feat(ISV-5130): add pipeline steps for SBOM upload (#627)

* feat(ISV-5130): push SBOMs to Atlas

  The rh-advisories pipeline now supports generating product-level SBOMs at release time and enhancing component-level SBOMs created at build time with additional release-time data.

Signed-off-by: Martin Jediny <[email protected]>
Showing 17 changed files with 592 additions and 112 deletions.
@@ -0,0 +1,13 @@ | ||
# collect-atlas-params | ||
|
||
Tekton task that collects the Atlas server option from the data file. Based on | ||
the value of the "atlas.server" field ("stage" or "production"), outputs results | ||
used to push SBOMs to Atlas. If no Atlas fields are present in the RPA, it | ||
outputs empty strings as results, indicating that the Atlas push should be | ||
skipped. | ||
|
||
## Parameters | ||
|
||
| Name | Description | Optional | Default value | | ||
|----------|----------------------------------------------------------------------------------------------------------------|----------|---------------| | ||
| dataPath | Path to the merged data JSON file generated by collect-data task and containing the Atlas configuration option | No | - | |
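Review bot: the README documents only the `dataPath` parameter, while the task also declares a `data` workspace and three results (`bombasticApiUrl`, `ssoTokenUrl`, `secretName`) that the SBOM push steps consume, and the empty-string sentinel described in the intro is only usable if callers know which results to test. Add a Workspaces section and a Results section listing the three result names, stating that all three are empty when `.atlas.server` is absent and that the task fails on any value other than `stage` or `production`, and expand the abbreviation "RPA" on first use so the origin of the merged data file is clear to someone reading this task in isolation.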
@@ -0,0 +1,69 @@ | ||
--- | ||
apiVersion: tekton.dev/v1 | ||
kind: Task | ||
metadata: | ||
name: collect-atlas-params | ||
labels: | ||
app.kubernetes.io/version: "0.1.0" | ||
annotations: | ||
tekton.dev/pipelines.minVersion: "0.12.1" | ||
tekton.dev/tags: release | ||
spec: | ||
description: >- | ||
Tekton task that collects Atlas API configuration options from the data file. | ||
params: | ||
- name: dataPath | ||
type: string | ||
description: | | ||
Path to the JSON string of the merged data containing the Atlas config. | ||
workspaces: | ||
- name: data | ||
results: | ||
- name: bombasticApiUrl | ||
type: string | ||
description: | | ||
URL of the bombastic API. | ||
- name: ssoTokenUrl | ||
type: string | ||
description: | | ||
URL of the SSO token issuer. | ||
- name: secretName | ||
type: string | ||
description: | | ||
The kubernetes secret to use to authenticate to bombastic. | ||
steps: | ||
- name: collect-atlas-params | ||
image: | ||
quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5 | ||
script: | | ||
#!/usr/bin/env bash | ||
set -x | ||
DATA_FILE="$(workspaces.data.path)/$(params.dataPath)" | ||
if [ ! -f "${DATA_FILE}" ] ; then | ||
echo "ERROR: No valid data file was provided." | ||
exit 1 | ||
fi | ||
atlasServer=$(jq -r '.atlas.server' "$DATA_FILE") | ||
if [ "$atlasServer" = "null" ]; then | ||
# In this case, SBOM processing will be skipped. | ||
bombasticApiUrl="" | ||
ssoTokenUrl="" | ||
secretName="" | ||
elif [ "$atlasServer" = "stage" ]; then | ||
bombasticApiUrl="https://sbom.atlas.release.stage.devshift.net" | ||
ssoTokenUrl="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token" | ||
secretName="atlas-staging-sso-secret" | ||
elif [ "$atlasServer" = "production" ]; then | ||
bombasticApiUrl="https://sbom.atlas.release.devshift.net" | ||
ssoTokenUrl="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token" | ||
secretName="atlas-prod-sso-secret" | ||
else | ||
echo "ERROR: Unknown .atlas.server value '$atlasServer'. Expected 'stage' or 'production'." | ||
exit 1 | ||
fi | ||
echo -n "$bombasticApiUrl" > "$(results.bombasticApiUrl.path)" | ||
echo -n "$ssoTokenUrl" > "$(results.ssoTokenUrl.path)" | ||
echo -n "$secretName" > "$(results.secretName.path)" |
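Review bot: `jq -r '.atlas.server'` prints the literal `null` both when the field is absent and when it holds the JSON string `"null"`, and on a file that is not valid JSON it prints nothing, so the task fails with the misleading `Unknown .atlas.server value ''` instead of a parse error; validate the file first (`jq -e . "$DATA_FILE" > /dev/null`) and read the field with `jq -r '.atlas.server // empty'` so absence is an empty string rather than a string compare against `null`. The script sets only `set -x` where the test scripts in this change use `set -eux`; add `set -eo pipefail` so an unexpected failure before the `exit 1` branches cannot fall through to writing results. Two documentation nits in the same hunk: the `dataPath` description says "JSON string" but the value is a path to a file (the README has it right), and "kubernetes secret" in the `secretName` result should read "Kubernetes secret".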
tasks/collect-atlas-params/tests/test-collect-atlas-params-bad-value.yaml (45 additions & 0 deletions)
@@ -0,0 +1,45 @@ | ||
--- | ||
apiVersion: tekton.dev/v1 | ||
kind: Pipeline | ||
metadata: | ||
name: test-collect-atlas-params-bad-value | ||
annotations: | ||
test/assert-task-failure: "run-task" | ||
spec: | ||
description: | | ||
Run the collect-atlas-params task with a bad value as atlasServer. | ||
workspaces: | ||
- name: tests-workspace | ||
tasks: | ||
- name: setup | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
taskSpec: | ||
workspaces: | ||
- name: data | ||
steps: | ||
- name: setup-values | ||
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5 | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
cat > "$(workspaces.data.path)/data.json" << EOF | ||
{ | ||
"atlas": { | ||
"server": "invalid" | ||
} | ||
} | ||
EOF | ||
- name: run-task | ||
taskRef: | ||
name: collect-atlas-params | ||
params: | ||
- name: dataPath | ||
value: data.json | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
runAfter: | ||
- setup |
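Review bot: the `test/assert-task-failure: "run-task"` annotation only asserts that `run-task` fails, not why, so a missing `data.json` or malformed JSON would also pass this test even though the intent is to exercise the `Unknown .atlas.server value` branch; if the test harness supports it, match on that error string in the task log, otherwise note in the description which branch is expected to fail. Since the comparison in the task is case-sensitive, a second bad value such as `Stage` or `PRODUCTION` would document that only the lowercase spellings are accepted.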
tasks/collect-atlas-params/tests/test-collect-atlas-params-nonexistent.yaml (66 additions & 0 deletions)
@@ -0,0 +1,66 @@ | ||
--- | ||
apiVersion: tekton.dev/v1 | ||
kind: Pipeline | ||
metadata: | ||
name: test-collect-atlas-params-nonexistent | ||
spec: | ||
description: | | ||
Run the collect-atlas-params task with a missing atlasServer key. | ||
workspaces: | ||
- name: tests-workspace | ||
tasks: | ||
- name: setup | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
taskSpec: | ||
workspaces: | ||
- name: data | ||
steps: | ||
- name: setup-values | ||
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5 | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
echo "{}" > "$(workspaces.data.path)/data.json" | ||
- name: run-task | ||
taskRef: | ||
name: collect-atlas-params | ||
params: | ||
- name: dataPath | ||
value: data.json | ||
workspaces: | ||
- name: data | ||
workspace: tests-workspace | ||
runAfter: | ||
- setup | ||
- name: check-result | ||
params: | ||
- name: secretName | ||
value: $(tasks.run-task.results.secretName) | ||
- name: ssoTokenUrl | ||
value: $(tasks.run-task.results.ssoTokenUrl) | ||
- name: bombasticApiUrl | ||
value: $(tasks.run-task.results.bombasticApiUrl) | ||
taskSpec: | ||
params: | ||
- name: secretName | ||
- name: ssoTokenUrl | ||
- name: bombasticApiUrl | ||
steps: | ||
- name: check-result | ||
image: quay.io/konflux-ci/release-service-utils:d320c36f3d707cd5bfe55fe783f70236c06cc2e5 | ||
env: | ||
- name: "SECRET_NAME" | ||
value: '$(params.secretName)' | ||
- name: "SSO_TOKEN_URL" | ||
value: '$(params.ssoTokenUrl)' | ||
- name: "BOMBASTIC_API_URL" | ||
value: '$(params.bombasticApiUrl)' | ||
script: | | ||
#!/usr/bin/env bash | ||
set -eux | ||
test "$SECRET_NAME" = "" | ||
test "$SSO_TOKEN_URL" = "" | ||
test "$BOMBASTIC_API_URL" = "" |
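Review bot: the description says "a missing atlasServer key" but the task reads `.atlas.server`, and the fixture written by `setup` is `{}`, so what is actually covered is the whole `atlas` object being absent; `{"atlas": {}}` (object present, `server` missing) takes the same `null` path in the task and is the more likely shape of a real data file, so either use it as the fixture or add it as a second case and fix the wording. The `check-result` task correctly asserts all three results are empty under `set -eux`; it relies on Tekton ordering it after `run-task` through the result references, which works, but an explicit `runAfter: [run-task]` would match the style of the other tasks in this pipeline.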