Sync build-definitions

redhat-appstudio · Oct 2, 2024 · 685d8f6 · 685d8f6
1 parent aa09931
commit 685d8f6
Show file tree

Hide file tree

Showing 6 changed files with 146 additions and 24 deletions.
diff --git a/pac/docker-build-rhtap/docker-pull-request.yaml b/pac/docker-build-rhtap/docker-pull-request.yaml
@@ -10,12 +10,13 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/docker-build-rhtap/docker-push.yaml b/pac/docker-build-rhtap/docker-push.yaml
@@ -10,12 +10,13 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/pipelines/docker-build-rhtap.yaml b/pac/pipelines/docker-build-rhtap.yaml
@@ -143,6 +143,21 @@ spec:
       workspaces:
         - name: source
           workspace: workspace
+    - name: rpms-signature-scan
+      params:
+        - name: image-url
+          value: $(tasks.build-container.results.IMAGE_URL)
+        - name: image-digest
+          value: $(tasks.build-container.results.IMAGE_DIGEST)
+      runAfter:
+        - build-container
+      taskRef:
+        name: rpms-signature-scan
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
     - name: acs-image-check
       params:
         - name: rox-secret-name

diff --git a/pac/source-repo/docker-pull-request.yaml b/pac/source-repo/docker-pull-request.yaml
@@ -10,12 +10,13 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/source-repo/docker-push.yaml b/pac/source-repo/docker-push.yaml
@@ -10,12 +10,13 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/tasks/rpms-signature-scan.yaml b/pac/tasks/rpms-signature-scan.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: rpms-signature-scan
+spec:
+  params:
+    - name: image-url
+      type: string
+      description: Image URL
+    - name: image-digest
+      type: string
+      description: Image digest to scan
+    - name: fail-unsigned
+      type: string
+      description: "[true \\ false] If true fail if unsigned RPMs were found"
+      default: "false"
+    - name: workdir
+      type: string
+      default: /tmp
+      description: |
+        Directory that will be used for storing temporary
+        files produced by this task.
+    - name: ca-trust-config-map-name
+      type: string
+      description: The name of the ConfigMap to read CA bundle data from.
+      default: trusted-ca
+    - name: ca-trust-config-map-key
+      type: string
+      description: The name of the key in the ConfigMap that contains the CA bundle data.
+      default: ca-bundle.crt
+  results:
+    - name: TEST_OUTPUT
+      description: Tekton task test output.
+    - name: RPMS_DATA
+      description: Information about signed and unsigned RPMs
+    - name: IMAGES_PROCESSED
+      description: Images processed in the task.
+  volumes:
+    - name: workdir
+      emptyDir: {}
+    - name: trusted-ca
+      configMap:
+        name: $(params.ca-trust-config-map-name)
+        items:
+          - key: $(params.ca-trust-config-map-key)
+            path: ca-bundle.crt
+        optional: true
+  steps:
+    - name: rpms-signature-scan
+      image: quay.io/redhat-appstudio/tools@sha256:0017579adfc3156490713b05134ce10606bc18256b25065ed049aa7d094161da
+      volumeMounts:
+        - name: workdir
+          mountPath: "$(params.workdir)"
+        - name: trusted-ca
+          mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          subPath: ca-bundle.crt
+          readOnly: true
+      env:
+        - name: IMAGE_URL
+          value: "$(params.image-url)"
+        - name: IMAGE_DIGEST
+          value: "$(params.image-digest)"
+        - name: FAIL_UNSIGNED
+          value: "$(params.fail-unsigned)"
+        - name: WORKDIR
+          value: "$(params.workdir)"
+      script: |
+        #!/bin/bash
+        set -ex
+        set -o pipefail
+
+        rpm_verifier \
+          --image-url "${IMAGE_URL}" \
+          --image-digest "${IMAGE_DIGEST}" \
+          --fail-unsigned "${FAIL_UNSIGNED}" \
+          --workdir "${WORKDIR}" \
+    - name: output-results
+      image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
+      volumeMounts:
+        - name: workdir
+          mountPath: "$(params.workdir)"
+      env:
+        - name: WORKDIR
+          value: "$(params.workdir)"
+      script: |
+        #!/bin/bash
+        set -ex
+
+        source /utils.sh
+        status=$(cat "${WORKDIR}"/status)
+        rpms_data=$(cat "${WORKDIR}"/results)
+        images_processed=$(cat "${WORKDIR}"/images_processed)
+        if [ "$status" == "ERROR" ]; then
+          note="Task $(context.task.name) completed: Not all RPMs were confirmed to be signed. Refer to Tekton task output for details"
+        else
+          note="Task $(context.task.name) completed: No unsigned RPMs"
+        fi
+
+        TEST_OUTPUT=$(make_result_json -r "$status" -t "$note")
+        echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+        echo "${rpms_data}" | tee "$(results.RPMS_DATA.path)"
+        echo "${images_processed}" | tee "$(results.IMAGES_PROCESSED.path)"