Skip to content

Commit

Permalink
feat(RELEASE-1191): differentiate pyxis and umb in signing
Browse files Browse the repository at this point in the history
This commit modifies the `simple-signing-pipeline` and its tasks to use
separate credentials for Pyxis and UMB authentication. Prior to this
commit, both were pulled from the same configMap values so it was
impossible to use stage for one system and prod for the other.

Signed-off-by: Johnny Bieren <jbieren@redhat.com>
  • Loading branch information
johnbieren committed Dec 5, 2024
1 parent 13fe5ad commit 4511915
Show file tree
Hide file tree
Showing 10 changed files with 136 additions and 73 deletions.
8 changes: 8 additions & 0 deletions pipelines/simple-signing-pipeline/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,11 @@ Tekton pipeline for simple signing. It is meant to be used by the rh-sign-image
| config_map_name | A config map name with configuration | Yes | hacbs-signing-pipeline-config |
| taskGitUrl | The url to the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |

## Changes in 0.2.0
* Changed the results used as parameters to `request-and-upload-signature`
* Instead of using the same results for both the Pyxis and UMB SSL authentication, the two were split into
their own keys. The `request-and-upload-signature` task already had separate parameters for them, but
they were using the same values
* While it did have separate parameters for them, one set was prefixed `pyxis_` and the other had no
prefix, so the prefix was added for the `umb_` ones
26 changes: 13 additions & 13 deletions pipelines/simple-signing-pipeline/simple-signing-pipeline.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ kind: Pipeline
metadata:
name: simple-signing-pipeline
labels:
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/version: "0.2.0"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
Expand Down Expand Up @@ -77,12 +77,12 @@ spec:
value: $(tasks.collect-simple-signing-params.results.sig_key_id)
- name: sig_key_name
value: $(tasks.collect-simple-signing-params.results.sig_key_name)
- name: ssl_cert_secret_name
value: $(tasks.collect-simple-signing-params.results.ssl_cert_secret_name)
- name: ssl_cert_file_name
value: $(tasks.collect-simple-signing-params.results.ssl_cert_file_name)
- name: ssl_key_file_name
value: $(tasks.collect-simple-signing-params.results.ssl_key_file_name)
- name: umb_ssl_cert_secret_name
value: $(tasks.collect-simple-signing-params.results.umb_ssl_cert_secret_name)
- name: umb_ssl_cert_file_name
value: $(tasks.collect-simple-signing-params.results.umb_ssl_cert_file_name)
- name: umb_ssl_key_file_name
value: $(tasks.collect-simple-signing-params.results.umb_ssl_key_file_name)
- name: umb_client_name
value: $(tasks.collect-simple-signing-params.results.umb_client_name)
- name: umb_listen_topic
Expand All @@ -91,12 +91,12 @@ spec:
value: $(tasks.collect-simple-signing-params.results.umb_publish_topic)
- name: umb_url
value: $(tasks.collect-simple-signing-params.results.umb_url)
- name: pyxis_ssl_secret_name
value: $(tasks.collect-simple-signing-params.results.ssl_cert_secret_name)
- name: pyxis_ssl_cert_secret_key
value: $(tasks.collect-simple-signing-params.results.ssl_cert_file_name)
- name: pyxis_ssl_key_secret_key
value: $(tasks.collect-simple-signing-params.results.ssl_key_file_name)
- name: pyxis_ssl_cert_secret_name
value: $(tasks.collect-simple-signing-params.results.pyxis_ssl_cert_secret_name)
- name: pyxis_ssl_cert_file_name
value: $(tasks.collect-simple-signing-params.results.pyxis_ssl_cert_file_name)
- name: pyxis_ssl_key_file_name
value: $(tasks.collect-simple-signing-params.results.pyxis_ssl_key_file_name)
- name: pyxis_url
value: $(tasks.collect-simple-signing-params.results.pyxis_url)
- name: taskGitUrl
Expand Down
7 changes: 7 additions & 0 deletions tasks/collect-simple-signing-params/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,10 @@ Task to collect parameters for the simple signing pipeline
| Name | Description | Optional | Default value |
|------------------|---------------------------------------------------------------------------------------|----------|--------------------------------------------------------|
| config_map_name | Name of a configmap with pipeline configuration | No | - |

## Changes in 0.2.0
* Added the `[pyxis,umb]_ssl_cert_file_name`, `[pyxis,umb]_ssl_cert_secret_name` and `[pyxis,umb]_ssl_key_file_name`
results
* They take the place of `ssl_cert_file_name`, `ssl_cert_secret_name` and `ssl_key_file_name` respectively
* These keys now exist in the configMaps used in this task
* They were added to break apart Pyxis and UMB credentials
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: collect-simple-signing-params
labels:
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/version: "0.2.0"
annotations:
tekton.dev/tags: release
spec:
Expand All @@ -26,12 +26,18 @@ spec:
description: umb topic which is used for publishing
- name: umb_client_name
description: Client name to connect to umb, usually a service account name
- name: ssl_cert_secret_name
description: SSL secret name
- name: ssl_cert_file_name
description: SSL certificate file name
- name: ssl_key_file_name
description: SSL key file name
- name: pyxis_ssl_cert_secret_name
description: Pyxis SSL secret name
- name: pyxis_ssl_cert_file_name
description: Pyxis SSL certificate file name
- name: pyxis_ssl_key_file_name
description: Pyxis SSL key file name
- name: umb_ssl_cert_secret_name
description: UMB SSL secret name
- name: umb_ssl_cert_file_name
description: UMB SSL certificate file name
- name: umb_ssl_key_file_name
description: UMB SSL key file name
steps:
- name: collect-simple-signing-params
image: quay.io/konflux-ci/release-service-utils:7d0135b80a47cdaa225010ea1e2dff78d057c922
Expand All @@ -46,21 +52,27 @@ spec:
PYXIS_URL=$(jq -er '.data.PYXIS_URL' <<< "${configMapJson}")
SIG_KEY_ID=$(jq -er '.data.SIG_KEY_ID' <<< "${configMapJson}")
SIG_KEY_NAME=$(jq -er '.data.SIG_KEY_NAME' <<< "${configMapJson}")
SSL_CERT_FILE_NAME=$(jq -er '.data.SSL_CERT_FILE_NAME' <<< "${configMapJson}")
SSL_CERT_SECRET_NAME=$(jq -er '.data.SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
SSL_KEY_FILE_NAME=$(jq -er '.data.SSL_KEY_FILE_NAME' <<< "${configMapJson}")
PYXIS_SSL_CERT_FILE_NAME=$(jq -er '.data.PYXIS_SSL_CERT_FILE_NAME' <<< "${configMapJson}")
PYXIS_SSL_CERT_SECRET_NAME=$(jq -er '.data.PYXIS_SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
PYXIS_SSL_KEY_FILE_NAME=$(jq -er '.data.PYXIS_SSL_KEY_FILE_NAME' <<< "${configMapJson}")
UMB_CLIENT_NAME=$(jq -er '.data.UMB_CLIENT_NAME' <<< "${configMapJson}")
UMB_LISTEN_TOPIC=$(jq -er '.data.UMB_LISTEN_TOPIC' <<< "${configMapJson}")
UMB_PUBLISH_TOPIC=$(jq -er '.data.UMB_PUBLISH_TOPIC' <<< "${configMapJson}")
UMB_URL=$(jq -er '.data.UMB_URL' <<< "${configMapJson}")
UMB_SSL_CERT_FILE_NAME=$(jq -er '.data.UMB_SSL_CERT_FILE_NAME' <<< "${configMapJson}")
UMB_SSL_CERT_SECRET_NAME=$(jq -er '.data.UMB_SSL_CERT_SECRET_NAME' <<< "${configMapJson}")
UMB_SSL_KEY_FILE_NAME=$(jq -er '.data.UMB_SSL_KEY_FILE_NAME' <<< "${configMapJson}")
echo -n "$PYXIS_URL" | tee "$(results.pyxis_url.path)"
echo -n "$SIG_KEY_ID" | tee "$(results.sig_key_id.path)"
echo -n "$SIG_KEY_NAME" | tee "$(results.sig_key_name.path)"
echo -n "$SSL_CERT_FILE_NAME" | tee "$(results.ssl_cert_file_name.path)"
echo -n "$SSL_CERT_SECRET_NAME" | tee "$(results.ssl_cert_secret_name.path)"
echo -n "$SSL_KEY_FILE_NAME" | tee "$(results.ssl_key_file_name.path)"
echo -n "$PYXIS_SSL_CERT_FILE_NAME" | tee "$(results.pyxis_ssl_cert_file_name.path)"
echo -n "$PYXIS_SSL_CERT_SECRET_NAME" | tee "$(results.pyxis_ssl_cert_secret_name.path)"
echo -n "$PYXIS_SSL_KEY_FILE_NAME" | tee "$(results.pyxis_ssl_key_file_name.path)"
echo -n "$UMB_CLIENT_NAME" | tee "$(results.umb_client_name.path)"
echo -n "$UMB_LISTEN_TOPIC" | tee "$(results.umb_listen_topic.path)"
echo -n "$UMB_PUBLISH_TOPIC" | tee "$(results.umb_publish_topic.path)"
echo -n "$UMB_URL" | tee "$(results.umb_url.path)"
echo -n "$UMB_SSL_CERT_FILE_NAME" | tee "$(results.umb_ssl_cert_file_name.path)"
echo -n "$UMB_SSL_CERT_SECRET_NAME" | tee "$(results.umb_ssl_cert_secret_name.path)"
echo -n "$UMB_SSL_KEY_FILE_NAME" | tee "$(results.umb_ssl_key_file_name.path)"
11 changes: 7 additions & 4 deletions tasks/collect-simple-signing-params/tests/pre-apply-task-hook.sh
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,16 @@ cat > "/tmp/configMap.json" << EOF
"PYXIS_URL": "https://pyxis.stage.engineering.redhat.com",
"SIG_KEY_ID": "4096R/37036783 SHA-256",
"SIG_KEY_NAME": "redhate2etesting",
"SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
"SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
"SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key",
"PYXIS_SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
"PYXIS_SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
"PYXIS_SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key",
"UMB_CLIENT_NAME": "hacbs-signing-pipeline-nonprod",
"UMB_LISTEN_TOPIC": "VirtualTopic.eng.robosignatory.hacbs.sign",
"UMB_PUBLISH_TOPIC": "VirtualTopic.eng.hacbs-signing-pipeline.hacbs.sign",
"UMB_URL": "umb.stage.api.redhat.com"
"UMB_URL": "umb.stage.api.redhat.com",
"UMB_SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
"UMB_SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
"UMB_SSL_KEY_FILE_NAME": "hacbs-signing-pipeline.key"
},
"kind": "ConfigMap",
"metadata": {
Expand Down
42 changes: 25 additions & 17 deletions tasks/request-and-upload-signature/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,20 +4,28 @@ Task to request and upload signatures using RADAS and pyxis

## Parameters

| Name | Description | Optional | Default value |
|----------------------|-------------------------------------------------------------------------------------------------------|----------|-------------------------------------------------------|
| pipeline_image | An image with CLI tools needed for the signing. | Yes | quay.io/redhat-isv/operator-pipelines-images:released |
| manifest_digest | Manifest digest for the signed content, usually in the format sha256:xxx | No | - |
| reference | Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9 | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| sig_key_id | The signing key id that the content is signed with | Yes | 4096R/55A34A82 SHA-256 |
| sig_key_name | The signing key name that the content is signed with | Yes | containerisvsign |
| ssl_cert_secret_name | Kubernetes secret name that contains the umb SSL files | No | - |
| ssl_cert_file_name | The key within the Kubernetes secret that contains the umb SSL cert. | No | - |
| ssl_key_file_name | The key within the Kubernetes secret that contains the umb SSL key. | No | - |
| umb_client_name | Client name to connect to umb, usually a service account name | Yes | operatorpipelines |
| umb_listen_topic | umb topic to listen to for responses with signed content | Yes | VirtualTopic.eng.robosignatory.isv.sign |
| umb_publish_topic | umb topic to publish to for requesting signing | Yes | VirtualTopic.eng.operatorpipelines.isv.sign |
| umb_url | umb host to connect to for messaging | Yes | umb.api.redhat.com |
| pyxis_url | Pyxis instance to upload the signature to. | Yes | https://pyxis.engineering.redhat.com |
| signature_data_file | The file where the signing response should be placed | Yes | signing_response.json |
| Name | Description | Optional | Default value |
|----------------------------|-------------------------------------------------------------------------------------------------------|----------|-------------------------------------------------------|
| pipeline_image | An image with CLI tools needed for the signing. | Yes | quay.io/redhat-isv/operator-pipelines-images:released |
| manifest_digest | Manifest digest for the signed content, usually in the format sha256:xxx | No | - |
| reference | Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9 | No | - |
| requester | Name of the user that requested the signing, for auditing purposes | No | - |
| sig_key_id | The signing key id that the content is signed with | Yes | 4096R/55A34A82 SHA-256 |
| sig_key_name | The signing key name that the content is signed with | Yes | containerisvsign |
| pyxis_ssl_cert_secret_name | Kubernetes secret name that contains the Pyxis SSL files | No | - |
| pyxis_ssl_cert_file_name | The key within the Kubernetes secret that contains the Pyxis SSL cert. | No | - |
| pyxis_ssl_key_file_name | The key within the Kubernetes secret that contains the Pyxis SSL key. | No | - |
| umb_client_name | Client name to connect to umb, usually a service account name | Yes | operatorpipelines |
| umb_listen_topic | umb topic to listen to for responses with signed content | Yes | VirtualTopic.eng.robosignatory.isv.sign |
| umb_publish_topic | umb topic to publish to for requesting signing | Yes | VirtualTopic.eng.operatorpipelines.isv.sign |
| umb_url | umb host to connect to for messaging | Yes | umb.api.redhat.com |
| umb_ssl_cert_secret_name | Kubernetes secret name that contains the umb SSL files | No | - |
| umb_ssl_cert_file_name | The key within the Kubernetes secret that contains the umb SSL cert. | No | - |
| umb_ssl_key_file_name | The key within the Kubernetes secret that contains the umb SSL key. | No | - |
| pyxis_url | Pyxis instance to upload the signature to. | Yes | https://pyxis.engineering.redhat.com |
| signature_data_file | The file where the signing response should be placed | Yes | signing_response.json |

## Changes in 1.0.0
* Replaced `ssl_cert_secret_name`, `ssl_cert_file_name` and `ssl_key_file_name` parameters with Pyxis and UMB
specific ones
* This allows us to use the stage version of one system with the prod version of the other
Loading

0 comments on commit 4511915

Please sign in to comment.