl_cert_secret_key | ||
value: $(params.umb_ssl_cert_secret_key) | ||
- name: umb_client_name | ||
value: $(params.umb_client_name) | ||
- name: umb_listen_topic | ||
value: $(params.umb_listen_topic) | ||
- name: umb_publish_topic | ||
value: $(params.umb_publish_topic) | ||
- name: umb_url | ||
value: $(params.umb_url) | ||
image: "$(params.pipeline_image)" | ||
script: | | ||
#!/usr/bin/env /bin/bash | ||
set -x | ||
echo "Requesting signing from RADAS" | ||
env | ||
echo "umb_url: $umb_url" | ||
echo "umb_publish_topic: $umb_publish_topic" | ||
echo "umb_listen_topic: $umb_listen_topic" | ||
echo "umb_client_name: $umb_client_name" | ||
echo "umb_ssl_cert_secret_key: $umb_ssl_cert_secret_key" | ||
echo "umb_ssl_secret_name: $umb_ssl_secret_name" | ||
echo "sig_key_name: $sig_key_name" | ||
echo "requester: $requester" | ||
echo "reference: $reference" | ||
echo "manifest_digest: $manifest_digest" | ||
MAX_RETRIES=3 | ||
RETRY_DELAY=5 # Initial delay | ||
set +x | ||
# This helps with Shellcheck warning | ||
echo "${UmbCert:?}" > /tmp/crt | ||
echo "${UmbKey:?}" > /tmp/key | ||
set -x | ||
echo "Requesting signing from RADAS" | ||
for ((i=1; i<=MAX_RETRIES; i++)); do | ||
if request-signature \ | ||
--manifest-digest "${manifest_digest}" \ | ||
--output signing_response.json \ | ||
--reference "${reference}" \ | ||
--requester "${requester}" \ | ||
--sig-key-id "${sig_key_id}" \ | ||
--sig-key-name "${sig_key_name}" \ | ||
--umb-client-name "${umb_client_name}" \ | ||
--umb-listen-topic "${umb_listen_topic}" \ | ||
--umb-publish-topic "${umb_publish_topic}" \ | ||
--umb-url "${umb_url}" \ | ||
--verbose | ||
then | ||
echo "request-signature command succeeded." | ||
break | ||
elif [ $i -eq $MAX_RETRIES ]; then | ||
echo "Max retries reached. Exiting." | ||
exit 1 | ||
else | ||
echo "Attempt $i failed. Retrying in $RETRY_DELAY seconds..." | ||
sleep $RETRY_DELAY | ||
RETRY_DELAY=$((RETRY_DELAY * 2)) # Exponential backoff | ||
fi | ||
done | ||
SIG_DATA=$(cat signing_response.json) | ||
echo "Signed claims and their metadata: " | ||
echo -n "$SIG_DATA" | tee "$(step.results.signature_data.path)" | ||
echo -n signing_response.json | tee "$(step.results.signature_data_file.path)" | ||
workingDir: "$(workspaces.source.path)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
--- | ||
apiVersion: tekton.dev/v1alpha1 | ||
kind: StepAction | ||
metadata: | ||
name: set-env-sa | ||
spec: | ||
params: | ||
- name: ubi8_minimal_image | ||
description: ubi8 minimal image | ||
default: "quay.io/redhat-isv/operator-pipelines-images:released" | ||
- name: config_map_name | ||
description: Name of a configmap with pipeline configuration | ||
results: | ||
- name: pyxis_url | ||
description: Container API URL based for selected environment | ||
- name: sig_key_id | ||
description: The signing key id that index image claims are signed with | ||
- name: sig_key_name | ||
description: The signing key name that index image claims are signed with | ||
- name: umb_url | ||
description: umb host to connect to for messaging, e.g. for signing | ||
- name: umb_listen_topic | ||
description: umb topic which is used for listening | ||
- name: umb_publish_topic | ||
description: umb topic which is used for publishing | ||
- name: umb_client_name | ||
description: Client name to connect to umb, usually a service account name | ||
- name: ssl_cert_secret_name | ||
description: SSL secret name | ||
- name: ssl_cert_file_name | ||
description: SSL certificate file name | ||
- name: ssl_key_file_name | ||
description: SSL key file name | ||
image: "$(params.ubi8_minimal_image)" | ||
env: | ||
- name: config_map_name | ||
value: $(params.config_map_name) | ||
script: | | ||
#!/bin/bash | ||
set -ex | ||
configMapJson=$(oc get "cm/${config_map_name:?}" -ojson) | ||
PYXIS_URL=$(jq -r '.data.PYXIS_URL' <<< "${configMapJson}") | ||
SIG_KEY_ID=$(jq -r '.data.SIG_KEY_ID' <<< "${configMapJson}") | ||
SIG_KEY_NAME=$(jq -r '.data.SIG_KEY_NAME' <<< "${configMapJson}") | ||
SSL_CERT_FILE_NAME=$(jq -r '.data.SSL_CERT_FILE_NAME' <<< "${configMapJson}") | ||
SSL_CERT_SECRET_NAME=$(jq -r '.data.SSL_CERT_SECRET_NAME' <<< "${configMapJson}") | ||
SSL_KEY_FILE_NAME=$(jq -r '.data.SSL_KEY_FILE_NAME' <<< "${configMapJson}") | ||
UMB_CLIENT_NAME=$(jq -r '.data.UMB_CLIENT_NAME' <<< "${configMapJson}") | ||
UMB_LISTEN_TOPIC=$(jq -r '.data.UMB_LISTEN_TOPIC' <<< "${configMapJson}") | ||
UMB_PUBLISH_TOPIC=$(jq -r '.data.UMB_PUBLISH_TOPIC' <<< "${configMapJson}") | ||
UMB_URL=$(jq -r '.data.UMB_URL' <<< "${configMapJson}") | ||
echo -n "$PYXIS_URL" | tee "$(step.results.pyxis_url.path)" | ||
echo -n "$SIG_KEY_ID" | tee "$(step.results.sig_key_id.path)" | ||
echo -n "$SIG_KEY_NAME" | tee "$(step.results.sig_key_name.path)" | ||
echo -n "$SSL_CERT_FILE_NAME" | tee "$(step.results.ssl_cert_file_name.path)" | ||
echo -n "$SSL_CERT_SECRET_NAME" | tee "$(step.results.ssl_cert_secret_name.path)" | ||
echo -n "$SSL_KEY_FILE_NAME" | tee "$(step.results.ssl_key_file_name.path)" | ||
echo -n "$UMB_CLIENT_NAME" | tee "$(step.results.umb_client_name.path)" | ||
echo -n "$UMB_LISTEN_TOPIC" | tee "$(step.results.umb_listen_topic.path)" | ||
echo -n "$UMB_PUBLISH_TOPIC" | tee "$(step.results.umb_publish_topic.path)" | ||
echo -n "$UMB_URL" | tee "$(step.results.umb_url.path)" |
Oops, something went wrong.