Merge pull request #86 from simonbaird/auth-before-ec-validate

Add podman login before ec validate image

generated/gitops-template/githubactions/.github/workflows/gitops-promotion.yml

@@ -25,6 +25,8 @@ env:
   TRUSTIFICATION_OIDC_CLIENT_ID: ${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}
   TRUSTIFICATION_OIDC_CLIENT_SECRET: ${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}
   TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: ${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}
+  QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
+  QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
 
   # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
   IMAGE_TAGS: ""
@@ -59,6 +61,8 @@ jobs:
             TRUSTIFICATION_OIDC_CLIENT_ID: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_ID }}`,
             TRUSTIFICATION_OIDC_CLIENT_SECRET: `${{ secrets.TRUSTIFICATION_OIDC_CLIENT_SECRET }}`,
             TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: `${{ secrets.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }}`,
+            QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`,
+            QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`,
           };
           const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
             if (value.length === 0) {

generated/gitops-template/jenkins/Jenkinsfile

@@ -19,6 +19,7 @@ pipeline {
         TRUSTIFICATION_OIDC_CLIENT_ID = credentials('TRUSTIFICATION_OIDC_CLIENT_ID')
         TRUSTIFICATION_OIDC_CLIENT_SECRET = credentials('TRUSTIFICATION_OIDC_CLIENT_SECRET')
         TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = credentials('TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION')
+        QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
     }
     stages {
         stage('Verify EC') {

rhtap/buildah-rhtap.sh

@@ -9,28 +9,7 @@ function build() {
     echo "Running $TASK_NAME:build"
     echo "Running Login"
     IMAGE_REGISTRY="${IMAGE%%/*}"
-    # Check if the IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD are set and if not
-    # compute the values from the image name (backward compatable with prior naming)
-    # Users should set IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD from now on
-    # For backwards compatibility use the ARTIFACTORY or NEXUS or QUAY creds in place
-    # and this code will determine which one to use.
-    if [[ -z "$IMAGE_REGISTRY_USER" || -z "$IMAGE_REGISTRY_PASSWORD" ]]; then
-        # Determine credentials based on the registry
-        echo "Using $IMAGE_REGISTRY to determine quay,nexus or artifactory"
-        echo "Set IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD secrets to override detection"
-        if [[ "$IMAGE_REGISTRY" == *"artifactory"* || "$IMAGE_REGISTRY" == *"jfrog"* ]]; then
-            IMAGE_REGISTRY_USER="$ARTIFACTORY_IO_CREDS_USR"
-            IMAGE_REGISTRY_PASSWORD="$ARTIFACTORY_IO_CREDS_PSW"
-        elif [[ "$IMAGE_REGISTRY" == *"nexus"* ]]; then
-            IMAGE_REGISTRY_USER="$NEXUS_IO_CREDS_USR"
-            IMAGE_REGISTRY_PASSWORD="$NEXUS_IO_CREDS_PSW"
-        else
-            IMAGE_REGISTRY_USER="$QUAY_IO_CREDS_USR"
-            IMAGE_REGISTRY_PASSWORD="$QUAY_IO_CREDS_PSW"
-        fi
-    else
-        echo "Using IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD secrets for buildah"
-    fi
+    prepare-registry-user-pass $IMAGE_REGISTRY
     buildah login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $IMAGE_REGISTRY
     ERR=$?
     if [ $ERR != 0 ]; then

rhtap/common.sh

@@ -20,6 +20,35 @@ timestamp() {
     date -u +"%Y-%m-%dT%H:%M:%SZ"
 }
 
+prepare-registry-user-pass() {
+    local image_registry="$1"
+    #
+    # Check if the IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD are set and if not
+    # compute the values from the image name (backward compitable with prior naming).
+    #
+    # Users should set IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD for the registry.
+    # For backwards compatibility use the ARTIFACTORY or NEXUS or QUAY creds in place
+    # and this code will determine which one to use.
+    #
+    if [[ -z "${IMAGE_REGISTRY_USER-""}" || -z "${IMAGE_REGISTRY_PASSWORD-""}" ]]; then
+        # Determine credentials based on the registry
+        echo "Using $image_registry to determine quay, nexus or artifactory"
+        echo "Set IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD secrets to override detection"
+        if [[ "$image_registry" == *"artifactory"* || "$image_registry" == *"jfrog"* ]]; then
+            IMAGE_REGISTRY_USER="$ARTIFACTORY_IO_CREDS_USR"
+            IMAGE_REGISTRY_PASSWORD="$ARTIFACTORY_IO_CREDS_PSW"
+        elif [[ "$image_registry" == *"nexus"* ]]; then
+            IMAGE_REGISTRY_USER="$NEXUS_IO_CREDS_USR"
+            IMAGE_REGISTRY_PASSWORD="$NEXUS_IO_CREDS_PSW"
+        else
+            IMAGE_REGISTRY_USER="$QUAY_IO_CREDS_USR"
+            IMAGE_REGISTRY_PASSWORD="$QUAY_IO_CREDS_PSW"
+        fi
+    else
+        echo "Using IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD secrets for registry auth"
+    fi
+}
+
 DIR=$(pwd)
 export TASK_NAME=$(basename $0 .sh)
 export BASE_RESULTS=$DIR/results

rhtap/cosign-sign-attest.sh

@@ -16,8 +16,7 @@ function full-image-ref() {
     echo "$url@$digest"
 }
 
-# This is probably going to be quay.io, but let's not hard code it
-# here (even though it might be hard coded in a other places).
+# For example quay.io
 function image-registry() {
     local url=$(cat $BASE_RESULTS/buildah-rhtap/IMAGE_URL)
     echo "${url/\/*/}"
@@ -26,29 +25,13 @@ function image-registry() {
 # Cosign can use the same credentials as buildah
 function cosign-login() {
     local image_registry="$(image-registry)"
-    # Check if the IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD are set and if not
-    # compute the values from the image name (backward compatable with prior naming)
-    # Users should set IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD for the registri
-    # For backwards compatibility use the ARTIFACTORY or NEXUS or QUAY creds in place
-    # and this code will determine which one to use.
-    if [[ -z "$IMAGE_REGISTRY_USER" || -z "$IMAGE_REGISTRY_PASSWORD" ]]; then
-        # Determine credentials based on the registry
-        echo "Using $image_registry to determine quay,nexus or artifactory"
-        echo "Set IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD secrets to override detection"
-        if [[ "$image_registry" == *"artifactory"* || "$image_registry" == *"jfrog"* ]]; then
-            IMAGE_REGISTRY_USER="$ARTIFACTORY_IO_CREDS_USR"
-            IMAGE_REGISTRY_PASSWORD="$ARTIFACTORY_IO_CREDS_PSW"
-        elif [[ "$image_registry" == *"nexus"* ]]; then
-            IMAGE_REGISTRY_USER="$NEXUS_IO_CREDS_USR"
-            IMAGE_REGISTRY_PASSWORD="$NEXUS_IO_CREDS_PSW"
-        else
-            IMAGE_REGISTRY_USER="$QUAY_IO_CREDS_USR"
-            IMAGE_REGISTRY_PASSWORD="$QUAY_IO_CREDS_PSW"
-        fi
-    else
-        echo "Using IMAGE_REGISTRY_USER and IMAGE_REGISTRY_PASSWORD secrets for cosign"
-    fi
+    prepare-registry-user-pass $image_registry
     cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" "$image_registry"
+    ERR=$?
+    if [ $ERR != 0 ]; then
+        echo "Failed cosign login $image_registry for user $IMAGE_REGISTRY_USER"
+        exit $ERR
+    fi
 }
 
 # A wrapper for running cosign used for both sign and attest.

rhtap/verify-enterprise-contract.sh

@@ -41,6 +41,14 @@ function validate() {
 
     PUBLIC_KEY=$(base64 -d <<< "$COSIGN_PUBLIC_KEY")
 
+    # Assume the oci registry is the same for each component
+    local first_image_ref=$(jq -r '.components[0].containerImage' <<< "$IMAGES")
+    # Strip off everything after the first / char. It's likely $image_registry will be "quay.io"
+    local image_registry="${first_image_ref/\/*/}"
+    # If the repo is not publicly accessible we need to authenticate so ec can access it
+    prepare-registry-user-pass $image_registry
+    buildah login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
+
     ec validate image \
         "--images" \
         "$IMAGES" \

templates/data.yaml

@@ -47,3 +47,11 @@ gitops_secrets:
   - name: TRUSTIFICATION_OIDC_CLIENT_ID
   - name: TRUSTIFICATION_OIDC_CLIENT_SECRET
   - name: TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
+  # If the OCI registry is not public then ec needs some credentials so it can see the attestations.
+  # Todo: Use different credentials here so we provide read access only instead of read/write access.
+  - name: QUAY_IO_CREDS
+    if: isJenkins
+  - name: QUAY_IO_CREDS_USR
+    if: '!isJenkins'
+  - name: QUAY_IO_CREDS_PSW
+    if: '!isJenkins'