fix(RELEASE-1342): fix sign-index-image
- it now correctly supports internal-pipelineruns
  and simple-signing-pipeline
- a new mandatory parameter - `releasePlanAdmissionPath` - has
  been added. It is needed in order to obtain the serviceAccount
  so it can be used in the PipelineRun definition for the
  internal-pipelinerun

Signed-off-by: Scott Hebert <scoheb@gmail.com>
scoheb committed Dec 9, 2024
1 parent 2f309e3 commit 05b9a1d
Showing 8 changed files with 297 additions and 31 deletions.
6 changes: 5 additions & 1 deletion pipelines/fbc-release/README.md
Expand Up @@ -19,8 +19,12 @@ Tekton release pipeline to interact with FBC Pipeline
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |


## Changes in 4.0.4
* The `sign-index-image` task now receives new mandatory parameter `releasePlanAdmissionPath`

## Changes in 4.0.3
* The `sign-index-image` task now receives new mandatory parameters `taskGitUrl` and `taskGitRevision
* The `sign-index-image` task now receives new mandatory parameters `taskGitUrl` and `taskGitRevision`

## Changes in 4.0.2
* Drop the `binaryImage` param from the task `add-fbc-contribution-to-index-image`, so IIB can auto resolve it.
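Review bot: the 4.0.4 entry should say where the new task parameter comes from, because nothing in this pipeline's own parameter table changes and a pipeline user reading "new mandatory parameter" will look for a pipeline-level param. Suggest: "The `sign-index-image` task now receives a new mandatory parameter `releasePlanAdmissionPath`, sourced from the `collect-data` task's `releasePlanAdmission` result." The missing-backtick fix on the 4.0.3 line is good.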
4 changes: 3 additions & 1 deletion pipelines/fbc-release/fbc-release.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: fbc-release
labels:
app.kubernetes.io/version: "4.0.3"
app.kubernetes.io/version: "4.0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -300,6 +300,8 @@ spec:
params:
- name: dataPath
value: "$(tasks.collect-data.results.data)"
- name: releasePlanAdmissionPath
value: "$(tasks.collect-data.results.releasePlanAdmission)"
- name: referenceImage
value: $(tasks.add-fbc-contribution-to-index-image.results.requestTargetIndex)
- name: manifestListDigests
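Review bot: `$(tasks.collect-data.results.releasePlanAdmission)` assumes the `collect-data` task pinned by this pipeline emits a `releasePlanAdmission` result; the change does not touch `collect-data`, so confirm that the referenced task version actually declares that result, otherwise the PipelineRun fails at resolution time rather than inside `sign-index-image`.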
25 changes: 15 additions & 10 deletions tasks/sign-index-image/README.md
Expand Up @@ -4,16 +4,17 @@ Creates an InternalRequest to sign an index image

## Parameters

| Name | Description | Optional | Default value |
|----------------------|-------------------------------------------------------------------------------------------|----------|------------------------|
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
| referenceImage | The image to be signed | No | - |
| manifestListDigests | The manifest digests for each arch in manifest list | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| requestTimeout | InternalRequest timeout | Yes | 180 |
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | No | - |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
| Name | Description | Optional | Default value |
|--------------------------|-------------------------------------------------------------------------------------------|----------|----------------|
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
| releasePlanAdmissionPath | Path to the JSON string of the releasePlanAdmission in the data workspace | No | - |
| referenceImage | The image to be signed | No | - |
| manifestListDigests | The manifest digests for each arch in manifest list | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| requestTimeout | InternalRequest timeout | Yes | 180 |
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | No | - |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Signing data parameters

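Review bot: the description of `releasePlanAdmissionPath` mirrors the one for `dataPath` but does not say what is read from the file; state that it is the path, relative to the data workspace, of the ReleasePlanAdmission resource serialised as JSON, and that the task reads `.spec.pipeline.serviceAccountName` from it. The Optional column says No, yet the script only opens the file when `.sign.requestType` is `internal-pipelinerun`; say in the description that it is only consulted for that request type.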
Expand All @@ -28,6 +29,10 @@ data:
configMapName: <configmap name>
```

## Changes in 4.1.0
* Updated task to truly support the `simple-signing-pipeline` request
* New mandatory parameter `releasePlanAdmissionPath`

## Changes in 4.0.0
* Added new task parameters `taskGitRevision` and `taskGitUrl`
* These are passed to the InternalRequest as they are required parameters of the `simple-signing-pipeline`
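Review bot: "Updated task to truly support the `simple-signing-pipeline` request" does not tell a reader what changed; state the behaviour: when `.sign.requestType` is `internal-pipelinerun` the task now calls `internal-pipelinerun` with `--task-git-url`, `--task-git-revision` and `--service-account` taken from the releasePlanAdmission. Also, a new mandatory parameter breaks existing callers, and the 4.0.0 entry below shows the same kind of change was bumped as a major version; consider 5.0.0 for consistency with that convention.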
58 changes: 41 additions & 17 deletions tasks/sign-index-image/sign-index-image.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: sign-index-image
labels:
app.kubernetes.io/version: "4.0.0"
app.kubernetes.io/version: "4.1.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand All @@ -15,6 +15,9 @@ spec:
- name: dataPath
description: Path to the JSON string of the merged data to use in the data workspace
type: string
- name: releasePlanAdmissionPath
description: Path to the JSON string of the releasePlanAdmission in the data workspace
type: string
- name: referenceImage
type: string
description: The image to be signed.
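Review bot: `releasePlanAdmissionPath` has no `default`, so every caller must now pass it even though the script only reads the file on the `internal-pipelinerun` path; if the intent is to keep the `internal-request` path working unchanged for existing callers, a `default: ""` with the existence check kept in the script would avoid the breaking change. If it is meant to be mandatory for both paths, the description should say so.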
Expand Down Expand Up @@ -46,48 +49,69 @@ spec:
description: workspace to read and save files
steps:
- name: sign-index-image
image:
quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
image: quay.io/konflux-ci/release-service-utils:7d0135b80a47cdaa225010ea1e2dff78d057c922
script: |
#!/usr/bin/env sh
#!/usr/bin/env bash
set -e
TASK_LABEL="internal-services.appstudio.openshift.io/group-id"
TASK_ID=$(context.taskRun.uid)
PIPELINERUN_LABEL="internal-services.appstudio.openshift.io/pipelinerun-uid"
DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
if [ ! -f "${DATA_FILE}" ] ; then
echo "No valid data file was provided."
exit 1
fi
requestType=$(jq -r '.sign.requestType // "internal-request"' "${DATA_FILE}")
if [ "${requestType}" == "internal-pipelinerun" ] ; then
RPA_FILE="$(workspaces.data.path)/$(params.releasePlanAdmissionPath)"
if [ ! -f "${RPA_FILE}" ] ; then
echo "No valid rpa file was provided."
exit 1
fi
service_account_name=$(jq -r '.spec.pipeline.serviceAccountName // "appstudio-pipeline"' "${RPA_FILE}")
EXTRA_ARGS=(
--task-git-url "$(params.taskGitUrl)"
--task-git-revision "$(params.taskGitRevision)"
--service-account "${service_account_name}"
)
else
requestType=internal-request
EXTRA_ARGS=()
fi
request=$(jq -r '.sign.request // "simple-signing-pipeline"' "${DATA_FILE}")
default_pipeline_image="quay.io/redhat-isv/operator-pipelines-images:released"
pipeline_image=$(jq -r --arg default_pipeline_image "${default_pipeline_image}" \
'.sign.pipelineImage // .fbc.pipelineImage // $default_pipeline_image' "${DATA_FILE}")
config_map_name=$(jq -r '.sign.configMapName // .fbc.configMapName // "signing-config-map"' "${DATA_FILE}")
reference_image="$(params.referenceImage)"
pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid"
# Translate direct quay.io reference to public facing registry reference
# quay.io/redhat/product----repo -> registry.redhat.io/product/repo
reference_image=$(translate-delivery-repo "$reference_image" | jq -r '.[] | select(.repo=="redhat.io") | .url')
# get all digests from manifest list
for manifest_digest in $(params.manifestListDigests)
do
echo "Creating InternalRequest to sign image:"
echo "Creating ${requestType} to sign image:"
echo "- reference=${reference_image}"
echo "- manifest_digest=${manifest_digest}"
echo "- requester=$(params.requester)"
${requestType} -r "${request}" \
-p pipeline_image="${pipeline_image}" \
-p reference="${reference_image}" \
-p manifest_digest="${manifest_digest}" \
-p requester="$(params.requester)" \
-p config_map_name="${config_map_name}" \
-l ${TASK_LABEL}="${TASK_ID}" \
-l ${PIPELINERUN_LABEL}="$(params.pipelineRunUid)" \
-t "$(params.requestTimeout)" --pipeline-timeout "0h30m0s" --task-timeout "0h25m0s" \
"${EXTRA_ARGS[@]}" -s true

internal-request -r "${request}" \
-p pipeline_image="${pipeline_image}" \
-p reference="${reference_image}" \
-p manifest_digest="${manifest_digest}" \
-p requester="$(params.requester)" \
-p config_map_name="${config_map_name}" \
-p taskGitUrl="$(params.taskGitUrl)" \
-p taskGitRevision="$(params.taskGitRevision)" \
-t "$(params.requestTimeout)" \
-l "${pipelinerun_label}"="$(params.pipelineRunUid)"
echo "done"
done
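Review bot: in the `else` branch (the `internal-request` path) `EXTRA_ARGS=()` drops the `-p taskGitUrl=...` and `-p taskGitRevision=...` parameters that the removed lines passed to `internal-request`; the task README's 4.0.0 entry says these are required parameters of `simple-signing-pipeline`, so either the `internal-request` path needs them restored as `-p` values or the README should state they no longer apply there. Two smaller points: the same `else` branch silently rewrites any unrecognised `.sign.requestType` to `internal-request`, so a typo such as `internal-pipelineruns` quietly takes the wrong path; an explicit error for values other than the two supported ones fails closed. And `.spec.pipeline.serviceAccountName // "appstudio-pipeline"` falls back to a default service account when the releasePlanAdmission sets none, which the commit message's "obtain the serviceAccount" does not mention; document the fallback in the README so operators know which identity the signing PipelineRun runs as when the field is absent.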
12 changes: 12 additions & 0 deletions tasks/sign-index-image/tests/mocks.sh
Expand Up @@ -13,3 +13,15 @@ function internal-request() {
echo "Sync flag set to true. Waiting for the InternalRequest to be completed."
sleep 2
}

function internal-pipelinerun() {
echo Mock internal-request called with: $*
echo $* >> $(workspaces.data.path)/mock_internal-request.txt

# set to async
/home/utils/internal-pipelinerun $@ -s false

# mimic the sync output
echo "Sync flag set to true. Waiting for the InternalRequest to be completed."
sleep 2
}
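Review bot: the new `internal-pipelinerun` mock logs "Mock internal-request called with" and appends to `mock_internal-request.txt`, copied from the `internal-request` mock above it, so a test reading the log cannot tell which binary the task invoked; give it its own message and `mock_internal-pipelinerun.txt`. Also quote the arguments (`"$@"`) in the echo, the redirect and the forwarded call: unquoted `$*`/`$@` re-splits values containing spaces, and the trailing `-s false` relies on the real CLI letting a later `-s` override the `-s true` the task passes.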
163 changes: 163 additions & 0 deletions tasks/sign-index-image/tests/test-sign-index-image-plr.yaml
@@ -0,0 +1,163 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-sign-index-image-plr
spec:
description: Test creating a internal pipelinerun to sign an image using the simple-signing-pipeline request
workspaces:
- name: tests-workspace
tasks:
- name: setup
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
workspaces:
- name: data
steps:
- name: setup-values
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -eux
cat > "$(workspaces.data.path)/data.json" << EOF
{
"sign": {
"configMapName": "signing-config-map",
"request": "simple-signing-pipeline",
"requestType": "internal-pipelinerun"
}
}
EOF
cat > "$(workspaces.data.path)/release_plan_admission.json" << EOF
{
"spec": {
"pipeline": {
"pipelineRef": {
"resolver": "git",
"params": [
{
"name": "url",
"value": "https://localhost.git"
},
{
"name": "revision",
"value": "main"
},
{
"name": "pathInRepo",
"value": "pipelines/abc/abc.yaml"
}
]
},
"serviceAccountName": "release-service-account"
}
}
}
EOF
- name: run-task
taskRef:
name: sign-index-image
params:
- name: requester
value: testuser
- name: referenceImage
value: quay.io/testrepo/testimage:tag
- name: manifestListDigests
value: "sha256:6f9a420f660e73a sha256:6f9a420f660e73b"
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
- name: taskGitUrl
value: "http://localhost"
- name: taskGitRevision
value: "main"
- name: dataPath
value: data.json
- name: releasePlanAdmissionPath
value: release_plan_admission.json
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- setup
- name: check-result
workspaces:
- name: data
workspace: tests-workspace
taskSpec:
steps:
- name: check-result
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -eux
internalPipelineruns="$(kubectl get pr \
-l "internal-services.appstudio.openshift.io/pipelinerun-uid=$(context.pipelineRun.uid)" \
-o json --sort-by=.metadata.creationTimestamp | jq -c)"
plrsLength=$(jq ".items | length" <<< "${internalPipelineruns}" )
expectedReferences=()
expectedReferences+=("quay.io/testrepo/testimage:tag")
expectedReferences+=("quay.io/testrepo/testimage:tag")
expectedDigests=()
expectedDigests+=("sha256:6f9a420f660e73a")
expectedDigests+=("sha256:6f9a420f660e73b")
foundReferences=()
foundDigests=()
for((iplr=0; iplr<plrsLength; iplr++)); do
params=$(jq -r ".items[$iplr].spec.params" <<< "${internalPipelineruns}")
refValue=$(jq -r '.[1].value' <<< "${params}")
manifestDigest=$(jq -r '.[2].value' <<< "${params}")
foundReferences+=("${refValue}")
foundDigests+=("${manifestDigest}")
if [ "$(jq -r '.[4].value' <<< "${params}")" != "signing-config-map" ]; then
echo "config_map_name does not match"
exit 1
fi
if [ "$(jq -r '.[3].value' <<< "${params}")" != "testuser" ]; then
echo "requester does not match"
exit 1
fi
if [ "$(jq -r '.[0].value' <<< "${params}")" != \
"quay.io/redhat-isv/operator-pipelines-images:released" ]; then
echo "pipeline_image does not match"
exit 1
fi
done
differenceReferences=$(echo "${expectedReferences[@]}" "${foundReferences[@]}" | tr ' ' '\n' \
| sort | uniq -u)
differenceDigests=$(echo "${expectedDigests[@]}" "${foundDigests[@]}" | tr ' ' '\n' | sort | uniq -u)
if [ -n "${differenceReferences}" ] ; then
echo "error: references expected compared to found do not match"
echo ""
echo "${differenceReferences}"
exit 1
fi
if [ -n "${differenceDigests}" ] ; then
echo "error: digests expected compared to found do not match"
echo ""
echo "${differenceDigests}"
exit 1
fi
runAfter:
- run-task
finally:
- name: cleanup
taskSpec:
steps:
- name: delete-plrs
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -eux
kubectl delete pr -l "internal-services.appstudio.openshift.io/pipelinerun-uid=$(context.pipelineRun.uid)"
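Review bot: check-result never verifies the service account, which is the point of this change (the commit message says the releasePlanAdmission is read so the serviceAccount can be used in the PipelineRun); setup writes `"serviceAccountName": "release-service-account"`, so assert that each created PipelineRun carries that service account. The param checks also select by position (`.[0]` to `.[4]`), which silently breaks if the task reorders or inserts a `-p` flag; selecting by name, e.g. `jq -r '.[] | select(.name=="reference") | .value'`, is robust. Typo in the description: "a internal pipelinerun" should be "an internal pipelinerun".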