diff --git a/pipelines/push-binaries-to-dev-portal/README.md b/pipelines/push-binaries-to-dev-portal/README.md index d269bdeed..71378762a 100644 --- a/pipelines/push-binaries-to-dev-portal/README.md +++ b/pipelines/push-binaries-to-dev-portal/README.md @@ -19,6 +19,9 @@ Tekton pipeline to sign and release Red Hat binaries to the Red Hat Developer Po | taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git | | taskGitRevision | The revision in the taskGitUrl repo to be used | No | - | +## Changes in 1.3.0 +* Add more params for `sign-binaries` task + ## Changes in 1.2.0 * Add new reduce-snapshot task diff --git a/pipelines/push-binaries-to-dev-portal/push-binaries-to-dev-portal.yaml b/pipelines/push-binaries-to-dev-portal/push-binaries-to-dev-portal.yaml index 4f1e7c391..a35bcd23f 100644 --- a/pipelines/push-binaries-to-dev-portal/push-binaries-to-dev-portal.yaml +++ b/pipelines/push-binaries-to-dev-portal/push-binaries-to-dev-portal.yaml @@ -4,7 +4,7 @@ kind: Pipeline metadata: name: push-binaries-to-dev-portal labels: - app.kubernetes.io/version: "1.2.0" + app.kubernetes.io/version: "1.3.0" annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: release @@ -213,6 +213,16 @@ spec: value: mac-signing-credentials - name: pipelineRunUid value: $(context.pipelineRun.uid) + - name: releasePath + value: "$(tasks.collect-data.results.release)" + - name: contentDir + value: "$(tasks.extract-binaries-from-image.results.binaries_path)" + - name: checksumUser + value: konflux-release-signing-sa + - name: checksumHost + value: etera-worker.hosted.upshift.rdu2.redhat.com + - name: kerberosRealm + value: IPA.REDHAT.COM runAfter: - extract-binaries-from-image - name: prepare-exodus-params diff --git a/tasks/sign-binaries/README.md b/tasks/sign-binaries/README.md index 602ab6445..5d3a08fbf 100644 --- a/tasks/sign-binaries/README.md +++ b/tasks/sign-binaries/README.md @@ -6,6 +6,7 @@ Tekton task to sign windows and mac binaries before they are pushed to the Red H | Name | Description | Optional | Default value | |------|-------------|----------|---------------| +| relasePath | Path to the release data JSON file | No | | | quayUrl | Quay URL of the repo where content will be shared | No | | | quaySecret | Secret to interact with Quay | No | | | windowsCredentials | Secret to interact with the Windows signing host | No | | @@ -13,8 +14,17 @@ Tekton task to sign windows and mac binaries before they are pushed to the Red H | macHostCredentials | Secret to interact with the Mac signing host | No | | | macSigningCredentials | Secret to interact with the Mac signing utils | No | | | macSSHKey | Secret containing SSH private key for the Mac signing host | Yes | mac-ssh-key | +| checksumUser | User to interact with the checksum host | No | | +| checksumHost | Hostname of the checksum host | No | | +| checksumKeytab | Secret containing the keytab for the checksum host | Yes | checksum-keytab | +| checksumFingerprint | Secret containing the fingerprint for the checksum host | Yes | checksum-fingerprint | +| kerberosRealm | Kerberos realm for the checksum host | No | | +| contentDir | Path where the content to push is stored in the workspace | No | | | pipelineRunUid | Unique ID of the pipelineRun | No | | +## Changes in 2.0.0 +* Add checksum signing step + ## Changes in 1.0.0 * Added parameters for mac signing steps diff --git a/tasks/sign-binaries/sign-binaries.yaml b/tasks/sign-binaries/sign-binaries.yaml index 4c790a7ed..78414b59f 100644 --- a/tasks/sign-binaries/sign-binaries.yaml +++ b/tasks/sign-binaries/sign-binaries.yaml @@ -4,7 +4,7 @@ kind: Task metadata: name: sign-binaries labels: - app.kubernetes.io/version: "1.0.0" + app.kubernetes.io/version: "2.0.0" annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: release @@ -12,6 +12,9 @@ spec: description: >- Tekton task to sign windows and mac binaries before they are pushed to the Red Hat Developer Portal params: + - name: releasePath + type: string + description: Path to the release data JSON file - name: quayURL type: string description: quay URL of the repo where content will be shared @@ -38,10 +41,36 @@ spec: - name: pipelineRunUid type: string description: Unique identifier for the pipeline run + - name: checksumUser + type: string + description: User to interact with the checksum host + - name: checksumHost + type: string + description: Hostname of the checksum host + - name: checksumFingerprint + type: string + description: Secret containing the fingerprint for the checksum host + default: checksum-fingerprint + - name: checksumKeytab + type: string + description: Secret containing the keytab for the checksum host + default: checksum-keytab + - name: kerberosRealm + type: string + description: Kerberos realm for the checksum host + - name: contentDir + type: string + description: Path where the content to push is stored in the workspace volumes: - name: windows-ssh-key-vol secret: secretName: $(params.windowsSSHKey) + - name: checksum-fingerprint-vol + secret: + secretName: $(params.checksumFingerprint) + - name: checksum-keytab-vol + secret: + secretName: $(params.checksumKeytab) workspaces: - name: data description: Workspace to save the results to @@ -54,6 +83,14 @@ spec: type: string description: | Digest used to pull signed content back to pipeline via ORAS + - name: unsignedMacDigest + type: string + description: | + Digest used by signing host to pull unsignged content via ORAS + - name: signedMacDigest + type: string + description: | + Digest used to pull signed content back to pipeline via ORAS steps: - name: push-unsigned-using-oras image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f @@ -170,13 +207,112 @@ spec: # shellcheck disable=SC2029 ssh "$SSH_OPTS" "rmdir /s /q C:\\Users\\Administrator\\AppData\\Local\\Temp\\$(params.pipelineRunUid)" - # - name: pull-signed-using-oras - # image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f - # script: | - # #!/usr/bin/env bash - # # TODO CLDX-79 - # - name: generate-checksums - # image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f - # script: | - # #!/usr/bin/env bash - # # TODO CLDX-82 + - name: generate-checksums + image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f + volumeMounts: + - name: checksum-fingerprint-vol + mountPath: "/etc/secrets_fingerprint" + readOnly: true + - name: checksum-keytab-vol + mountPath: "/etc/secrets_keytab" + readOnly: true + env: + - name: QUAY_USER + valueFrom: + secretKeyRef: + name: $(params.quaySecret) + key: username + - name: QUAY_PASS + valueFrom: + secretKeyRef: + name: $(params.quaySecret) + key: password + script: | + #!/usr/bin/env bash + + #--------------------------------------------------------------------------------------- + # This step generates checksums for all of the binaries in the content directory and + # signs them using the checksum host. + # The general workflow is that the binaries are extracted from the image(previous task), + # signed on remote hosts (windows and mac) and then a sha256sum is generated for each + # binary. The shasums are collected in a sha256sum.txt file which is then transferred to + # the checksum host for signing with Red Hat's GPG key. + # The detached signatures are returned to the workspace for inclusion in the later tasks + # to be pushed to CDN and the Red Hat Developer Portal. + #--------------------------------------------------------------------------------------- + + AUTHOR=$(jq -r '.status.attribution.author' "$(workspaces.data.path)/$(params.releasePath)") + if [[ ${AUTHOR} == "" ]] ; then exit 1 ; fi + + SSH_OPTS="-o UserKnownHostsFile=/root/.ssh/known_hosts \ + -o GSSAPIAuthentication=yes \ + -o GSSAPIDelegateCredentials=yes" + + sign_file() { + sign_method=$1 # The signing method: --clearsign or --gpgsign + checksum_user=$(params.checksumUser) + checksum_host=$(params.checksumHost) + pipeline_run_uid=$(params.pipelineRunUid) + output_path="/home/$checksum_user/$pipeline_run_uid/checksum/sha256sum.txt.$2" + input_file="/home/$checksum_user/$pipeline_run_uid/checksum/sha256sum.txt" + + echo "Executing SSH command with sign method: $sign_method" + # shellcheck disable=SC2029 + ssh "$SSH_OPTS" "$checksum_user@$checksum_host" \ + "rpm-sign --nat $sign_method --key redhatrelease2 --onbehalfof=$AUTHOR \ + --output $output_path $input_file" + } + + # Generate a kerberos ticket to ssh to the checksum host. + # The ticket is required for interacting with rpm-sign as well, + # so we use GSSAPI Delegate (in ssh opts) to transfer the ticket to the checksum host + KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u) + export KRB5CCNAME + kinit -kt /etc/secrets_keytab/keytab "$(params.checksumUser)@$(params.kerberosRealm)" + + mkdir -p /root/.ssh + chmod 700 /root/.ssh + cp "/etc/secrets_fingerprint/fingerprint" /root/.ssh/known_hosts + chmod 600 root/.ssh/known_hosts + + # get all of the signed binaries into a common directory + CONTENT_DIR="$(workspaces.data.path)/$(params.contentDir)" + SIGNED_DIR="$CONTENT_DIR/signed" + mkdir -p "$SIGNED_DIR" + mkdir -p "$CONTENT_DIR"/linux + cp -r "$CONTENT_DIR"/linux/* "$SIGNED_DIR" + cd "$SIGNED_DIR" || exit + oras login quay.io -u "$QUAY_USER" -p "$QUAY_PASS" + signed_mac_digest=$(cat "$(results.signedMacDigest.path)") + signed_windows_digest=$(cat "$(results.signedWindowsDigest.path)") + oras pull "$(params.quayURL)/signed@${signed_mac_digest}" + oras pull "$(params.quayURL)/signed@${signed_windows_digest}" + + # generate checksums for all of the binaries + SHA_SUM_PATH="${CONTENT_DIR}/sha256sum.txt" + touch "$SHA_SUM_PATH" + for file in *; do + if [ -f "$file" ]; then + checksum=$(sha256sum "$file" | awk '{ print $1 }') + echo "$checksum $file" >> "$SHA_SUM_PATH" + fi + done + # Send sha256sum.txt to the checksum host for signing + # shellcheck disable=SC2029 + ssh "$SSH_OPTS" "$(params.checksumUser)@$(params.checksumHost)" "mkdir -p ~/$(params.pipelineRunUid)/checksum" + scp "$SSH_OPTS" "${SHA_SUM_PATH}" \ + "$(params.checksumUser)@$(params.checksumHost):~/$(params.pipelineRunUid)/checksum" + + sign_file --clearsign sig + sign_file --gpgsign gpg + + # scp the two files back to the content directory + scp "$SSH_OPTS" \ + "$(params.checksumUser)@$(params.checksumHost):~/$(params.pipelineRunUid)/checksum/sha256sum.txt.sig" \ + "${SIGNED_DIR}/sha256sum.txt.sig" + + scp "$SSH_OPTS" \ + "$(params.checksumUser)@$(params.checksumHost):~/$(params.pipelineRunUid)/checksum/sha256sum.txt.gpg" \ + "${SIGNED_DIR}/sha256sum.txt.gpg" + + mv "$SHA_SUM_PATH" "${SIGNED_DIR}/sha256sum.txt" diff --git a/tasks/sign-binaries/tests/checksum_mocks.sh b/tasks/sign-binaries/tests/checksum_mocks.sh new file mode 100644 index 000000000..a59b44a18 --- /dev/null +++ b/tasks/sign-binaries/tests/checksum_mocks.sh @@ -0,0 +1,46 @@ +#!/bin/bash + + +count_file="/tmp/ssh_count_checksum.txt" +if [[ ! -f "$count_file" ]]; then + echo "0" > "$count_file" +fi + + +function ssh() { + # Read the current ssh_call_count from the file + ssh_call_count=$(cat "$count_file") + ssh_call_count=$((ssh_call_count + 1)) + echo "$ssh_call_count" > "$count_file" + + echo "$ssh_call_count" > $(workspaces.data.path)/ssh_calls_checksum.txt +} + +scp_count_file="/tmp/scp_count_checksum.txt" +if [[ ! -f "$scp_count_file" ]]; then + echo "0" > "$scp_count_file" +fi +function scp() { + scp_call_count=$(cat "$scp_count_file") + scp_call_count=$((scp_call_count + 1)) + echo "$scp_call_count" > "$scp_count_file" + if [[ "$scp_call_count" -eq 1 ]]; then + echo "$@" > $(workspaces.data.path)/mock_scp_1_checksum.txt + fi + + + if [[ "$scp_call_count" -eq 2 ]]; then + echo "$@" > "$(workspaces.data.path)/mock_scp_2_checksum.txt" + echo -n "sha256:0c4355ee4ef8d9d3875d5421972aed405ce6d8f5262983eeea3f6cbf5740c6e2" | \ + tee "$(results.signedWindowsDigest.path)" + fi + +} + +function kinit() { + echo "kinit $@" +} + +function oras() { + echo "oras $@" +} diff --git a/tasks/sign-binaries/tests/mocks.sh b/tasks/sign-binaries/tests/mocks.sh index 6c9f63f06..b77ca80eb 100644 --- a/tasks/sign-binaries/tests/mocks.sh +++ b/tasks/sign-binaries/tests/mocks.sh @@ -13,12 +13,7 @@ function ssh() { ssh_call_count=$((ssh_call_count + 1)) echo "$ssh_call_count" > "$count_file" - echo "$ssh_call_count" > $(workspaces.data.path)/ssh_calls.txt - if [[ "$*" == *"digest.txt"* ]]; then - # this is mocking oras via Windows ssh returning the signed digest - echo "mocked ssh $@" > $(workspaces.data.path)/mock_ssh_second_call.txt - echo "sha256:0c4355ee4ef8d9d3875d5421972aed405ce6d8f5262983eeea3f6cbf5740c6e2" - fi + echo "$ssh_call_count" > "$(workspaces.data.path)/ssh_calls.txt" } scp_count_file="/tmp/scp_count.txt" @@ -30,7 +25,7 @@ function scp() { scp_call_count=$((scp_call_count + 1)) echo "$scp_call_count" > "$scp_count_file" if [[ "$scp_call_count" -eq 1 ]]; then - echo "$@" > $(workspaces.data.path)/mock_scp_1.txt + echo "$@" > "$(workspaces.data.path)/mock_scp_1.txt" fi @@ -46,3 +41,7 @@ function oras() { # this is mocking the oras command to push unsigned binaries to the registry echo "Digest: sha256:5ce6d8f5262983eeea3f6cbf5740c6e20c4355ee4ef8d9d3875d5421972aed40" } + +function kinit() { + echo "kinit $*" +} diff --git a/tasks/sign-binaries/tests/pre-apply-task-hook.sh b/tasks/sign-binaries/tests/pre-apply-task-hook.sh index e3fc8b559..8d6e23654 100755 --- a/tasks/sign-binaries/tests/pre-apply-task-hook.sh +++ b/tasks/sign-binaries/tests/pre-apply-task-hook.sh @@ -5,6 +5,7 @@ TASK_PATH="$1" SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) yq -i '.spec.steps[0].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[0].script' "$TASK_PATH" yq -i '.spec.steps[1].script = load_str("'$SCRIPT_DIR'/mocks.sh") + .spec.steps[1].script' "$TASK_PATH" +yq -i '.spec.steps[2].script = load_str("'$SCRIPT_DIR'/checksum_mocks.sh") + .spec.steps[2].script' "$TASK_PATH" # Delete existing secrets if they exist kubectl delete secret windows-credentials --ignore-not-found @@ -13,6 +14,9 @@ kubectl delete secret mac-signing-credentials --ignore-not-found kubectl delete secret mac-host-credentials --ignore-not-found kubectl delete secret mac-ssh-key --ignore-not-found kubectl delete secret quay-secret --ignore-not-found +kubectl delete secret checksum-fingerprint --ignore-not-found +kubectl delete secret checksum-keytab --ignore-not-found + # Create the windows-credentials secret kubectl create secret generic windows-credentials \ --from-literal=username=myusername \ @@ -52,3 +56,13 @@ kubectl create secret generic mac-ssh-key \ --from-literal=id_rsa="some private key" \ --from-literal=fingerprint="some fingerprint" \ --namespace=default + +# Create the checksum fingerprint +kubectl create secret generic checksum-fingerprint \ + --from-literal=fingerprint="some fingerprint" \ + --namespace=default + +# Create the checksum keytab +kubectl create secret generic checksum-keytab \ + --from-literal=keytab="some keytab" \ + --namespace=default diff --git a/tasks/sign-binaries/tests/test-sign-binaries-checksum.yaml b/tasks/sign-binaries/tests/test-sign-binaries-checksum.yaml new file mode 100644 index 000000000..689a12b51 --- /dev/null +++ b/tasks/sign-binaries/tests/test-sign-binaries-checksum.yaml @@ -0,0 +1,171 @@ +--- +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: test-sign-binaries-checksum +spec: + description: | + Run the sign-binaries task and verify the results + workspaces: + - name: tests-workspace + tasks: + - name: setup + workspaces: + - name: data + workspace: tests-workspace + taskSpec: + workspaces: + - name: data + steps: + - name: setup-values + image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f + script: | + #!/usr/bin/env sh + set -eux + cat > "$(workspaces.data.path)/data.json" << EOF + { + "somekey": { + "key": "value", + "foo": "bar" + } + } + EOF + mkdir -p "$(workspaces.data.path)/content/linux" + cat > "$(workspaces.data.path)/content/linux/linux_binary.bin" << EOF + some data + EOF + + # Create release.json status.attribution.author + cat > "$(workspaces.data.path)/release.json" << EOF + { + "status": { + "attribution": { + "author": "John Doe" + } + } + } + EOF + + # Create binaries in signed directory + mkdir -p "$(workspaces.data.path)/content/signed/" + cat > "$(workspaces.data.path)/content/signed/mac_binary.bin" << EOF + more data + EOF + cat > "$(workspaces.data.path)/content/signed/windows_binary.bin" << EOF + even more data + EOF + - name: run-task + taskRef: + name: sign-binaries + workspaces: + - name: data + workspace: tests-workspace + params: + - name: windowsCredentials + value: windows-credentials + - name: ssh_key_secret + value: windows-ssh-key + - name: macHostCredentials + value: mac-host-credentials + - name: macSigningCredentials + value: mac-signing-credentials + - name: quaySecret + value: quay-secret + - name: quayURL + value: quay.io/konflux-artifacts + - name: pipelineRunUid + value: 12345678 + - name: releasePath + value: "release.json" + - name: contentDir + value: "content" + - name: checksumUser + value: konflux-release-signing-sa + - name: checksumHost + value: etera-worker.hosted.upshift.rdu2.redhat.com + - name: kerberosRealm + value: IPA.REDHAT.COM + runAfter: + - setup + - name: check-result + workspaces: + - name: data + workspace: tests-workspace + params: + - name: signedWindowsDigest + value: $(tasks.run-task.results.signedWindowsDigest) + taskSpec: + workspaces: + - name: data + params: + - name: signedWindowsDigest + description: The digest of the signed content pushed using ORAS for signing hosts + type: string + steps: + - name: check-result + image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f + script: | + #!/usr/bin/env bash + + expected_calls="3" + actual_content=$(cat "$(workspaces.data.path)/ssh_calls_checksum.txt") + if [[ "$actual_content" == "$expected_calls" ]]; then + echo "Test passed: SSH called three times as expected." + else + echo "Test failed: SSH not called expected number of times." + echo "Expected: '$expected_calls'" + echo "Actual: '$actual_content'" + exit 1 + fi + + # assert sha256sum.txt is generated properly + expected_sha256sum="5aa03f96c77536579166fba147929626cc3a97960e994057a9d80271a736d10f linux_binary.bin + 1e26ce5588db2ef5080a3df10385a731af2a4bfd0d2515f691d05d9dd900e18a mac_binary.bin + a809cbf745ba013315fd174e0319d7159b856d1a09733cfd457636bf3898d581 windows_binary.bin" + actual_sha256sum=$(cat "$(workspaces.data.path)/content/signed/sha256sum.txt") + if [[ "$actual_sha256sum" == "$expected_sha256sum" ]]; then + echo "Test passed: sha256sum.txt is generated properly." + else + echo "Test failed: sha256sum.txt is not generated properly." + echo "Expected: '$expected_sha256sum'" + echo "Actual: '$actual_sha256sum'" + exit 1 + fi + + actual=$(cat "$(workspaces.data.path)/mock_scp_1_checksum.txt") + expected_scp="-o UserKnownHostsFile=/root/.ssh/known_hosts \ + -o GSSAPIAuthentication=yes \ + -o GSSAPIDelegateCredentials=yes \ + /workspace/data/content/sha256sum.txt \ + konflux-release-signing-sa@etera-worker.hosted.upshift.rdu2.redhat.com:~/12345678/checksum" + normalized_expected=$(echo "$expected_scp" | tr -s '[:space:]') + normalized_actual=$(echo "$actual" | tr -s '[:space:]') + if [[ "$normalized_actual" == "$normalized_expected" ]]; then + echo "Test passed: First SCP command is correct." + else + echo "Test failed: First SCP command is incorrect." + echo "Expected: '$normalized_expected'" + echo "Actual: '$normalized_actual'" + exit 1 + fi + + # check second scp command + actual=$(cat "$(workspaces.data.path)/mock_scp_2_checksum.txt") + expected_scp="-o UserKnownHostsFile=/root/.ssh/known_hosts \ + -o GSSAPIAuthentication=yes -o \ + GSSAPIDelegateCredentials=yes \ + konflux-release-signing-sa@etera-worker.hosted.upshift.rdu2.redhat.com:\ + ~/12345678/checksum/sha256sum.txt.sig \ + /workspace/data/content/signed/sha256sum.txt.sig" + normalized_expected=$(echo "$expected_scp" | tr -s '[:space:]') + normalized_actual=$(echo "$actual" | tr -s '[:space:]') + if [[ "$normalized_actual" == "$normalized_expected" ]]; then + echo "Test passed: Second SCP command is correct." + else + echo "Test failed: Second SCP command is incorrect." + echo "Expected: '$normalized_expected'" + echo "Actual: '$normalized_actual'" + exit 1 + fi + runAfter: + - run-task diff --git a/tasks/sign-binaries/tests/test-sign-binaries.yaml b/tasks/sign-binaries/tests/test-sign-binaries.yaml index 985e07cf4..ae1c20a0b 100644 --- a/tasks/sign-binaries/tests/test-sign-binaries.yaml +++ b/tasks/sign-binaries/tests/test-sign-binaries.yaml @@ -9,6 +9,51 @@ spec: workspaces: - name: tests-workspace tasks: + - name: setup + workspaces: + - name: data + workspace: tests-workspace + taskSpec: + workspaces: + - name: data + steps: + - name: setup-values + image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f + script: | + #!/usr/bin/env sh + set -eux + cat > "$(workspaces.data.path)/data.json" << EOF + { + "somekey": { + "key": "value", + "foo": "bar" + } + } + EOF + mkdir -p "$(workspaces.data.path)/content/linux" + cat > "$(workspaces.data.path)/content/linux/linux_binary.bin" << EOF + some data + EOF + + # Create release.json status.attribution.author + cat > "$(workspaces.data.path)/release.json" << EOF + { + "status": { + "attribution": { + "author": "John Doe" + } + } + } + EOF + + # Create binaries in signed directory + mkdir -p "$(workspaces.data.path)/content/signed/" + cat > "$(workspaces.data.path)/content/signed/mac_binary.bin" << EOF + more data + EOF + cat > "$(workspaces.data.path)/content/signed/windows_binary.bin" << EOF + even more data + EOF - name: run-task taskRef: name: sign-binaries @@ -30,6 +75,18 @@ spec: value: quay.io/konflux-artifacts - name: pipelineRunUid value: 12345678 + - name: releasePath + value: "release.json" + - name: contentDir + value: "content" + - name: checksumUser + value: konflux-release-signing-sa + - name: checksumHost + value: etera-worker.hosted.upshift.rdu2.redhat.com + - name: kerberosRealm + value: IPA.REDHAT.COM + runAfter: + - setup - name: check-result workspaces: - name: data @@ -98,6 +155,5 @@ spec: echo "Actual: '$mock_scp_2'" exit 1 fi - runAfter: - run-task