fix trusted artifact check
tisutisu committed Jan 10, 2025
1 parent b95345c commit f0fb060
Showing 4 changed files with 722 additions and 727 deletions.
370 changes: 186 additions & 184 deletions task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
@@ -1,207 +1,209 @@
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: build-maven-zip-oci-ta
annotations:
tekton.dev/pipelines.minVersion: 0.12.1
tekton.dev/tags: maven-build, konflux
labels:
app.kubernetes.io/version: "0.1"
build.appstudio.redhat.com/build_type: maven-zip
name: build-maven-zip-oci-ta
spec:
description: |-
Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry.
In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
params:
- default: ""
description: The Trusted Artifact URI pointing to the artifact with the prefetched
dependencies.
name: CACHI2_ARTIFACT
type: string
- default: maven-repository
description: The zip bundle file name of archived artifacts
name: FILE_NAME
type: string
- description: Reference of the OCI-Artifact this build task will produce.
name: IMAGE
type: string
- default: ""
description: Delete image tag after specified time. Empty means to keep the image
tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks,
respectively.
name: IMAGE_EXPIRES_AFTER
type: string
- default: maven-repository
description: The root directory of the artifacts under the prefetched directory.
Will be kept in the maven zip as the top directory for all artifacts.
name: PREFETCH_ROOT
type: string
- default: ca-bundle.crt
description: The name of the key in the ConfigMap that contains the CA bundle
data.
name: caTrustConfigMapKey
type: string
- default: trusted-ca
description: The name of the ConfigMap to read CA bundle data from.
name: caTrustConfigMapName
type: string
results:
- description: Digest of the OCI-Artifact just built
name: IMAGE_DIGEST
- description: OCI-Artifact reference of the built OCI-Artifact
name: IMAGE_REF
- description: OCI-Artifact repository and tag where the built OCI-Artifact was
pushed
name: IMAGE_URL
- description: Reference of SBOM blob digest to enable digest-based verification
from provenance
name: SBOM_BLOB_URL
type: string
stepTemplate:
env:
- name: CACHI2_ARTIFACT
description: The Trusted Artifact URI pointing to the artifact with
the prefetched dependencies.
type: string
default: ""
- name: FILE_NAME
value: $(params.FILE_NAME)
description: The zip bundle file name of archived artifacts
type: string
default: maven-repository
- name: IMAGE
value: $(params.IMAGE)
description: Reference of the OCI-Artifact this build task will produce.
type: string
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: PKG_ROOT
value: $(params.PREFETCH_ROOT)
description: Delete image tag after specified time. Empty means to keep
the image tag. Time values could be something like 1h, 2d, 3w for
hours, days, and weeks, respectively.
type: string
default: ""
- name: PREFETCH_ROOT
description: The root directory of the artifacts under the prefetched
directory. Will be kept in the maven zip as the top directory for
all artifacts.
type: string
default: maven-repository
- name: caTrustConfigMapKey
description: The name of the key in the ConfigMap that contains the
CA bundle data.
type: string
default: ca-bundle.crt
- name: caTrustConfigMapName
description: The name of the ConfigMap to read CA bundle data from.
type: string
default: trusted-ca
results:
- name: IMAGE_DIGEST
description: Digest of the OCI-Artifact just built
- name: IMAGE_REF
description: OCI-Artifact reference of the built OCI-Artifact
- name: IMAGE_URL
description: OCI-Artifact repository and tag where the built OCI-Artifact
was pushed
- name: SBOM_BLOB_URL
description: Reference of SBOM blob digest to enable digest-based verification
from provenance
type: string
volumes:
- name: shared
emptyDir: {}
- name: trusted-ca
configMap:
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
name: $(params.caTrustConfigMapName)
optional: true
- name: workdir
emptyDir: {}
stepTemplate:
env:
- name: FILE_NAME
value: $(params.FILE_NAME)
- name: IMAGE
value: $(params.IMAGE)
- name: IMAGE_EXPIRES_AFTER
value: $(params.IMAGE_EXPIRES_AFTER)
- name: PKG_ROOT
value: $(params.PREFETCH_ROOT)
volumeMounts:
- mountPath: /shared
name: shared
- mountPath: /var/workdir
name: workdir
- mountPath: /shared
name: shared
- mountPath: /var/workdir
name: workdir
steps:
- args:
- use
- $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:b31dc501d5068e30621e51681a2921d4e43f5a030ab78c8991f83a5e774534a3
name: use-trusted-artifact
- computeResources:
limits:
cpu: "4"
memory: 8Gi
requests:
cpu: "1"
memory: 2Gi
image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a
name: prepare
script: |
#!/bin/bash
set -euo pipefail
# Generate checksums for all maven artifact files. It will ignore the checksum files
# and signature files if they existed there
pkgpath="/var/workdir/cachi2/output/deps/generic"
if [ -d "$pkgpath/${PKG_ROOT}" ]; then
echo "Generating checksums for artifacts"
while IFS= read -r -d '' f; do
md5sum "$f" | awk '{print $1}' >"$f.md5"
sha1sum "$f" | awk '{print $1}' >"$f.sha1"
sha256sum "$f" | awk '{print $1}' >"$f.sha256"
done < <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \
! -name "*.sha1" ! -name "*.sha128" ! -name "*.sha256" \
! -name "*.sha512" ! -name "*.asc" -print0)
# Bundle the artifacts and checksums together into a zip file
cd "$pkgpath"
echo "create maven zip to /var/workdir/cachi2/output/${FILE_NAME}.zip"
zip -rq "${FILE_NAME}.zip" "${PKG_ROOT}"
mv "${FILE_NAME}.zip" "/shared/${FILE_NAME}.zip"
else
echo "No ${PKG_ROOT} dir found, can not generate maven zip!"
exit 1
fi
securityContext:
capabilities:
add:
- SETFCAP
workingDir: /var/workdir
- computeResources:
limits:
cpu: "4"
memory: 8Gi
requests:
cpu: "1"
memory: 2Gi
image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40
name: build
script: |
#!/bin/bash
set -euo pipefail
if [ -f "/shared/${FILE_NAME}.zip" ]; then
mv "/shared/${FILE_NAME}.zip" "./${FILE_NAME}.zip"
select-oci-auth "$IMAGE" >auth.json
[ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
oras push "$IMAGE" \
--registry-config auth.json \
"${EXPIRE_LABEL[@]}" \
--artifact-type application/vnd.maven+zip "${FILE_NAME}.zip"
RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
echo -n "${IMAGE}@${RESULTING_DIGEST}" | tee "$(results.IMAGE_REF.path)"
else
echo "The maven zip file is not found!"
exit 1
fi
- name: use-trusted-artifact
image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:b31dc501d5068e30621e51681a2921d4e43f5a030ab78c8991f83a5e774534a3
args:
- use
- $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
- name: prepare
image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a
workingDir: /var/workdir
script: |
#!/bin/bash
set -euo pipefail
# Generate checksums for all maven artifact files. It will ignore the checksum files
# and signature files if they existed there
pkgpath="/var/workdir/cachi2/output/deps/generic"
if [ -d "$pkgpath/${PKG_ROOT}" ]; then
echo "Generating checksums for artifacts"
while IFS= read -r -d '' f; do
md5sum "$f" | awk '{print $1}' >"$f.md5"
sha1sum "$f" | awk '{print $1}' >"$f.sha1"
sha256sum "$f" | awk '{print $1}' >"$f.sha256"
done < <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \
! -name "*.sha1" ! -name "*.sha128" ! -name "*.sha256" \
! -name "*.sha512" ! -name "*.asc" -print0)
# Bundle the artifacts and checksums together into a zip file
cd "$pkgpath"
echo "create maven zip to /var/workdir/cachi2/output/${FILE_NAME}.zip"
zip -rq "${FILE_NAME}.zip" "${PKG_ROOT}"
mv "${FILE_NAME}.zip" "/shared/${FILE_NAME}.zip"
else
echo "No ${PKG_ROOT} dir found, can not generate maven zip!"
exit 1
fi
computeResources:
limits:
cpu: "4"
memory: 8Gi
requests:
cpu: "1"
memory: 2Gi
securityContext:
capabilities:
add:
- SETFCAP
- name: build
image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40
workingDir: /var/workdir
volumeMounts:
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
script: |
#!/bin/bash
set -euo pipefail
if [ -f "/shared/${FILE_NAME}.zip" ]; then
mv "/shared/${FILE_NAME}.zip" "./${FILE_NAME}.zip"
select-oci-auth "$IMAGE" >auth.json
[ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
oras push "$IMAGE" \
--registry-config auth.json \
"${EXPIRE_LABEL[@]}" \
--artifact-type application/vnd.maven+zip "${FILE_NAME}.zip"
RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
echo -n "${IMAGE}@${RESULTING_DIGEST}" | tee "$(results.IMAGE_REF.path)"
else
echo "The maven zip file is not found!"
exit 1
fi
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/var/workdir/cachi2/output/bom.json" ]; then
cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom-cyclonedx.json
else
echo "The SBOM file for fetched artifacts is not found!"
exit 1
fi
securityContext:
capabilities:
add:
- SETFCAP
volumeMounts:
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
workingDir: /var/workdir
- computeResources:
limits:
cpu: 200m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
name: upload-sbom
script: |
#!/bin/bash
set -euo pipefail
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
# Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
if [ -f "/var/workdir/cachi2/output/bom.json" ]; then
cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom-cyclonedx.json
else
echo "The SBOM file for fetched artifacts is not found!"
exit 1
fi
computeResources:
limits:
cpu: "4"
memory: 8Gi
requests:
cpu: "1"
memory: 2Gi
securityContext:
capabilities:
add:
- SETFCAP
- name: upload-sbom
image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
workingDir: /var/workdir
volumeMounts:
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
script: |
#!/bin/bash
set -euo pipefail
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
sbom_tag="sha256-$( <"$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom"
# The SBOM_BLOB_URL is created by `cosign attach sbom`.
echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)"
volumeMounts:
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
workingDir: /var/workdir
volumes:
- emptyDir: {}
name: shared
- configMap:
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
name: $(params.caTrustConfigMapName)
optional: true
name: trusted-ca
- emptyDir: {}
name: workdir
# Remove tag from IMAGE while allowing registry to contain a port number.
sbom_repo="${IMAGE%:*}"
sbom_tag="sha256-$( <"$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom"
# The SBOM_BLOB_URL is created by `cosign attach sbom`.
echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)"
computeResources:
limits:
cpu: 200m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
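Review bot: In the upload-sbom step, `cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"` attaches the SBOM to the mutable tag, while SBOM_BLOB_URL a few lines later is derived from the digest the build step recorded in `$(results.IMAGE_DIGEST.path)`; if the tag is re-pushed between the two steps (a concurrent run of the same pipeline, for example), the SBOM would presumably end up on a different image than the one the results describe and SBOM_BLOB_URL would point at a `.sbom` tag that does not exist. Since the step already reads the IMAGE_DIGEST result file, attaching by the immutable reference the build step wrote, `cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")"`, pins the SBOM to the exact digest that is published in the results. The same applies to both copies of the line shown for this hunk, old and new. Separately, the build step mounts `/mnt/trusted-ca` but, unlike upload-sbom, never runs `update-ca-trust` before `oras push`; if the oras image does not pick the bundle up another way, a registry fronted by a private CA will fail there, so it would be worth either installing the bundle in that script too or adding a comment explaining why the mount alone is sufficient.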
5 changes: 0 additions & 5 deletions task/build-maven-zip-oci-ta/0.1/kustomization.yaml

This file was deleted.
