verify ec and sboms from private registry #94

Merged
merged 1 commit into from
Nov 26, 2024
2 changes: 1 addition & 1 deletion build-pipeline.sh
@@ -31,7 +31,7 @@ cp -r rhtap $BUILD/
# ENV with params
SETUP_ENV=$BUILD/rhtap/env.sh
cp rhtap/env.template.sh $SETUP_ENV
sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
sed -i "s!\${{ values.image }}!$IMAGE_TO_BUILD!g" $SETUP_ENV
sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
sed -i "s!\${{ values.repoURL }}!$OPTIONAL_REPO_UPDATE!g" $SETUP_ENV
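Review bot: The new `values.image` substitution has no guard for `IMAGE_TO_BUILD` being unset: `sed` would then silently replace the placeholder with an empty string and `env.sh` would carry a blank image reference that only surfaces later, when the build or push fails. Using `${IMAGE_TO_BUILD:?IMAGE_TO_BUILD must be set}` inside the sed expression, or a check before the `cp`, makes the misconfiguration fail early and explicitly. The previous hard-coded `quay.io/$MY_QUAY_USER/bootstrap` had the same exposure through `MY_QUAY_USER`, but the value now comes from a different script, which makes the dependency easier to miss.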
9 changes: 8 additions & 1 deletion ci-test.sh
@@ -32,7 +32,7 @@ function updateBuild() {
mkdir -p $REPO/rhtap
SETUP_ENV=$REPO/rhtap/env.sh
cp rhtap/env.template.sh $SETUP_ENV
sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
sed -i "s!\${{ values.image }}!$IMAGE_TO_BUILD!g" $SETUP_ENV
sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
sed -i "s!\${{ values.repoURL }}!$GITOPS_REPO_UPDATE!g" $SETUP_ENV
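Review bot: As in build-pipeline.sh, the `sed` on the `values.image` line substitutes an empty string when `IMAGE_TO_BUILD` is not present in this script's environment, so a `${IMAGE_TO_BUILD:?}` guard here would stop an `env.sh` with a blank image from being written and committed.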
@@ -46,6 +46,13 @@ function updateBuild() {
echo "export IGNORE_REKOR=$IGNORE_REKOR" >> $SETUP_ENV
echo "export TUF_MIRROR=$TUF_MIRROR" >> $SETUP_ENV
echo "# Update forced CI test $(date)" >> $SETUP_ENV

if [[ "$TEST_PRIVATE_REGISTRY" == "true" ]]; then
echo "WARNING Due to private repos, disabling ACS"
sed -i '/export DISABLE_ACS=/d' $SETUP_ENV
echo "export DISABLE_ACS=true" >> $SETUP_ENV
fi

updateGitAndQuayRefs $SETUP_ENV
cat $SETUP_ENV
}
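Review bot: The new block turns off a security scan for the private-registry case, and the reason lives only in a runtime WARNING; a comment above the `if` stating what about private repos prevents ACS from running here, plus a pointer to the follow-up that would re-enable it, would keep a later reader from removing the block or extending it to the public path without understanding the trade-off. The `sed -i '/export DISABLE_ACS=/d'` followed by `echo "export DISABLE_ACS=true" >> $SETUP_ENV` is a sound way to override an earlier value in the file; sending the WARNING to stderr (`>&2`) would keep it out of any stdout that is parsed downstream.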
2 changes: 1 addition & 1 deletion promote-pipeline.sh
@@ -19,7 +19,7 @@ fi
cp -r rhtap $GITOPS/rhtap
SETUP_ENV=$GITOPS/rhtap/env.sh
cp rhtap/env.template.sh $SETUP_ENV
sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
sed -i "s!\${{ values.image }}!$IMAGE_TO_BUILD!g" $SETUP_ENV
sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
sed -i "s!\${{ values.repoURL }}!!g" $SETUP_ENV
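Review bot: Same `IMAGE_TO_BUILD` concern as in the other two pipeline scripts: an unset variable yields a silent empty substitution on the `values.image` line, and a `${IMAGE_TO_BUILD:?}` guard would surface it at once.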
7 changes: 7 additions & 0 deletions rhtap/download-sbom-from-url-in-attestation.sh
@@ -120,6 +120,13 @@ fi

jq -r '.components[].containerImage' <<< "$IMAGES" | while read -r image; do
echo "Getting attestation for $image"

image_registry="${image/\/*/}"
# If the repo is not publicly accessible we need to authenticate so ec can access it
Collaborator: ...authenticate so it can be accessed

prepare-registry-user-pass $image_registry
echo "cosign login to registry $image_registry"
cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
Collaborator: Looks like this is happening once per image. Since all the images are likely from the same registry, it would be more efficient to just do it once.

Collaborator: (Discussed on slack. Conclusion: Not a big deal, and actually we might in theory have images in different registries.)


mkdir -p "$WORKDIR/$image"
cosign_verify_multiple_attestation_types \
--type slsaprovenance02 \
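Review bot: `cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry` puts the registry password on the command line, where it is visible in the process list and will land in the CI log if the script is ever run under `set -x`; `cosign login` accepts `--password-stdin`, so `printf '%s' "$IMAGE_REGISTRY_PASSWORD" | cosign login --username="$IMAGE_REGISTRY_USER" --password-stdin "$image_registry"` avoids both. Quoting `"$image_registry"` also keeps the call well-formed if the derived registry string is ever empty, and the comment above `prepare-registry-user-pass` still says "so ec can access it" although this loop calls cosign, as the review thread already points out.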
3 changes: 2 additions & 1 deletion rhtap/verify-enterprise-contract.sh
@@ -47,7 +47,8 @@ function validate() {
local image_registry="${first_image_ref/\/*/}"
# If the repo is not publicly accessible we need to authenticate so ec can access it
prepare-registry-user-pass $image_registry
buildah login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
echo "cosign login to registry $image_registry"
cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry

ec validate image \
"--images" \
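Review bot: The reason for swapping `buildah login` for `cosign login` is not recorded in the hunk and belongs in the comment above `prepare-registry-user-pass`: buildah stores credentials in the containers auth file (`${XDG_RUNTIME_DIR}/containers/auth.json`), which `ec` does not consult, whereas `cosign login` writes to `~/.docker/config.json`, the keychain that `ec validate image` reads. Without that note the next reader may well switch it back. The password-on-the-command-line concern raised for download-sbom-from-url-in-attestation.sh applies to this line as well; `--password-stdin` resolves it.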
9 changes: 9 additions & 0 deletions setup-local-dev-repos.sh
@@ -102,6 +102,15 @@ GITLAB_GITOPS=$TMP_REPOS/gitlab-gitops
JENKINS_BUILD=$TMP_REPOS/jenkins-build
JENKINS_GITOPS=$TMP_REPOS/jenkins-gitops

# Change this for public or private image testing
export TEST_PRIVATE_REGISTRY=${TEST_PRIVATE_REGISTRY:-true}
if [[ "$TEST_PRIVATE_REGISTRY" == "true" ]]; then
echo "Note, private image being built by ci-test, acs disabled"
IMAGE_TO_BUILD=quay.io/$MY_QUAY_USER/private-image
else
IMAGE_TO_BUILD=quay.io/$MY_QUAY_USER/bootstrap
fi

cloneRepo $UPSTREAM_BUILD_REPO ${TEST_BUILD_REPO_SSH:-$TEST_BUILD_REPO} $TEST_BUILD_REPO $BUILD
cloneRepo $UPSTREAM_GITOPS_REPO ${TEST_GITOPS_REPO_SSH:-$TEST_GITOPS_REPO} $TEST_GITOPS_REPO $GITOPS
cloneRepo $UPSTREAM_BUILD_REPO ${TEST_BUILD_GITLAB_REPO_SSH:-$TEST_BUILD_GITLAB_REPO} $TEST_BUILD_GITLAB_REPO $GITLAB_BUILD
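Review bot: `TEST_PRIVATE_REGISTRY` is exported on the line above the `if`, but `IMAGE_TO_BUILD` is assigned in both branches without `export`, so build-pipeline.sh, ci-test.sh and promote-pipeline.sh will only see it if they are sourced into this shell rather than executed as child processes; since all three now depend on it, `export IMAGE_TO_BUILD=...` in both branches (or a single `export IMAGE_TO_BUILD` after the `fi`) removes the ambiguity. The message in the private branch also mentions ACS being disabled, which is decided in ci-test.sh rather than here; naming that script in the echo would help anyone tracing the behaviour.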