Skip to content

Commit

Permalink
trying stepactions
Browse files Browse the repository at this point in the history
Signed-off-by: Scott Hebert <[email protected]>
  • Loading branch information
scoheb committed Oct 1, 2024
1 parent b407eea commit 6e09acc
Show file tree
Hide file tree
Showing 10 changed files with 541 additions and 1 deletion.
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: internal-simple-signing-pipeline
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: fbc
spec:
description: >-
Tekton pipeline for HACBS signing
params:
- name: pipeline_image
description: An image with CLI tools needed for the signing.
default: quay.io/redhat-isv/operator-pipelines-images:released
- name: manifest_digest
description: Manifest digest for the signed content, usually in the format sha256:xxx
- name: reference
description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9
- name: requester
description: Name of the user that requested the signing, for auditing purposes
- name: config_map_name
description: A config map name with configuration
default: hacbs-signing-pipeline-config
- name: taskGitUrl
type: string
description: The url to the git repo where the release-service-catalog tasks to be used are stored
default: https://github.com/konflux-ci/release-service-catalog.git
- name: taskGitRevision
type: string
description: The revision in the taskGitUrl repo to be used
workspaces:
- name: pipeline
tasks:
- name: request-and-upload-signature
taskRef:
resolver: "git"
params:
- name: url
value: $(params.taskGitUrl)
- name: revision
value: $(params.taskGitRevision)
- name: pathInRepo
value: internal/tasks/request-and-upload-signature/request-and-upload-signature.yaml
params:
- name: config_map_name
value: $(params.config_map_name)
- name: manifest_digest
value: $(params.manifest_digest)
- name: reference
value: $(params.reference)
- name: requester
value: $(params.requester)
- name: taskGitUrl
value: $(params.taskGitUrl)
- name: taskGitRevision
value: $(params.taskGitRevision)
workspaces:
- name: source
workspace: pipeline
subPath: signing
# - name: request-signature
# taskRef:
# resolver: "git"
# params:
# - name: url
# value: $(params.taskGitUrl)
# - name: revision
# value: $(params.taskGitRevision)
# - name: pathInRepo
# value: internal/tasks/request-signature/request-signature.yaml
# runAfter:
# - set-env
# params:
# - name: pipeline_image
# value: "$(params.pipeline_image)"
# - name: manifest_digest
# value: "$(params.manifest_digest)"
# - name: reference
# value: "$(params.reference)"
# - name: requester
# value: "$(params.requester)"
# - name: sig_key_id
# value: "$(tasks.set-env.results.sig_key_id)"
# - name: sig_key_name
# value: "$(tasks.set-env.results.sig_key_name)"
# - name: umb_ssl_secret_name
# value: "$(tasks.set-env.results.ssl_cert_secret_name)"
# - name: umb_ssl_cert_secret_key
# value: "$(tasks.set-env.results.ssl_cert_file_name)"
# - name: umb_ssl_key_secret_key
# value: "$(tasks.set-env.results.ssl_key_file_name)"
# - name: umb_client_name
# value: "$(tasks.set-env.results.umb_client_name)"
# - name: umb_url
# value: "$(tasks.set-env.results.umb_url)"
# - name: umb_listen_topic
# value: "$(tasks.set-env.results.umb_listen_topic)"
# - name: umb_publish_topic
# value: "$(tasks.set-env.results.umb_publish_topic)"
# workspaces:
# - name: source
# workspace: pipeline
# subPath: signing
#
# - name: upload-signature
# taskRef:
# resolver: "git"
# params:
# - name: url
# value: $(params.taskGitUrl)
# - name: revision
# value: $(params.taskGitRevision)
# - name: pathInRepo
# value: internal/tasks/upload-signature/upload-signature.yaml
# runAfter:
# - request-signature
# params:
# - name: pipeline_image
# value: "$(params.pipeline_image)"
# - name: signature_data_file
# value: "$(tasks.request-signature.results.signature_data_file)"
# - name: pyxis_ssl_secret_name
# value: "$(tasks.set-env.results.ssl_cert_secret_name)"
# - name: pyxis_ssl_cert_secret_key
# value: "$(tasks.set-env.results.ssl_cert_file_name)"
# - name: pyxis_ssl_key_secret_key
# value: "$(tasks.set-env.results.ssl_key_file_name)"
# - name: pyxis_url
# value: "$(tasks.set-env.results.pyxis_url)"
# - name: verify_signature
# value: "false"
# workspaces:
# - name: source
# workspace: pipeline
# subPath: signing
# results:
# - name: signature_data
# value: "$(tasks.request-signature.results.signature_data)"
136 changes: 136 additions & 0 deletions internal/stepactions/request-signature-sa/request-signature-sa.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
---
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: request-signature-sa
spec:
params:
- description: A docker image of operator-pipeline-images for the steps to run in.
name: pipeline_image
- description: Manifest digest for the signed content, usually in the format sha256:xxx
name: manifest_digest
- description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9
name: reference
- description: Name of the user that requested the signing, for auditing purposes
name: requester
- default: 4096R/55A34A82 SHA-256
description: The signing key id that the content is signed with
name: sig_key_id
- default: containerisvsign
description: The signing key name that the content is signed with
name: sig_key_name
- description: Kubernetes secret name that contains the umb SSL files
name: umb_ssl_secret_name
- description: The key within the Kubernetes secret that contains the umb SSL cert.
name: umb_ssl_cert_secret_key
- description: The key within the Kubernetes secret that contains the umb SSL key.
name: umb_ssl_key_secret_key
- default: operatorpipelines
description: Client name to connect to umb, usually a service account name
name: umb_client_name
- default: VirtualTopic.eng.robosignatory.isv.sign
description: umb topic to listen to for responses with signed content
name: umb_listen_topic
- default: VirtualTopic.eng.operatorpipelines.isv.sign
description: umb topic to publish to for requesting signing
name: umb_publish_topic
- default: umb.api.redhat.com
description: umb host to connect to for messaging
name: umb_url
results:
- name: signature_data_file
- name: signature_data
env:
- name: UmbCert
valueFrom:
secretKeyRef:
name: $(params.umb_ssl_secret_name)
key: hacbs-signing-pipeline.pem
- name: UmbKey
valueFrom:
secretKeyRef:
name: $(params.umb_ssl_secret_name)
key: hacbs-signing-pipeline.key
- name: UMB_CERT_PATH
value: "/tmp/crt"
- name: UMB_KEY_PATH
value: "/tmp/key"
- name: manifest_digest
value: $(params.manifest_digest)
- name: reference
value: $(params.reference)
- name: requester
value: $(params.requester)
- name: sig_key_id
value: $(params.sig_key_id)
- name: sig_key_name
value: $(params.sig_key_name)
- name: umb_ssl_secret_name
value: $(params.umb_ssl_secret_name)
- name: umb_ssl_cert_secret_key
value: $(params.umb_ssl_cert_secret_key)
- name: umb_client_name
value: $(params.umb_client_name)
- name: umb_listen_topic
value: $(params.umb_listen_topic)
- name: umb_publish_topic
value: $(params.umb_publish_topic)
- name: umb_url
value: $(params.umb_url)
image: "$(params.pipeline_image)"
script: |
#!/usr/bin/env /bin/bash
set -x
echo "Requesting signing from RADAS"
env
echo "umb_url: $umb_url"
echo "umb_publish_topic: $umb_publish_topic"
echo "umb_listen_topic: $umb_listen_topic"
echo "umb_client_name: $umb_client_name"
echo "umb_ssl_cert_secret_key: $umb_ssl_cert_secret_key"
echo "umb_ssl_secret_name: $umb_ssl_secret_name"
echo "sig_key_name: $sig_key_name"
echo "requester: $requester"
echo "reference: $reference"
echo "manifest_digest: $manifest_digest"
MAX_RETRIES=3
RETRY_DELAY=5 # Initial delay
set +x
# This helps with Shellcheck warning
echo "${UmbCert:?}" > /tmp/crt
echo "${UmbKey:?}" > /tmp/key
set -x
echo "Requesting signing from RADAS"
for ((i=1; i<=MAX_RETRIES; i++)); do
if request-signature \
--manifest-digest "${manifest_digest}" \
--output signing_response.json \
--reference "${reference}" \
--requester "${requester}" \
--sig-key-id "${sig_key_id}" \
--sig-key-name "${sig_key_name}" \
--umb-client-name "${umb_client_name}" \
--umb-listen-topic "${umb_listen_topic}" \
--umb-publish-topic "${umb_publish_topic}" \
--umb-url "${umb_url}" \
--verbose
then
echo "request-signature command succeeded."
break
elif [ $i -eq $MAX_RETRIES ]; then
echo "Max retries reached. Exiting."
exit 1
else
echo "Attempt $i failed. Retrying in $RETRY_DELAY seconds..."
sleep $RETRY_DELAY
RETRY_DELAY=$((RETRY_DELAY * 2)) # Exponential backoff
fi
done
SIG_DATA=$(cat signing_response.json)
echo "Signed claims and their metadata: "
echo -n "$SIG_DATA" | tee "$(step.results.signature_data.path)"
echo -n signing_response.json | tee "$(step.results.signature_data_file.path)"
workingDir: "$(workspaces.source.path)"
63 changes: 63 additions & 0 deletions internal/stepactions/set-env-sa/set-env-sa.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
---
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
name: set-env-sa
spec:
params:
- name: ubi8_minimal_image
description: ubi8 minimal image
default: "quay.io/redhat-isv/operator-pipelines-images:released"
- name: config_map_name
description: Name of a configmap with pipeline configuration
results:
- name: pyxis_url
description: Container API URL based for selected environment
- name: sig_key_id
description: The signing key id that index image claims are signed with
- name: sig_key_name
description: The signing key name that index image claims are signed with
- name: umb_url
description: umb host to connect to for messaging, e.g. for signing
- name: umb_listen_topic
description: umb topic which is used for listening
- name: umb_publish_topic
description: umb topic which is used for publishing
- name: umb_client_name
description: Client name to connect to umb, usually a service account name
- name: ssl_cert_secret_name
description: SSL secret name
- name: ssl_cert_file_name
description: SSL certificate file name
- name: ssl_key_file_name
description: SSL key file name
image: "$(params.ubi8_minimal_image)"
env:
- name: config_map_name
value: $(params.config_map_name)
script: |
#!/bin/bash
set -ex
configMapJson=$(oc get "cm/${config_map_name:?}" -ojson)
PYXIS_URL=$(jq -r '.data.PYXIS_URL' <<< "${configMapJson}")
SIG_KEY_ID=$(jq -r '.data.SIG_KEY_ID' <<< "${configMapJson}")
SIG_KEY_NAME=$(jq -r '.data.SIG_KEY_NAME' <<< "${configMapJson}")
SSL_CERT_FILE_NAME=$(jq -r '.data.SSL_CERT_FILE_NAME' <<< "${configMapJson}")
SSL_CERT_SECRET_NAME=$(jq -r '.data.SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
SSL_KEY_FILE_NAME=$(jq -r '.data.SSL_KEY_FILE_NAME' <<< "${configMapJson}")
UMB_CLIENT_NAME=$(jq -r '.data.UMB_CLIENT_NAME' <<< "${configMapJson}")
UMB_LISTEN_TOPIC=$(jq -r '.data.UMB_LISTEN_TOPIC' <<< "${configMapJson}")
UMB_PUBLISH_TOPIC=$(jq -r '.data.UMB_PUBLISH_TOPIC' <<< "${configMapJson}")
UMB_URL=$(jq -r '.data.UMB_URL' <<< "${configMapJson}")
echo -n "$PYXIS_URL" | tee "$(step.results.pyxis_url.path)"
echo -n "$SIG_KEY_ID" | tee "$(step.results.sig_key_id.path)"
echo -n "$SIG_KEY_NAME" | tee "$(step.results.sig_key_name.path)"
echo -n "$SSL_CERT_FILE_NAME" | tee "$(step.results.ssl_cert_file_name.path)"
echo -n "$SSL_CERT_SECRET_NAME" | tee "$(step.results.ssl_cert_secret_name.path)"
echo -n "$SSL_KEY_FILE_NAME" | tee "$(step.results.ssl_key_file_name.path)"
echo -n "$UMB_CLIENT_NAME" | tee "$(step.results.umb_client_name.path)"
echo -n "$UMB_LISTEN_TOPIC" | tee "$(step.results.umb_listen_topic.path)"
echo -n "$UMB_PUBLISH_TOPIC" | tee "$(step.results.umb_publish_topic.path)"
echo -n "$UMB_URL" | tee "$(step.results.umb_url.path)"
Loading

0 comments on commit 6e09acc

Please sign in to comment.