feat(ISV-5130): push SBOMs to Atlas

The rh-advisories pipeline now supports generating product-level SBOMs
at release time and enhancing component-level SBOMs created at build
time with additional release-time data.

Signed-off-by: Martin Jediny <jedinym@proton.me>

pipelines/rh-advisories/README.md

@@ -23,6 +23,14 @@ the rh-push-to-registry-redhat-io pipeline.
 | taskGitUrl                      | The url to the git repo where the release-service-catalog tasks to be used are stored                                              | Yes      | https://github.com/konflux-ci/release-service-catalog.git |
 | taskGitRevision                 | The revision in the taskGitUrl repo to be used                                                                                     | No       | -                                                         |
 
+## Changes in 1.6.0
+* Add collect-atlas-params task to fetch Atlas parameters from the RPA.
+* Add create-product-sbom task to create product-level SBOMs.
+* Add update-component-sbom task to update component-level SBOMs with release
+  info.
+* Add upload-product-sbom task to push the product SBOM to Atlas.
+* Add upload-component-sbom task to push the component-level SBOMs to Atlas.
+
 ## Changes in 1.5.6
 * new mandatory parameter resultsDirPath added to run-file-updates task
 

pipelines/rh-advisories/rh-advisories.yaml

@@ -4,7 +4,7 @@ kind: Pipeline
 metadata:
   name: rh-advisories
   labels:
-    app.kubernetes.io/version: "1.5.6"
+    app.kubernetes.io/version: "1.6.0"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -505,6 +505,60 @@ spec:
       workspaces:
         - name: data
           workspace: release-workspace
+    - name: update-component-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
+      taskRef:
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: tasks/update-component-sbom/update-component-sbom.yaml
+        resolver: git
+      workspaces:
+        - name: data
+          workspace: release-workspace
+      params:
+        - name: dataJsonPath
+          value: "$(tasks.collect-data.results.data)"
+        - name: downloadedSbomPath
+          value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
+      runAfter:
+        - collect-data
+        - collect-atlas-params
+        - push-rpm-data-to-pyxis
+    - name: upload-component-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
+      params:
+        - name: sbomDir
+          value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
+        - name: atlasSecretName
+          value: "$(tasks.collect-atlas-params.results.secretName)"
+        - name: ssoTokenUrl
+          value: "$(tasks.collect-atlas-params.results.ssoTokenUrl)"
+        - name: bombasticApiUrl
+          value: "$(tasks.collect-atlas-params.results.bombasticApiUrl)"
+      taskRef:
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: tasks/upload-sbom-to-atlas/upload-sbom-to-atlas.yaml
+        resolver: git
+      workspaces:
+        - name: data
+          workspace: release-workspace
+      runAfter:
+        - update-component-sbom
     - name: check-data-keys
       params:
         - name: dataPath
@@ -526,6 +580,75 @@ spec:
           workspace: release-workspace
       runAfter:
         - populate-release-notes-images
+    - name: collect-atlas-params
+      taskRef:
+        resolver: "git"
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: tasks/collect-atlas-params/collect-atlas-params.yaml
+      params:
+        - name: dataPath
+          value: "$(tasks.collect-data.results.data)"
+      workspaces:
+        - name: data
+          workspace: release-workspace
+      runAfter:
+        - collect-data
+    - name: create-product-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
+      params:
+        - name: dataJsonPath
+          value: "$(tasks.collect-data.results.data)"
+      taskRef:
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: tasks/create-product-sbom/create-product-sbom.yaml
+        resolver: git
+      workspaces:
+        - name: data
+          workspace: release-workspace
+      runAfter:
+        - collect-atlas-params
+        - populate-release-notes-images
+    - name: upload-product-sbom
+      when:
+        - input: "$(tasks.collect-atlas-params.results.secretName)"
+          operator: notin
+          values: [""]
+      params:
+        - name: sbomDir
+          value: "$(tasks.create-product-sbom.results.productSBOMPath)"
+        - name: atlasSecretName
+          value: "$(tasks.collect-atlas-params.results.secretName)"
+        - name: ssoTokenUrl
+          value: "$(tasks.collect-atlas-params.results.ssoTokenUrl)"
+        - name: bombasticApiUrl
+          value: "$(tasks.collect-atlas-params.results.bombasticApiUrl)"
+      taskRef:
+        params:
+          - name: url
+            value: $(params.taskGitUrl)
+          - name: revision
+            value: $(params.taskGitRevision)
+          - name: pathInRepo
+            value: tasks/upload-sbom-to-atlas/upload-sbom-to-atlas.yaml
+        resolver: git
+      workspaces:
+        - name: data
+          workspace: release-workspace
+      runAfter:
+        - create-product-sbom
     - name: create-advisory
       retries: 5
       params:

schema/dataKeys.json

@@ -318,6 +318,20 @@
         }
       }
     },
+    "atlas": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "server": {
+          "type": "string",
+          "description": "The release Atlas server to push SBOMs to",
+          "enum": [
+            "stage",
+            "production"
+          ]
+        }
+      }
+    },
     "slack": {
       "type": "object",
       "properties": {

tasks/collect-atlas-params/README.md

@@ -0,0 +1,13 @@
+# collect-atlas-params
+
+Tekton task that collects the Atlas server option from the data file. Based on
+the value of the "atlas.server" field ("stage" or "production"), outputs results
+used to push SBOMs to Atlas. If no Atlas fields are present in the RPA, it
+outputs empty strings as results, indicating that the Atlas push should be
+skipped.
+
+## Parameters
+
+| Name     | Description                                                                                                    | Optional | Default value |
+|----------|----------------------------------------------------------------------------------------------------------------|----------|---------------|
+| dataPath | Path to the merged data JSON file generated by collect-data task and containing the Atlas configuration option | No       | -             |

tasks/collect-atlas-params/collect-atlas-params.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: collect-atlas-params
+  labels:
+    app.kubernetes.io/version: "0.1.0"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: release
+spec:
+  description: >-
+    Tekton task that collects Atlas API configuration options from the data file.
+  params:
+    - name: dataPath
+      type: string
+      description: |
+        Path to the JSON string of the merged data containing the Atlas config.
+  workspaces:
+    - name: data
+  results:
+    - name: bombasticApiUrl
+      type: string
+      description: |
+        URL of the bombastic API.
+    - name: ssoTokenUrl
+      type: string
+      description: |
+        URL of the SSO token issuer.
+    - name: secretName
+      type: string
+      description: |
+        The kubernetes secret to use to authenticate to bombastic.
+  steps:
+    - name: collect-atlas-params
+      image:
+        quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
+      script: |
+        #!/usr/bin/env bash
+        set -x
+
+        DATA_FILE="$(workspaces.data.path)/$(params.dataPath)"
+        if [ ! -f "${DATA_FILE}" ] ; then
+            echo "ERROR: No valid data file was provided."
+            exit 1
+        fi
+
+        atlasServer=$(jq -r '.atlas.server' "$DATA_FILE")
+        if [ "$atlasServer" = "null" ]; then
+            # In this case, SBOM processing will be skipped.
+            bombasticApiUrl=""
+            ssoTokenUrl=""
+            secretName=""
+        elif [ "$atlasServer" = "stage" ]; then
+            bombasticApiUrl="https://sbom.atlas.release.stage.devshift.net"
+            ssoTokenUrl="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
+            secretName="atlas-staging-sso-secret"
+        elif [ "$atlasServer" = "production" ]; then
+            bombasticApiUrl="https://sbom.atlas.release.devshift.net"
+            ssoTokenUrl="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token"
+            secretName="atlas-prod-sso-secret"
+        else
+            echo "ERROR: Unknown .atlas.server value '$atlasServer'. Expected 'stage' or 'production'."
+            exit 1
+        fi
+
+        echo -n "$bombasticApiUrl" > "$(results.bombasticApiUrl.path)"
+        echo -n "$ssoTokenUrl" > "$(results.ssoTokenUrl.path)"
+        echo -n "$secretName" > "$(results.secretName.path)"

tasks/collect-atlas-params/tests/test-collect-atlas-params-bad-value.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: test-collect-atlas-params-bad-value
+  annotations:
+    test/assert-task-failure: "run-task"
+spec:
+  description: |
+    Run the collect-atlas-params task with a bad value as atlasServer.
+  workspaces:
+    - name: tests-workspace
+  tasks:
+    - name: setup
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskSpec:
+        workspaces:
+          - name: data
+        steps:
+          - name: setup-values
+            image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
+            script: |
+              #!/usr/bin/env bash
+              set -eux
+
+              cat > "$(workspaces.data.path)/data.json" << EOF
+              {
+                "atlas": {
+                  "server": "invalid"
+                }
+              }
+              EOF
+    - name: run-task
+      taskRef:
+        name: collect-atlas-params
+      params:
+        - name: dataPath
+          value: data.json
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      runAfter:
+        - setup

tasks/collect-atlas-params/tests/test-collect-atlas-params-nonexistent.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: test-collect-atlas-params-nonexistent
+spec:
+  description: |
+    Run the collect-atlas-params task with a missing atlasServer key.
+  workspaces:
+    - name: tests-workspace
+  tasks:
+    - name: setup
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      taskSpec:
+        workspaces:
+          - name: data
+        steps:
+          - name: setup-values
+            image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
+            script: |
+              #!/usr/bin/env bash
+              set -eux
+              echo "{}" > "$(workspaces.data.path)/data.json"
+    - name: run-task
+      taskRef:
+        name: collect-atlas-params
+      params:
+        - name: dataPath
+          value: data.json
+      workspaces:
+        - name: data
+          workspace: tests-workspace
+      runAfter:
+        - setup
+    - name: check-result
+      params:
+        - name: secretName
+          value: $(tasks.run-task.results.secretName)
+        - name: ssoTokenUrl
+          value: $(tasks.run-task.results.ssoTokenUrl)
+        - name: bombasticApiUrl
+          value: $(tasks.run-task.results.bombasticApiUrl)
+      taskSpec:
+        params:
+          - name: secretName
+          - name: ssoTokenUrl
+          - name: bombasticApiUrl
+        steps:
+          - name: check-result
+            image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5
+            env:
+              - name: "SECRET_NAME"
+                value: '$(params.secretName)'
+              - name: "SSO_TOKEN_URL"
+                value: '$(params.ssoTokenUrl)'
+              - name: "BOMBASTIC_API_URL"
+                value: '$(params.bombasticApiUrl)'
+            script: |
+              #!/usr/bin/env bash
+              set -eux
+
+              test "$SECRET_NAME" = ""
+              test "$SSO_TOKEN_URL" = ""
+              test "$BOMBASTIC_API_URL" = ""