From 4c24b887fea3f5c42763be4a953d5557d5e9de2d Mon Sep 17 00:00:00 2001
From: Lance Ball
Date: Fri, 15 Sep 2023 14:41:47 -0400
Subject: [PATCH 1/7] :open_file_folder: update Red Hat specific files

---
 .tekton/rekor-cli-pull-request.yaml | 387 +++++++++++++++++++++++++
 .tekton/rekor-cli-push.yaml | 384 ++++++++++++++++++++++++
 .tekton/rekor-server-pull-request.yaml | 387 +++++++++++++++++++++++++
 .tekton/rekor-server-push.yaml | 384 ++++++++++++++++++++++++
 Dockerfile | 4 +-
 Dockerfile.backfill-redis | 14 +
 Dockerfile.cli | 14 +
 Makefile | 2 +-
 OWNERS | 12 +
 redhat/patches/0001-dockerfile.patch | 22 ++
 redhat/patches/0002-makefile.patch | 13 +
 redhat/release/update-to-head.sh | 105 +++++++
 12 files changed, 1725 insertions(+), 3 deletions(-)
 create mode 100644 .tekton/rekor-cli-pull-request.yaml
 create mode 100644 .tekton/rekor-cli-push.yaml
 create mode 100644 .tekton/rekor-server-pull-request.yaml
 create mode 100644 .tekton/rekor-server-push.yaml
 create mode 100644 Dockerfile.backfill-redis
 create mode 100644 Dockerfile.cli
 create mode 100644 OWNERS
 create mode 100644 redhat/patches/0001-dockerfile.patch
 create mode 100644 redhat/patches/0002-makefile.patch
 create mode 100755 redhat/release/update-to-head.sh

diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml
new file mode 100644
index 000000000..5aa708985
--- /dev/null
+++ b/.tekton/rekor-cli-pull-request.yaml
@@ -0,0 +1,387 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[pull_request]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-cli + pipelines.appstudio.openshift.io/type: build + name: rekor-cli-on-pull-request + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile.cli + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: 5d + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-cli:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . 
+ description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71 + - name: kind + 
value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml new file mode 100644 index 000000000..6aa3f7da8 --- /dev/null +++ b/.tekton/rekor-cli-push.yaml 
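Review bot: The PipelineRun's `spec.params` never sets `hermetic`, so the pipeline's `hermetic` parameter keeps its `"false"` default, the `prefetch-dependencies` task is skipped (its `when` clause requires `"true"`), and the `build-container` buildah step runs with open network access with an empty `prefetch-input` — presumably the Go module download inside the Dockerfile then happens outside the attested prefetch path, which matters for a component whose output is a transparency log. Consider adding `- name: hermetic` / `value: "true"` to `spec.params` together with a `prefetch-input` describing the module dependencies (the Cachi2 input format is not shown in this diff, so confirm it against the prefetch task's documentation), or add a comment at the top of the file stating why a non-hermetic build is accepted for now. The same gap exists in `.tekton/rekor-cli-push.yaml` and `.tekton/rekor-server-pull-request.yaml` below; a header comment in each file noting that the four pipelines are meant to stay in lockstep would also help, since nothing in the files says so.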
@@ -0,0 +1,384 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[push]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-cli + pipelines.appstudio.openshift.io/type: build + name: rekor-cli-on-push + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile.cli + - name: git-url + value: '{{repo_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-cli:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source 
Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: 
deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: 
$(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml new file mode 100644 index 000000000..a0872adae --- /dev/null +++ b/.tekton/rekor-server-pull-request.yaml 
@@ -0,0 +1,387 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[pull_request]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-server + pipelines.appstudio.openshift.io/type: build + name: rekor-server-on-pull-request + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: 5d + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-server:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . 
+ description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:ebbf3859d0fe10e655dd9df47a1133157d0f2d11ea2faa7d060df0f9268e2a4e + - name: kind + 
value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.2@sha256:58d16de95b4ca597f7f860fb85d6206e549910fa7a8d2a2cc229558f791ad329 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml new file mode 100644 index 000000000..9826e827d --- /dev/null +++ b/.tekton/rekor-server-push.yaml 
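Review bot: The pinned task bundles in `.tekton/rekor-server-pull-request.yaml` disagree with the two `rekor-cli` pipelines added by this same commit: `build-container` references `task-buildah:0.1@sha256:ebbf3859…` where the cli pipelines pin `task-buildah:0.1@sha256:e607665f…`, and `deprecated-base-image-check` references `task-deprecated-image-check:0.2@sha256:58d16de9…` where the cli pipelines pin `task-deprecated-image-check:0.3@sha256:4938fedb…`. Pinning by digest is the right choice, but four hand-maintained copies drift exactly like this, and a pull-request pipeline running a different buildah or deprecation-check than its sibling pipelines can pass a check the other build then fails, or hide a finding the newer task would report. Align all four files on one set of digests — which set is current cannot be told from this diff, so take it from the catalog — e.g. `value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71` and `value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f`. The `.tekton/rekor-server-push.yaml` hunk that follows ends outside this view, so it could not be compared.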
@@ -0,0 +1,384 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[push]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-server + pipelines.appstudio.openshift.io/type: build + name: rekor-server-on-push + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-server:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source 
Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:ebbf3859d0fe10e655dd9df47a1133157d0f2d11ea2faa7d060df0f9268e2a4e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: 
deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.2@sha256:58d16de95b4ca597f7f860fb85d6206e549910fa7a8d2a2cc229558f791ad329 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: 
$(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/Dockerfile b/Dockerfile index f2d39ace3..16989b132 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 AS builder +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder ENV APP_ROOT=/opt/app-root ENV GOPATH=$APP_ROOT @@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server # Multi-Stage production build -FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 as deploy +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy # Retrieve the binary from the previous stage COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server 
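Review bot: `pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]'` limits this push build to a single branch, while redhat/release/update-to-head.sh in the same commit pushes to `release-next` by default or to `redhat-<upstream-ref>` for other refs, so a sync of any other line builds nothing; if that is deliberate, a comment such as `# only this midstream branch is built; bump on each upstream rebase` above the annotation would make it explicit. The `hermetic` and `prefetch-input` params keep their `"false"` and `""` defaults, so the buildah task fetches Go modules from the network during the build; passing `hermetic: "true"` together with a Cachi2 `prefetch-input` for Go modules in `spec.params` would make the build of a transparency-log component reproducible and let the SBOM reflect what was actually compiled. The task bundles pinned here are also older than those in the `.tekton/backfill-redis-*.yaml` files the next commit adds (`task-deprecated-image-check:0.2` here versus `0.3` there, and a different `task-buildah` digest), so the components will drift unless one digest set is shared. The same points apply to the other PipelineRuns in this commit.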
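Review bot: Both `FROM` lines now pin `ubi9/go-toolset` by digest alone, so the toolchain version behind `sha256:52ab3917…` is no longer readable from the file the way `golang:1.20.5@sha256:…` was; pinning as `FROM registry.access.redhat.com/ubi9/go-toolset:<tag>@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder` keeps the digest authoritative while documenting the intended version, and the chosen tag should be checked against the `go` directive in go.mod. The second hunk keeps the same toolset image for the `deploy` stage, which ships a full compiler in the runtime image; that mirrors the previous `golang … as deploy` layout, but a minimal runtime base holding only the binary and what it needs at runtime would cut the attack surface considerably. The same digest-only pin is repeated in Dockerfile.backfill-redis, Dockerfile.cli and redhat/patches/0001-dockerfile.patch, so it should change in all four places together.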
diff --git a/Dockerfile.backfill-redis b/Dockerfile.backfill-redis new file mode 100644 index 000000000..609f4a4e3 --- /dev/null +++ b/Dockerfile.backfill-redis @@ -0,0 +1,14 @@ +#Build stage +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS build-env +USER root +RUN git config --global --add safe.directory /opt/app-root/src +COPY . . +RUN make backfill-redis + +#Install stage +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 +COPY --from=build-env /opt/app-root/src/backfill-redis /usr/local/bin/backfill-redis +WORKDIR /opt/app-root/src/home + +#ENTRYPOINT +ENTRYPOINT [ "backfill-redis" ] diff --git a/Dockerfile.cli b/Dockerfile.cli new file mode 100644 index 000000000..46d89dd59 --- /dev/null +++ b/Dockerfile.cli @@ -0,0 +1,14 @@ +#Build stage +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS build-env +USER root +RUN git config --global --add safe.directory /opt/app-root/src +COPY . . +RUN make rekor-cli + +#Install stage +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 +COPY --from=build-env /opt/app-root/src/rekor-cli /usr/local/bin/rekor-cli +WORKDIR /opt/app-root/src/home + +#ENTRYPOINT +ENTRYPOINT [ "rekor-cli" ] diff --git a/Makefile b/Makefile index 9c2467b87..4904ad9a6 100644 --- a/Makefile +++ b/Makefile @@ -83,7 +83,7 @@ rekor-server: $(SRCS) CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/rekor-server backfill-redis: $(SRCS) - CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/backfill-redis + CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o backfill-redis ./cmd/backfill-redis test: go test ./... diff --git a/OWNERS b/OWNERS new file mode 100644 index 000000000..45bb15aeb 
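Review bot: `COPY . .` in the build stage depends on the base image's working directory already being `/opt/app-root/src`, which is only implied by the `safe.directory` line and the later `COPY --from=build-env /opt/app-root/src/backfill-redis`; adding `WORKDIR /opt/app-root/src` before the copy makes the build independent of that default. `COPY . .` also pulls the entire build context, including `.git` and any untracked local files, into the builder layer, so a `.dockerignore` that limits the context keeps stray credentials and caches out of the build even though only the binary reaches the final stage. The install stage sets `WORKDIR /opt/app-root/src/home` without explanation; a comment such as `# working directory for the runtime user` would help, and since the stage inherits whatever user the toolset image defines, an explicit `USER` line is worth adding if a non-root runtime is required. Dockerfile.cli has the identical layout and the same points apply.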
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,12 @@
+# The OWNERS file is used by prow to automatically merge approved PRs.
+
+approvers:
+- lance
+- cooktheryan
+- lkatalin
+- sallom
+
+reviewers:
+- JasonPowr
+- tommyd450
+
diff --git a/redhat/patches/0001-dockerfile.patch b/redhat/patches/0001-dockerfile.patch
new file mode 100644
index 000000000..fc419caaa
--- /dev/null
+++ b/redhat/patches/0001-dockerfile.patch
@@ -0,0 +1,22 @@
+diff --git a/Dockerfile b/Dockerfile
+index f2d39ac..16989b1 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -13,7 +13,7 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 AS builder
++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder
+ ENV APP_ROOT=/opt/app-root
+ ENV GOPATH=$APP_ROOT
+
+@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o
+ RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server
+
+ # Multi-Stage production build
+-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 as deploy
++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy
+
+ # Retrieve the binary from the previous stage
+ COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
diff --git a/redhat/patches/0002-makefile.patch b/redhat/patches/0002-makefile.patch
new file mode 100644
index 000000000..5f0c9cbea
--- /dev/null
+++ b/redhat/patches/0002-makefile.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 9c2467b..4904ad9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -83,7 +83,7 @@ rekor-server: $(SRCS)
+ CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/rekor-server
+
+backfill-redis: $(SRCS)
+- CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/backfill-redis
++ CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o backfill-redis ./cmd/backfill-redis
+
+test:
+ go test ./...
diff --git a/redhat/release/update-to-head.sh b/redhat/release/update-to-head.sh
new file mode 100755
index 000000000..03c4cbad2
--- /dev/null
+++ b/redhat/release/update-to-head.sh
@@ -0,0 +1,105 @@ +#!/usr/bin/env bash + +# Copyright 2023 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# The local git repo must have a remote "upstream" pointing +# to upstream sigstore/rekor, and a remote "origin" +# pointing to securesign/rekor + +# Synchs the release-next branch to either the upstream `main` branch +# or a provided git-ref (typically an upstream release tag) and then triggers CI. +# +# NOTE: This requires a corresponding midstream branch to exist in the securesign fork +# with the same name as the upstream branch/ref, but prefixed with "midstream-". +# +# Usage: update-to-head.sh [] + +if [ "$#" -ne 1 ]; then + upstream_ref="main" + midstream_ref="main" + redhat_ref="release-next" +else + upstream_ref=$1 + midstream_ref="midstream-${upstream_ref}" # The overlays and patches for the given version + redhat_ref="redhat-${upstream_ref}" # The midstream repo with overlays and patches applied +fi + +echo "Synchronizing ${redhat_ref} to upstream/${upstream_ref}..." + +set -e +REPO_NAME=$(basename $(git rev-parse --show-toplevel)) + +# Custom files +custom_files=$(cat <. +git fetch upstream $upstream_ref +if [[ "$upstream_ref" == "main" ]]; then + git checkout upstream/main -B ${redhat_ref} +else + git checkout $upstream_ref -B ${redhat_ref} +fi + +# Update redhat's main and take all needed files from there. 
+git fetch origin $midstream_ref
+git checkout origin/$midstream_ref $custom_files
+
+# Apply midstream patches
+if [[ -d redhat/patches ]]; then
+ git apply redhat/patches/*
+fi
+
+# RHTAP writes its pipeline files to the root of ${redhat_ref}
+# Fetch those from origin and apply them to the the release branch
+# since we just wiped out our local copy with the upstream ref.
+git fetch origin $redhat_ref
+git checkout origin/$redhat_ref .tekton
+
+# Move overlays to root
+if [[ -d redhat/overlays ]]; then
+ git mv redhat/overlays/* .
+fi
+
+git add . # Adds applied patches
+git add $custom_files # Adds custom files
+git commit -m "${redhat_files_msg}"
+
+# Push the release-next branch
+git push -f origin "${redhat_ref}"
+
+# Trigger CI
+# TODO: Set up openshift or github CI to run on release-next-ci
+git checkout "${redhat_ref}" -B "${redhat_ref}"-ci
+date > ci
+git add ci
+git commit -m "${robot_trigger_msg}"
+git push -f origin "${redhat_ref}-ci"
+
+if hash hub 2>/dev/null; then
+ # Test if there is already a sync PR in
+ COUNT=$(hub api -H "Accept: application/vnd.github.v3+json" repos/securesign/${REPO_NAME}/pulls --flat \
+ | grep -c "${robot_trigger_msg}") || true
+ if [ "$COUNT" = "0" ]; then
+ hub pull-request --no-edit -l "kind/sync-fork-to-upstream" -b securesign/${REPO_NAME}:${redhat_ref} -h securesign/${REPO_NAME}:${redhat_ref}-ci -m "${robot_trigger_msg}"
+ fi
+else
+ echo "hub (https://github.com/github/hub) is not installed, so you'll need to create a PR manually."
+fi
From 9134c312869c60de7ecf5b37ecd713c5caa6d225 Mon Sep 17 00:00:00 2001
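Review bot: `git push -f origin "${redhat_ref}"` and `git push -f origin "${redhat_ref}-ci"` force-push branches whose names come straight from the unvalidated positional argument, so a mistyped ref silently creates or overwrites a `redhat-<ref>` branch on origin; `git push --force-with-lease origin "${redhat_ref}"` would only replace the remote state this run fetched, and checking that `git fetch upstream "$upstream_ref"` resolved before the checkout would fail early on a typo. `|| true` on the `hub api ... | grep -c` pipeline makes an API failure indistinguishable from "no existing PR", so a transient error opens a duplicate pull request; capturing the `hub api` output first and checking its exit status separately from the `grep -c` count keeps the two cases apart. `git fetch origin $redhat_ref` followed by `git checkout origin/$redhat_ref .tekton` presumably aborts under `set -e` the first time a new `redhat-<ref>` branch has not been pushed yet, which may be acceptable but deserves a comment stating that the branch must already exist. The heredoc defining `custom_files` appears truncated in this rendering, so the list of files taken from the midstream branch could not be reviewed.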
From: "red-hat-trusted-app-pipeline[bot]" <126015336+red-hat-trusted-app-pipeline[bot]@users.noreply.github.com> Date: Fri, 15 Sep 2023 15:29:34 -0400 Subject: [PATCH 2/7] Red Hat Trusted App Pipeline update backfill-redis (#55) # Pipelines as Code configuration proposal To start the PipelineRun, add a new comment with content `/ok-to-test` For more detailed information about running a PipelineRun, please refer to Pipelines as Code documentation [Running the PipelineRun](https://pipelinesascode.com/docs/guide/running/) To customize the proposed PipelineRuns after merge, please refer to [Build Pipeline customization](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/configuring-builds/proc_customize_build_pipeline/) Co-authored-by: red-hat-trusted-app-pipeline --- .tekton/backfill-redis-pull-request.yaml | 387 +++++++++++++++++++++++ .tekton/backfill-redis-push.yaml | 384 ++++++++++++++++++++++ 2 files changed, 771 insertions(+) create mode 100644 .tekton/backfill-redis-pull-request.yaml create mode 100644 .tekton/backfill-redis-push.yaml diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml new file mode 100644 index 000000000..e9d300e06 --- /dev/null +++ b/.tekton/backfill-redis-pull-request.yaml 
@@ -0,0 +1,387 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[pull_request]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: backfill-redis + pipelines.appstudio.openshift.io/type: build + name: backfill-redis-on-pull-request + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile.backfill-redis + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: 5d + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/backfill-redis:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . 
+ description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71 + - name: kind + 
value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml new file mode 100644 index 000000000..ed8dd46a9 --- /dev/null +++ b/.tekton/backfill-redis-push.yaml 
@@ -0,0 +1,384 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[push]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: backfill-redis + pipelines.appstudio.openshift.io/type: build + name: backfill-redis-on-push + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile.backfill-redis + - name: git-url + value: '{{repo_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/backfill-redis:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + 
- description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: 
deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: 
$(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From fd57b1819ee8f21ee99fb92127054bd29dc0878c Mon Sep 17 00:00:00 2001 From: Jason Power Date: Fri, 22 Sep 2023 15:57:07 +0100 Subject: [PATCH 3/7] add-unit-testing-to-rhtap (#58) This pr adds unit testing to rhtap for rekor. I've created my own version of rekor in rhtap in my own workspace and have tested both fail and success scenarios for both. ## Comments I only went with that image as its the same used in the Docker files, if it needs to be changed let me know :+1: Gonna work on the e2e tests next --- .tekton/backfill-redis-pull-request.yaml | 14 ++++++++++++++ .tekton/backfill-redis-push.yaml | 14 ++++++++++++++ .tekton/rekor-cli-pull-request.yaml | 14 ++++++++++++++ .tekton/rekor-cli-push.yaml | 14 ++++++++++++++ .tekton/rekor-server-pull-request.yaml | 14 ++++++++++++++ .tekton/rekor-server-push.yaml | 14 ++++++++++++++ 6 files changed, 84 insertions(+) diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml index e9d300e06..5571b3797 100644 --- a/.tekton/backfill-redis-pull-request.yaml +++ b/.tekton/backfill-redis-pull-request.yaml 
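Review bot: All five entries under `pipelineSpec.results` are declared with `description: ""`, so `IMAGE_URL`, `IMAGE_DIGEST`, `CHAINS-GIT_URL`, `CHAINS-GIT_COMMIT` and `JAVA_COMMUNITY_DEPENDENCIES` carry no statement of who consumes them; the `CHAINS-*` names appear to be the result names Tekton Chains picks up for the provenance attestation, which is worth recording, e.g. `description: "Source URL recorded in the Chains provenance attestation"`. The trigger annotation `pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]'` pins one branch, so the push pipeline silently stops firing once the Red Hat branch is bumped; a comment above it naming the script that is expected to rewrite it (presumably the `redhat/release/update-to-head.sh` listed in the diffstat, not shown here) would make that dependency visible. The rekor-cli pull-request file earlier in this commit has the same empty descriptions, but its hunk begins before this view.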
@@ -365,6 +365,20 @@ spec: operator: in values: - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml index ed8dd46a9..6e8bad830 100644 --- a/.tekton/backfill-redis-push.yaml +++ b/.tekton/backfill-redis-push.yaml @@ -362,6 +362,20 @@ spec: operator: in values: - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml index 5aa708985..d213fa49f 100644 --- a/.tekton/rekor-cli-pull-request.yaml +++ b/.tekton/rekor-cli-pull-request.yaml @@ -365,6 +365,20 @@ spec: operator: in values: - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml index 6aa3f7da8..3cb3688f1 100644 --- a/.tekton/rekor-cli-push.yaml +++ b/.tekton/rekor-cli-push.yaml 
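Review bot: The new `unit-test` task only depends on `clone-repository`, and `build-container` does not list it in `runAfter`, so on the push pipelines the image can still be built and pushed to quay while the tests are running or failing; if the tests are meant to gate the image, add `- unit-test` under `build-container`'s `runAfter` (that task is outside this hunk). The script also reaches the sources through a hard-coded `cd / && cd workspace/output` instead of the variable Tekton provides, e.g. `workingDir: $(workspaces.output.path)` on the step; with `#!/bin/bash` and no `set -e`, a failed `cd` leaves `GOFLAGS="" make test` running from `/`. The same hunk is repeated in backfill-redis-push, rekor-cli-pull-request, rekor-cli-push, rekor-server-pull-request and rekor-server-push.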
@@ -362,6 +362,20 @@ spec: operator: in values: - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml index a0872adae..2f5222ee8 100644 --- a/.tekton/rekor-server-pull-request.yaml +++ b/.tekton/rekor-server-pull-request.yaml @@ -365,6 +365,20 @@ spec: operator: in values: - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml index 9826e827d..267fdbe09 100644 --- a/.tekton/rekor-server-push.yaml +++ b/.tekton/rekor-server-push.yaml @@ -362,6 +362,20 @@ spec: operator: in values: - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test workspaces: - name: workspace - name: git-auth From 78af0087c98078c9f02ca8ca79dd146412818835 Mon Sep 17 00:00:00 2001 
From: Jason Power Date: Mon, 25 Sep 2023 17:40:45 +0100 Subject: [PATCH 4/7] changes needed for new contract (#61) This pr contains the necessary changes to the pipeline for the new contract --- .tekton/backfill-redis-pull-request.yaml | 2 ++ .tekton/backfill-redis-push.yaml | 2 ++ .tekton/rekor-cli-pull-request.yaml | 2 ++ .tekton/rekor-cli-push.yaml | 2 ++ .tekton/rekor-server-pull-request.yaml | 4 +++- .tekton/rekor-server-push.yaml | 4 +++- 6 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml index 5571b3797..9e84677e2 100644 --- a/.tekton/backfill-redis-pull-request.yaml +++ b/.tekton/backfill-redis-pull-request.yaml @@ -99,10 +99,12 @@ spec: description: Execute the build with network isolation name: hermetic type: string + value: "true" - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string + value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml index 6e8bad830..7126605c6 100644 --- a/.tekton/backfill-redis-push.yaml +++ b/.tekton/backfill-redis-push.yaml @@ -96,10 +96,12 @@ spec: description: Execute the build with network isolation name: hermetic type: string + value: "true" - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string + value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml index d213fa49f..0786d9e35 100644 --- a/.tekton/rekor-cli-pull-request.yaml +++ b/.tekton/rekor-cli-pull-request.yaml 
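Review bot: `value: "true"` and `value: '{"type": "gomod", "path": "."}'` are added to entries of `pipelineSpec.params`, which is the parameter declaration list (`name`/`type`/`description`/`default`); `value` belongs to the run-level `spec.params` list, and Tekton's admission webhook is likely to reject the PipelineRun for the unknown field rather than apply it. To actually switch on hermetic builds, either set `default: "true"` on the declaration or add `- name: hermetic` / `value: "true"` to `spec.params` at the top of the file, and likewise for `prefetch-input`. The `prefetch-input` declaration keeps `type: string`, so the JSON must remain a quoted string as it is written here. The same edit is repeated in the other five pipeline files of this commit.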
@@ -99,10 +99,12 @@ spec: description: Execute the build with network isolation name: hermetic type: string + value: "true" - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string + value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml index 3cb3688f1..cd9cb14e2 100644 --- a/.tekton/rekor-cli-push.yaml +++ b/.tekton/rekor-cli-push.yaml @@ -96,10 +96,12 @@ spec: description: Execute the build with network isolation name: hermetic type: string + value: "true" - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string + value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml index 2f5222ee8..908d74502 100644 --- a/.tekton/rekor-server-pull-request.yaml +++ b/.tekton/rekor-server-pull-request.yaml @@ -99,10 +99,12 @@ spec: description: Execute the build with network isolation name: hermetic type: string + value: "true" - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string + value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java @@ -270,7 +272,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.2@sha256:58d16de95b4ca597f7f860fb85d6206e549910fa7a8d2a2cc229558f791ad329 + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f - name: kind value: task resolver: bundles diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml index 267fdbe09..87955b201 100644 --- a/.tekton/rekor-server-push.yaml +++ b/.tekton/rekor-server-push.yaml 
@@ -96,10 +96,12 @@ spec: description: Execute the build with network isolation name: hermetic type: string + value: "true" - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string + value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java @@ -267,7 +269,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.2@sha256:58d16de95b4ca597f7f860fb85d6206e549910fa7a8d2a2cc229558f791ad329 + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f - name: kind value: task resolver: bundles From 1da999055435cb30fff43ee2c0f41aabc6a828fa Mon Sep 17 00:00:00 2001 From: Jason Power Date: Tue, 26 Sep 2023 19:30:26 +0100 Subject: [PATCH 5/7] fix for hermetic builds (#71) Small pr to fix the hermetic builds in RHTAP, (mirrors the changes in cosign) --- .tekton/backfill-redis-pull-request.yaml | 6 ++---- .tekton/backfill-redis-push.yaml | 6 ++---- .tekton/rekor-cli-pull-request.yaml | 6 ++---- .tekton/rekor-cli-push.yaml | 6 ++---- .tekton/rekor-server-pull-request.yaml | 6 ++---- .tekton/rekor-server-push.yaml | 6 ++---- 6 files changed, 12 insertions(+), 24 deletions(-) diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml index 9e84677e2..7adc6ac49 100644 --- a/.tekton/backfill-redis-pull-request.yaml +++ b/.tekton/backfill-redis-pull-request.yaml 
@@ -95,16 +95,14 @@ spec: description: Skip optional checks, set false if you want to run optional checks name: skip-optional type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string - value: "true" - - default: "" + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml index 7126605c6..6822086b1 100644 --- a/.tekton/backfill-redis-push.yaml +++ b/.tekton/backfill-redis-push.yaml @@ -92,16 +92,14 @@ spec: description: Skip optional checks, set false if you want to run optional checks name: skip-optional type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string - value: "true" - - default: "" + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml index 0786d9e35..84db92b7b 100644 --- a/.tekton/rekor-cli-pull-request.yaml +++ b/.tekton/rekor-cli-pull-request.yaml 
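Review bot: `default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]` is an unquoted flow sequence, so the YAML parser hands Tekton an array default for a parameter declared `type: string`; the value it replaces, `'{"type": "gomod", "path": "."}'`, was a string, and the prefetch task appears to consume this parameter as a JSON string. Quote it so the declared type and the default agree: `default: '[{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]'`. Left as is, the declaration is at best rejected at validation and at worst changes what `$(params.prefetch-input)` expands to, which is exactly the input that decides what a hermetic build is allowed to fetch. The same line appears in the other five pipeline files of this commit.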
@@ -95,16 +95,14 @@ spec: description: Skip optional checks, set false if you want to run optional checks name: skip-optional type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string - value: "true" - - default: "" + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml index cd9cb14e2..44acf8821 100644 --- a/.tekton/rekor-cli-push.yaml +++ b/.tekton/rekor-cli-push.yaml @@ -92,16 +92,14 @@ spec: description: Skip optional checks, set false if you want to run optional checks name: skip-optional type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string - value: "true" - - default: "" + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml index 908d74502..b017f28a0 100644 --- a/.tekton/rekor-server-pull-request.yaml +++ b/.tekton/rekor-server-pull-request.yaml 
@@ -95,16 +95,14 @@ spec: description: Skip optional checks, set false if you want to run optional checks name: skip-optional type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string - value: "true" - - default: "" + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml index 87955b201..42612abee 100644 --- a/.tekton/rekor-server-push.yaml +++ b/.tekton/rekor-server-push.yaml @@ -92,16 +92,14 @@ spec: description: Skip optional checks, set false if you want to run optional checks name: skip-optional type: string - - default: "false" + - default: "true" description: Execute the build with network isolation name: hermetic type: string - value: "true" - - default: "" + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - value: '{"type": "gomod", "path": "."}' - default: "false" description: Java build name: java From 29681863f768be40c6ccdcde346c313f571ce9ec Mon Sep 17 00:00:00 2001 
From: JasonPowr <20076537@mail.wit.ie> Date: Wed, 27 Sep 2023 15:17:29 +0100 Subject: [PATCH 6/7] update unit tests for rhtap --- .tekton/backfill-redis-pull-request.yaml | 23 ++++++++++++----------- .tekton/backfill-redis-push.yaml | 23 ++++++++++++----------- .tekton/rekor-cli-pull-request.yaml | 23 ++++++++++++----------- .tekton/rekor-cli-push.yaml | 23 ++++++++++++----------- .tekton/rekor-server-pull-request.yaml | 23 ++++++++++++----------- .tekton/rekor-server-push.yaml | 23 ++++++++++++----------- .tekton/unit-test.yaml | 22 ++++++++++++++++++++++ 7 files changed, 94 insertions(+), 66 deletions(-) create mode 100644 .tekton/unit-test.yaml diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml index 7adc6ac49..c8f496dac 100644 --- a/.tekton/backfill-redis-pull-request.yaml +++ b/.tekton/backfill-redis-pull-request.yaml @@ -365,20 +365,21 @@ spec: operator: in values: - "false" - - name: unit-test + - name: run-unit-test runAfter: - - clone-repository + - prefetch-dependencies + taskRef: + params: + - name: name + value: go-unit-test + - name: bundle + value: quay.io/securesign/go-unit-test@sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217 + - name: kind + value: task + resolver: bundles workspaces: - - name: output + - name: source workspace: workspace - taskSpec: - steps: - - name: run-unit-tests - image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 - script: | - #!/bin/bash - cd / && cd workspace/output - GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml index 6822086b1..63048dc25 100644 --- a/.tekton/backfill-redis-push.yaml +++ b/.tekton/backfill-redis-push.yaml 
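Review bot: `run-unit-test` now runs after `prefetch-dependencies`, but `build-container` still does not depend on it, so the tests and the image build/push run concurrently and a failing test does not stop the image being pushed on the push pipelines; if the tests are meant to gate, add `- run-unit-test` under `build-container`'s `runAfter` (that task is outside this hunk). The bundle is pinned by digest, which is right, but nothing in the repository ties `quay.io/securesign/go-unit-test@sha256:2743ce9106dd…` back to the `.tekton/unit-test.yaml` it was built from; a comment above the `bundle` param naming the source file and the push command would let a reviewer re-derive the digest when it is bumped. The same change appears in the other five pipeline files of this commit.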
@@ -362,20 +362,21 @@ spec: operator: in values: - "false" - - name: unit-test + - name: run-unit-test runAfter: - - clone-repository + - prefetch-dependencies + taskRef: + params: + - name: name + value: go-unit-test + - name: bundle + value: quay.io/securesign/go-unit-test@sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217 + - name: kind + value: task + resolver: bundles workspaces: - - name: output + - name: source workspace: workspace - taskSpec: - steps: - - name: run-unit-tests - image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 - script: | - #!/bin/bash - cd / && cd workspace/output - GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml index 84db92b7b..8e5fa6136 100644 --- a/.tekton/rekor-cli-pull-request.yaml +++ b/.tekton/rekor-cli-pull-request.yaml @@ -365,20 +365,21 @@ spec: operator: in values: - "false" - - name: unit-test + - name: run-unit-test runAfter: - - clone-repository + - prefetch-dependencies + taskRef: + params: + - name: name + value: go-unit-test + - name: bundle + value: quay.io/securesign/go-unit-test@sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217 + - name: kind + value: task + resolver: bundles workspaces: - - name: output + - name: source workspace: workspace - taskSpec: - steps: - - name: run-unit-tests - image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 - script: | - #!/bin/bash - cd / && cd workspace/output - GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml index 44acf8821..5773b3994 100644 --- a/.tekton/rekor-cli-push.yaml +++ b/.tekton/rekor-cli-push.yaml 
@@ -362,20 +362,21 @@ spec: operator: in values: - "false" - - name: unit-test + - name: run-unit-test runAfter: - - clone-repository + - prefetch-dependencies + taskRef: + params: + - name: name + value: go-unit-test + - name: bundle + value: quay.io/securesign/go-unit-test@sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217 + - name: kind + value: task + resolver: bundles workspaces: - - name: output + - name: source workspace: workspace - taskSpec: - steps: - - name: run-unit-tests - image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 - script: | - #!/bin/bash - cd / && cd workspace/output - GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml index b017f28a0..5ce8db7b4 100644 --- a/.tekton/rekor-server-pull-request.yaml +++ b/.tekton/rekor-server-pull-request.yaml @@ -365,20 +365,21 @@ spec: operator: in values: - "false" - - name: unit-test + - name: run-unit-test runAfter: - - clone-repository + - prefetch-dependencies + taskRef: + params: + - name: name + value: go-unit-test + - name: bundle + value: quay.io/securesign/go-unit-test@sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217 + - name: kind + value: task + resolver: bundles workspaces: - - name: output + - name: source workspace: workspace - taskSpec: - steps: - - name: run-unit-tests - image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 - script: | - #!/bin/bash - cd / && cd workspace/output - GOFLAGS="" make test workspaces: - name: workspace - name: git-auth diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml index 42612abee..83a6a9b2e 100644 --- a/.tekton/rekor-server-push.yaml +++ b/.tekton/rekor-server-push.yaml 
@@ -362,20 +362,21 @@ spec: operator: in values: - "false" - - name: unit-test + - name: run-unit-test runAfter: - - clone-repository + - prefetch-dependencies + taskRef: + params: + - name: name + value: go-unit-test + - name: bundle + value: quay.io/securesign/go-unit-test@sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217 + - name: kind + value: task + resolver: bundles workspaces: - - name: output + - name: source workspace: workspace - taskSpec: - steps: - - name: run-unit-tests - image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 - script: | - #!/bin/bash - cd / && cd workspace/output - GOFLAGS="" make test workspaces: - name: workspace - name: git-auth
diff --git a/.tekton/unit-test.yaml b/.tekton/unit-test.yaml
new file mode 100644
index 000000000..0b7e9282a
--- /dev/null
+++ b/.tekton/unit-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: go-unit-test
+ annotations:
+ tekton.dev/title: "Go Unit Test Task"
+spec:
+ workspaces:
+ - name: source
+ steps:
+ - name: run-tests
+ image: registry.access.redhat.com/ubi9/go-toolset@sha256:e91cbbd0b659498d029dd43e050c8a009c403146bfba22cbebca8bcd0ee7925f
+ workingDir: $(workspaces.source.path)
+ script: |
+ #!/usr/bin/env sh
+ go test ./...
+
+# This file bundles the unit tests for Rekor.
+# If any changes are made to this file, it must be pushed to Quay using the following command:
+ 'tkn bundle push quay.io/securesign/go-unit-test:v1 -f .tekton/unit-test.yaml'.
+# This will generate a new SHA for the bundle.
+# Ensure that this new SHA is updated in the pull and push pipeline files for each component.
From e99449113086295125ea711a9cd93d5d1b6bfc1c Mon Sep 17 00:00:00 2001
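Review bot: The trailing comment in `.tekton/unit-test.yaml` tells maintainers to push the bundle under the mutable `:v1` tag and update "the SHA", but never records which digest this revision of the file produced, so nothing in the repository ties the `sha256:2743ce91…` pinned in the pipeline hunks above to this Task definition; add a line such as `# Bundle digest currently referenced by the pipeline files: sha256:2743ce9106dd0eeb15dd60f6b9e0e79f69e7f0854969f9da7e0cd9251aff7217` and update it with every push. The step's `go test ./...` also replaces the `GOFLAGS="" make test` the inline task ran; if the Makefile's test target adds flags or excludes packages (not visible here), the bundled Task silently runs a different test set — confirm against the Makefile. The `image:` digest likewise moves from the go-toolset `sha256:52ab39…` used inline to `sha256:e91cbb…`, a toolchain change worth one line in the commit message.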
From: Lance Ball Date: Wed, 27 Sep 2023 17:43:50 -0400 Subject: [PATCH 7/7] :open_file_folder: update Red Hat specific files --- .tekton/backfill-redis-pull-request.yaml | 401 +++++++++++++++++++++++ .tekton/backfill-redis-push.yaml | 398 ++++++++++++++++++++++ .tekton/rekor-cli-pull-request.yaml | 401 +++++++++++++++++++++++ .tekton/rekor-cli-push.yaml | 398 ++++++++++++++++++++++ .tekton/rekor-server-pull-request.yaml | 401 +++++++++++++++++++++++ .tekton/rekor-server-push.yaml | 398 ++++++++++++++++++++++ Dockerfile | 10 +- Dockerfile.backfill-redis | 21 ++ Dockerfile.cli | 21 ++ Makefile | 2 +- OWNERS | 12 + redhat/patches/0001-dockerfile.patch | 28 ++ redhat/patches/0002-makefile.patch | 13 + redhat/patches/0003-storage.patch | 13 + redhat/release/update-to-head.sh | 105 ++++++ scripts/storage.sql | 2 +- 16 files changed, 2620 insertions(+), 4 deletions(-) create mode 100644 .tekton/backfill-redis-pull-request.yaml create mode 100644 .tekton/backfill-redis-push.yaml create mode 100644 .tekton/rekor-cli-pull-request.yaml create mode 100644 .tekton/rekor-cli-push.yaml create mode 100644 .tekton/rekor-server-pull-request.yaml create mode 100644 .tekton/rekor-server-push.yaml create mode 100644 Dockerfile.backfill-redis create mode 100644 Dockerfile.cli create mode 100644 OWNERS create mode 100644 redhat/patches/0001-dockerfile.patch create mode 100644 redhat/patches/0002-makefile.patch create mode 100644 redhat/patches/0003-storage.patch create mode 100755 redhat/release/update-to-head.sh diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml new file mode 100644 index 000000000..7adc6ac49 --- /dev/null +++ b/.tekton/backfill-redis-pull-request.yaml 
@@ -0,0 +1,401 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-event: '[pull_request]'
+ pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]'
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: backfill-redis
+ pipelines.appstudio.openshift.io/type: build
+ name: backfill-redis-on-pull-request
+ namespace: securesign-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: Dockerfile.backfill-redis
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/redhat-user-workloads/securesign-tenant/rekor/backfill-redis:on-pr-{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ pipelineSpec:
+ finally:
+ - name: show-sbom
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: show-summary
+ params:
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: git-url
+ value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
+ - name: image-url
+ value: $(params.output-image)
+ - name: build-task-status
+ value: $(tasks.build-container.status)
+ taskRef:
+ params:
+ - name: name
+ value: summary
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - description: Source Repository URL
+ name: git-url
+ type: string
+ - default: ""
+ description: Revision of the Source Repository
+ name: revision
+ type: string
+ - description: Fully Qualified Output Image
+ name: output-image
+ type: string
+ - default: .
+ description: The path to your source code
+ name: path-context
+ type: string
+ - default: Dockerfile
+ description: Path to the Dockerfile
+ name: dockerfile
+ type: string
+ - default: "false"
+ description: Force rebuild image
+ name: rebuild
+ type: string
+ - default: "false"
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: "true"
+ description: Skip optional checks, set false if you want to run optional checks
+ name: skip-optional
+ type: string
+ - default: "true"
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
+ description: Build dependencies to be prefetched by Cachi2
+ name: prefetch-input
+ type: string
+ - default: "false"
+ description: Java build
+ name: java
+ type: string
+ - default: ""
+ description: Image tag expiration time, time values could be something like
+ 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: image-expires-after
+ results:
+ - description: ""
+ name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - description: ""
+ name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - description: ""
+ name: CHAINS-GIT_URL
+ value: $(tasks.clone-repository.results.url)
+ - description: ""
+ name: CHAINS-GIT_COMMIT
+ value: $(tasks.clone-repository.results.commit)
+ - description: ""
+ name: JAVA_COMMUNITY_DEPENDENCIES
+ value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)
+ tasks:
+ - name: init
+ params:
+ - name: image-url
+ value: $(params.output-image)
+ - name: rebuild
+ value: $(params.rebuild)
+ - name: skip-checks
+ value: $(params.skip-checks)
+ - name: skip-optional
+ value: $(params.skip-optional)
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: pipelinerun-uid
+ value: $(context.pipelineRun.uid)
+ taskRef:
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ runAfter:
+ - init
+ taskRef:
+ params:
+ - name: name
+ value: git-clone
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: output
+ workspace: workspace
+ - name: basic-auth
+ workspace: git-auth
+ - name: prefetch-dependencies
+ params:
+ - name: input
+ value: $(params.prefetch-input)
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: prefetch-dependencies
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.hermetic)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: build-container
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ runAfter:
+ - prefetch-dependencies
+ taskRef:
+ params:
+ - name: name
+ value: buildah
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: inspect-image
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: inspect-image
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: deprecated-base-image-check
+ params:
+ - name: BASE_IMAGES_DIGESTS
+ value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
+ taskRef:
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: clair-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sast-snyk-check
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: sast-snyk-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: clamav-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sbom-json-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: sbom-json-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: unit-test
+ runAfter:
+ - clone-repository
+ workspaces:
+ - name: output
+ workspace: workspace
+ taskSpec:
+ steps:
+ - name: run-unit-tests
+ image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6
+ script: |
+ #!/bin/bash
+ cd / && cd workspace/output
+ GOFLAGS="" make test
+ workspaces:
+ - name: workspace
+ - name: git-auth
+ optional: true
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml
new file mode 100644
index 000000000..6822086b1
--- /dev/null
+++ b/.tekton/backfill-redis-push.yaml
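Review bot: The inline `unit-test` step hardcodes the workspace mount with `cd / && cd workspace/output` instead of the path Tekton publishes for the bound workspace; set `workingDir: $(workspaces.output.path)` on the step and reduce the script to `GOFLAGS="" make test`. The step also carries no `when` guard on `$(tasks.init.results.build)` while `clone-repository` does, so in a run where init reports no build needed the tests can run against an empty workspace (whether dependents of a skipped task run depends on the cluster's Tekton version — confirm). Separately, `- default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]` is an unquoted flow sequence under a param declared `type: string`, so the YAML parser hands Tekton a list where a string is declared; quote it as `default: '[{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]'`, the same form the `'{{revision}}'` values in this file already use. All three points apply equally to the backfill-redis-push and rekor-cli-pull-request hunks below, and the unquoted default is visible again in the rekor-cli-push hunk that runs past the end of the page.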
@@ -0,0 +1,398 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-event: '[push]'
+ pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]'
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: backfill-redis
+ pipelines.appstudio.openshift.io/type: build
+ name: backfill-redis-on-push
+ namespace: securesign-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: Dockerfile.backfill-redis
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: output-image
+ value: quay.io/redhat-user-workloads/securesign-tenant/rekor/backfill-redis:{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ pipelineSpec:
+ finally:
+ - name: show-sbom
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: show-summary
+ params:
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: git-url
+ value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
+ - name: image-url
+ value: $(params.output-image)
+ - name: build-task-status
+ value: $(tasks.build-container.status)
+ taskRef:
+ params:
+ - name: name
+ value: summary
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - description: Source Repository URL
+ name: git-url
+ type: string
+ - default: ""
+ description: Revision of the Source Repository
+ name: revision
+ type: string
+ - description: Fully Qualified Output Image
+ name: output-image
+ type: string
+ - default: .
+ description: The path to your source code
+ name: path-context
+ type: string
+ - default: Dockerfile
+ description: Path to the Dockerfile
+ name: dockerfile
+ type: string
+ - default: "false"
+ description: Force rebuild image
+ name: rebuild
+ type: string
+ - default: "false"
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: "true"
+ description: Skip optional checks, set false if you want to run optional checks
+ name: skip-optional
+ type: string
+ - default: "true"
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
+ description: Build dependencies to be prefetched by Cachi2
+ name: prefetch-input
+ type: string
+ - default: "false"
+ description: Java build
+ name: java
+ type: string
+ - default: ""
+ description: Image tag expiration time, time values could be something like
+ 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: image-expires-after
+ results:
+ - description: ""
+ name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - description: ""
+ name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - description: ""
+ name: CHAINS-GIT_URL
+ value: $(tasks.clone-repository.results.url)
+ - description: ""
+ name: CHAINS-GIT_COMMIT
+ value: $(tasks.clone-repository.results.commit)
+ - description: ""
+ name: JAVA_COMMUNITY_DEPENDENCIES
+ value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)
+ tasks:
+ - name: init
+ params:
+ - name: image-url
+ value: $(params.output-image)
+ - name: rebuild
+ value: $(params.rebuild)
+ - name: skip-checks
+ value: $(params.skip-checks)
+ - name: skip-optional
+ value: $(params.skip-optional)
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: pipelinerun-uid
+ value: $(context.pipelineRun.uid)
+ taskRef:
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ runAfter:
+ - init
+ taskRef:
+ params:
+ - name: name
+ value: git-clone
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: output
+ workspace: workspace
+ - name: basic-auth
+ workspace: git-auth
+ - name: prefetch-dependencies
+ params:
+ - name: input
+ value: $(params.prefetch-input)
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: prefetch-dependencies
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.hermetic)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: build-container
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ runAfter:
+ - prefetch-dependencies
+ taskRef:
+ params:
+ - name: name
+ value: buildah
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: inspect-image
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: inspect-image
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: deprecated-base-image-check
+ params:
+ - name: BASE_IMAGES_DIGESTS
+ value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
+ taskRef:
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: clair-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sast-snyk-check
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: sast-snyk-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: clamav-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sbom-json-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: sbom-json-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: unit-test
+ runAfter:
+ - clone-repository
+ workspaces:
+ - name: output
+ workspace: workspace
+ taskSpec:
+ steps:
+ - name: run-unit-tests
+ image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6
+ script: |
+ #!/bin/bash
+ cd / && cd workspace/output
+ GOFLAGS="" make test
+ workspaces:
+ - name: workspace
+ - name: git-auth
+ optional: true
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml
new file mode 100644
index 000000000..84db92b7b
--- /dev/null
+++ b/.tekton/rekor-cli-pull-request.yaml
@@ -0,0 +1,401 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-event: '[pull_request]'
+ pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]'
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: rekor
+ appstudio.openshift.io/component: rekor-cli
+ pipelines.appstudio.openshift.io/type: build
+ name: rekor-cli-on-pull-request
+ namespace: securesign-tenant
+spec:
+ params:
+ - name: dockerfile
+ value: Dockerfile.cli
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-cli:on-pr-{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ pipelineSpec:
+ finally:
+ - name: show-sbom
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: show-summary
+ params:
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: git-url
+ value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
+ - name: image-url
+ value: $(params.output-image)
+ - name: build-task-status
+ value: $(tasks.build-container.status)
+ taskRef:
+ params:
+ - name: name
+ value: summary
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - description: Source Repository URL
+ name: git-url
+ type: string
+ - default: ""
+ description: Revision of the Source Repository
+ name: revision
+ type: string
+ - description: Fully Qualified Output Image
+ name: output-image
+ type: string
+ - default: .
+ description: The path to your source code
+ name: path-context
+ type: string
+ - default: Dockerfile
+ description: Path to the Dockerfile
+ name: dockerfile
+ type: string
+ - default: "false"
+ description: Force rebuild image
+ name: rebuild
+ type: string
+ - default: "false"
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: "true"
+ description: Skip optional checks, set false if you want to run optional checks
+ name: skip-optional
+ type: string
+ - default: "true"
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
+ description: Build dependencies to be prefetched by Cachi2
+ name: prefetch-input
+ type: string
+ - default: "false"
+ description: Java build
+ name: java
+ type: string
+ - default: ""
+ description: Image tag expiration time, time values could be something like
+ 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: image-expires-after
+ results:
+ - description: ""
+ name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - description: ""
+ name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - description: ""
+ name: CHAINS-GIT_URL
+ value: $(tasks.clone-repository.results.url)
+ - description: ""
+ name: CHAINS-GIT_COMMIT
+ value: $(tasks.clone-repository.results.commit)
+ - description: ""
+ name: JAVA_COMMUNITY_DEPENDENCIES
+ value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)
+ tasks:
+ - name: init
+ params:
+ - name: image-url
+ value: $(params.output-image)
+ - name: rebuild
+ value: $(params.rebuild)
+ - name: skip-checks
+ value: $(params.skip-checks)
+ - name: skip-optional
+ value: $(params.skip-optional)
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: pipelinerun-uid
+ value: $(context.pipelineRun.uid)
+ taskRef:
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ runAfter:
+ - init
+ taskRef:
+ params:
+ - name: name
+ value: git-clone
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: output
+ workspace: workspace
+ - name: basic-auth
+ workspace: git-auth
+ - name: prefetch-dependencies
+ params:
+ - name: input
+ value: $(params.prefetch-input)
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: prefetch-dependencies
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.hermetic)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: build-container
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ runAfter:
+ - prefetch-dependencies
+ taskRef:
+ params:
+ - name: name
+ value: buildah
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: inspect-image
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: inspect-image
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: deprecated-base-image-check
+ params:
+ - name: BASE_IMAGES_DIGESTS
+ value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
+ taskRef:
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: clair-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sast-snyk-check
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: sast-snyk-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: clamav-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sbom-json-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: sbom-json-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: unit-test
+ runAfter:
+ - clone-repository
+ workspaces:
+ - name: output
+ workspace: workspace
+ taskSpec:
+ steps:
+ - name: run-unit-tests
+ image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6
+ script: |
+ #!/bin/bash
+ cd / && cd workspace/output
+ GOFLAGS="" make test
+ workspaces:
+ - name: workspace
+ - name: git-auth
+ optional: true
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml
new file mode 100644
index 000000000..44acf8821
--- /dev/null
+++ b/.tekton/rekor-cli-push.yaml
@@ -0,0 +1,398 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[push]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-cli + pipelines.appstudio.openshift.io/type: build + name: rekor-cli-on-push + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile.cli + - name: git-url + value: '{{repo_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-cli:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source 
Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "true" + description: Execute the build with network isolation + name: hermetic + type: string + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:e607665f13adadbd4a8d0b32768fc1b24a90884d867ecb681e15c5bc25434f71 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: 
deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: 
$(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml new file mode 100644 index 000000000..b017f28a0 --- /dev/null +++ b/.tekton/rekor-server-pull-request.yaml 
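Review bot: In the `unit-test` task the pipeline-task binding and the embedded `taskSpec` disagree on the workspace name: the binding is `- name: output` / `workspace: workspace`, while the taskSpec declares `workspace` (required) and `git-auth` (optional), and the step then hard-codes `cd / && cd workspace/output`. Tekton checks bindings against declarations before running a TaskRun, so as far as I can tell this task is rejected with a message like `declared workspace "workspace" is required but has not been bound` and the unit tests never run. Declaring `- name: output` in the taskSpec, dropping the unused `git-auth` declaration there, and changing the cd to `cd "$(workspaces.output.path)"` makes the three agree; a `set -euo pipefail` after the shebang would also stop a failed cd from falling through to `make test`. The same block appears in .tekton/rekor-server-pull-request.yaml, .tekton/rekor-server-push.yaml and .tekton/rekor-cli-pull-request.yaml.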
@@ -0,0 +1,401 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[pull_request]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-server + pipelines.appstudio.openshift.io/type: build + name: rekor-server-on-pull-request + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: 5d + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-server:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . 
+ description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "true" + description: Execute the build with network isolation + name: hermetic + type: string + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:ebbf3859d0fe10e655dd9df47a1133157d0f2d11ea2faa7d060df0f9268e2a4e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: 
deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: 
$(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: unit-test + runAfter: + - clone-repository + workspaces: + - name: output + workspace: workspace + taskSpec: + steps: + - name: run-unit-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 + script: | + #!/bin/bash + cd / && cd workspace/output + GOFLAGS="" make test + workspaces: + - name: workspace + - name: git-auth + optional: true + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml new file mode 100644 index 000000000..42612abee --- /dev/null +++ b/.tekton/rekor-server-push.yaml 
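Review bot: The `prefetch-input` param declares `type: string`, but its `default:` is an unquoted YAML flow sequence of mappings, so the YAML parser hands Tekton a list rather than a string. As far as I can tell it loads today only because Tekton's param decoding falls back to the raw JSON text when a value is neither an array of strings nor a string map, which is not a behaviour worth depending on in a pinned build pipeline. Quoting it, `default: '[{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]'`, states the intended type and survives any tightening of that fallback. The same default appears in the other three PipelineRuns.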
@@ -0,0 +1,398 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/securesign/rekor?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-event: '[push]' + pipelinesascode.tekton.dev/on-target-branch: '[redhat-v1.2.2]' + creationTimestamp: null + labels: + appstudio.openshift.io/application: rekor + appstudio.openshift.io/component: rekor-server + pipelines.appstudio.openshift.io/type: build + name: rekor-server-on-push + namespace: securesign-tenant +spec: + params: + - name: dockerfile + value: Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/securesign-tenant/rekor/rekor-server:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:7db0af43dcebaeb33e34413148370e17078c30fd2fc78fb84c8941b444199f36 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:e69f53a3991d7088d8aa2827365ab761ab7524d4269f296b4a78b0f085789d30 + - name: kind + value: task + resolver: bundles + params: + - description: Source 
Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: The path to your source code + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "true" + description: Execute the build with network isolation + name: hermetic + type: string + - default: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}] + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: image-expires-after + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:26586a7ef08c3e86dfdaf0a5cc38dd3d70c4c02db1331b469caaed0a0f5b3d86 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:1f84973a21aabea38434b1f663abc4cb2d86565a9c7aae1f90decb43a8fa48eb + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c7b7f13d5d2a1545e95c2d56521327001d56ba54645900db41aa414607eff1e5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:ebbf3859d0fe10e655dd9df47a1133157d0f2d11ea2faa7d060df0f9268e2a4e + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:bbc286f0a2ad94e671ceb9d0f1debd96f36b8c38c1147c5030957820b4125fc6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: source + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + taskRef: + params: + - name: name + value: 
deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:4938fedb0f61ba30cc93925194298187d08898439efd525a34834bcf0d51587f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:c5602d9d6dd797da98e98fde8471ea55a788c30f74f2192807910ce5436e9b66 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:9dcd450b454705b9fe22c5f8f7bb7305cebc3cb73e783b85e047f7e721994189 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:cd4e301dd849cbdf7b8e38fd8f4915970b5b60174770df632a6b38ea93028d44 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: 
$(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: sbom-json-check
+ - name: bundle
+ value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:397cb2fb20f413dec9653134231bec86edb80806a3441081fbf473677fc40917
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: unit-test
+ runAfter:
+ - clone-repository
+ workspaces:
+ - name: output
+ workspace: workspace
+ taskSpec:
+ steps:
+ - name: run-unit-tests
+ image: registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6
+ script: |
+ #!/bin/bash
+ cd / && cd workspace/output
+ GOFLAGS="" make test
+ workspaces:
+ - name: workspace
+ - name: git-auth
+ optional: true
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/Dockerfile b/Dockerfile
index f2d39ace3..4d335663f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
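Review bot: The `build-container` task pins `task-buildah:0.1` at a different digest here (`@sha256:ebbf3859…`) than .tekton/rekor-cli-push.yaml does (`@sha256:e607665f…`), so rekor-server and rekor-cli are built by two versions of the same task even though the four PipelineRuns were added together. Aligning every file on one digest keeps the build step identical across components and lets a single dependency bump move them in lockstep; .tekton/rekor-server-pull-request.yaml also carries `ebbf3859…`, and the rekor-cli-pull-request hunk starts before this excerpt, so I cannot see which digest it uses.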
@@ -31,7 +31,13 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o
 RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server
 
 # Multi-Stage production build
-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 as deploy
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy
+
+LABEL description="Rekor provides an immutable tamper resistant ledger of metadata generated within a software projects supply chain."
+LABEL io.k8s.description="Rekor provides an immutable tamper resistant ledger of metadata generated within a software projects supply chain."
+LABEL io.k8s.display-name="Rekor container image for Red Hat Trusted Signer"
+LABEL io.openshift.tags="rekor trusted-signer"
+LABEL summary="The rekor-server binary provides an immutable, tamper-resistant log."
 
 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
diff --git a/Dockerfile.backfill-redis b/Dockerfile.backfill-redis
new file mode 100644
index 000000000..ebaaa10ec
--- /dev/null
+++ b/Dockerfile.backfill-redis
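Review bot: The production `deploy` stage is now based on the full `ubi9/go-toolset` image (the `+FROM … as deploy` line), so the shipped image carries the Go toolchain, git and build tooling that `rekor-server` does not need at runtime, which widens the attack surface and the vulnerability-scan footprint. If the build system permits it, a minimal UBI runtime base (e.g. ubi9-minimal, pinned by digest as here) for the deploy stage together with the existing `COPY --from=builder` would keep the runtime image small; the builder stage is unaffected. Two smaller points: `as deploy` is lowercase while the builder stage writes `AS builder`, and both description labels say "a software projects supply chain" where "a software project's supply chain" is meant. The same runtime-base choice applies to the install stages of Dockerfile.backfill-redis and Dockerfile.cli in this commit.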
@@ -0,0 +1,21 @@
+#Build stage
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS build-env
+USER root
+RUN git config --global --add safe.directory /opt/app-root/src
+COPY . .
+RUN make backfill-redis
+
+#Install stage
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6
+
+LABEL description="Backfillredis is a job that will go through the TLog and make sure that missing entries are added to the search index."
+LABEL io.k8s.description="Backfillredis is a job that will go through the TLog and make sure that missing entries are added to the search index."
+LABEL io.k8s.display-name="Backfillredis container image for Red Hat Trusted Signer"
+LABEL io.openshift.tags="backfill-redis trusted-signer"
+LABEL summary="Provides the backfill-redis binary for a rekor server"
+
+COPY --from=build-env /opt/app-root/src/backfill-redis /usr/local/bin/backfill-redis
+WORKDIR /opt/app-root/src/home
+
+#ENTRYPOINT
+ENTRYPOINT [ "backfill-redis" ]
diff --git a/Dockerfile.cli b/Dockerfile.cli
new file mode 100644
index 000000000..4fc856236
--- /dev/null
+++ b/Dockerfile.cli
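Review bot: The build stage runs `COPY . .` without a `WORKDIR`, so the source landing in `/opt/app-root/src` — which `RUN git config … safe.directory /opt/app-root/src` and the later `COPY --from=build-env /opt/app-root/src/backfill-redis` both assume — depends on the base image's default working directory; an explicit `WORKDIR /opt/app-root/src` before `COPY . .` makes that assumption visible and survives a base-image change. The install stage also never sets `USER` after the build stage switched to `USER root`, so the runtime user is whatever the base image defaults to; declaring a non-root `USER` in the install stage (the unprivileged UID the base ships with, to be confirmed) keeps the job from ever running as root by accident. Dockerfile.cli in the same commit has both points. The comment lines `#Build stage`, `#Install stage` and `#ENTRYPOINT` would read better as `# Build stage` with a space after the hash.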
@@ -0,0 +1,21 @@
+#Build stage
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS build-env
+USER root
+RUN git config --global --add safe.directory /opt/app-root/src
+COPY . .
+RUN make rekor-cli
+
+#Install stage
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6
+
+LABEL description="Rekor-cli is a command line interface (CLI) tool used to interact with a rekor server."
+LABEL io.k8s.description="Rekor-cli is a command line interface (CLI) tool used to interact with a rekor server."
+LABEL io.k8s.display-name="Rekor-cli container image for Red Hat Trusted Signer"
+LABEL io.openshift.tags="rekor-cli trusted-signer"
+LABEL summary="Provides the rekor CLI binary for interacting with a rekor server"
+
+COPY --from=build-env /opt/app-root/src/rekor-cli /usr/local/bin/rekor-cli
+WORKDIR /opt/app-root/src/home
+
+#ENTRYPOINT
+ENTRYPOINT [ "rekor-cli" ]
diff --git a/Makefile b/Makefile
index 9c2467b87..4904ad9a6 100644
--- a/Makefile
+++ b/Makefile
@@ -83,7 +83,7 @@ rekor-server: $(SRCS) CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/rekor-server backfill-redis: $(SRCS) - CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/backfill-redis + CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o backfill-redis ./cmd/backfill-redis test: go test ./...
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 000000000..45bb15aeb
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,12 @@
+# The OWNERS file is used by prow to automatically merge approved PRs.
+
+approvers:
+- lance
+- cooktheryan
+- lkatalin
+- sallom
+
+reviewers:
+- JasonPowr
+- tommyd450
+
diff --git a/redhat/patches/0001-dockerfile.patch b/redhat/patches/0001-dockerfile.patch
new file mode 100644
index 000000000..56aecb71b
--- /dev/null
+++ b/redhat/patches/0001-dockerfile.patch
@@ -0,0 +1,28 @@ +diff --git a/Dockerfile b/Dockerfile +index f2d39ac..4d33566 100644 +--- a/Dockerfile ++++ b/Dockerfile +@@ -13,7 +13,7 @@ + # See the License for the specific language governing permissions and + # limitations under the License. + +-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 AS builder ++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder + ENV APP_ROOT=/opt/app-root + ENV GOPATH=$APP_ROOT + +@@ -31,7 +31,13 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o + RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server + + # Multi-Stage production build +-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 as deploy ++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy ++ ++LABEL description="Rekor provides an immutable tamper resistant ledger of metadata generated within a software projects supply chain." ++LABEL io.k8s.description="Rekor provides an immutable tamper resistant ledger of metadata generated within a software projects supply chain." ++LABEL io.k8s.display-name="Rekor container image for Red Hat Trusted Signer" ++LABEL io.openshift.tags="rekor trusted-signer" ++LABEL summary="The rekor-server binary provides an immutable, tamper-resistant log." + + # Retrieve the binary from the previous stage + COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server diff --git a/redhat/patches/0002-makefile.patch b/redhat/patches/0002-makefile.patch new file mode 100644 index 000000000..5f0c9cbea --- /dev/null +++ b/redhat/patches/0002-makefile.patch 
@@ -0,0 +1,13 @@ +diff --git a/Makefile b/Makefile +index 9c2467b..4904ad9 100644 +--- a/Makefile ++++ b/Makefile +@@ -83,7 +83,7 @@ rekor-server: $(SRCS) + CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/rekor-server + + backfill-redis: $(SRCS) +- CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/backfill-redis ++ CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o backfill-redis ./cmd/backfill-redis + + test: + go test ./... diff --git a/redhat/patches/0003-storage.patch b/redhat/patches/0003-storage.patch new file mode 100644 index 000000000..7866ac384 --- /dev/null +++ b/redhat/patches/0003-storage.patch @@ -0,0 +1,13 @@ +diff --git a/scripts/storage.sql b/scripts/storage.sql +index 1e691a8..939ed12 100644 +--- a/scripts/storage.sql ++++ b/scripts/storage.sql +@@ -129,7 +129,7 @@ CREATE TABLE IF NOT EXISTS SequencedLeafData( + ); + + +-CREATE INDEX SequencedLeafMerkleIdx ++CREATE INDEX IF NOT EXISTS SequencedLeafMerkleIdx + ON SequencedLeafData(TreeId, MerkleLeafHash); + + CREATE TABLE IF NOT EXISTS Unsequenced( diff --git a/redhat/release/update-to-head.sh b/redhat/release/update-to-head.sh new file mode 100755 index 000000000..03c4cbad2 --- /dev/null +++ b/redhat/release/update-to-head.sh 
@@ -0,0 +1,105 @@ +#!/usr/bin/env bash + +# Copyright 2023 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# The local git repo must have a remote "upstream" pointing +# to upstream sigstore/rekor, and a remote "origin" +# pointing to securesign/rekor + +# Synchs the release-next branch to either the upstream `main` branch +# or a provided git-ref (typically an upstream release tag) and then triggers CI. +# +# NOTE: This requires a corresponding midstream branch to exist in the securesign fork +# with the same name as the upstream branch/ref, but prefixed with "midstream-". +# +# Usage: update-to-head.sh [] + +if [ "$#" -ne 1 ]; then + upstream_ref="main" + midstream_ref="main" + redhat_ref="release-next" +else + upstream_ref=$1 + midstream_ref="midstream-${upstream_ref}" # The overlays and patches for the given version + redhat_ref="redhat-${upstream_ref}" # The midstream repo with overlays and patches applied +fi + +echo "Synchronizing ${redhat_ref} to upstream/${upstream_ref}..." + +set -e +REPO_NAME=$(basename $(git rev-parse --show-toplevel)) + +# Custom files +custom_files=$(cat <. +git fetch upstream $upstream_ref +if [[ "$upstream_ref" == "main" ]]; then + git checkout upstream/main -B ${redhat_ref} +else + git checkout $upstream_ref -B ${redhat_ref} +fi + +# Update redhat's main and take all needed files from there. 
+git fetch origin $midstream_ref +git checkout origin/$midstream_ref $custom_files + +# Apply midstream patches +if [[ -d redhat/patches ]]; then + git apply redhat/patches/* +fi + +# RHTAP writes its pipeline files to the root of ${redhat_ref} +# Fetch those from origin and apply them to the the release branch +# since we just wiped out our local copy with the upstream ref. +git fetch origin $redhat_ref +git checkout origin/$redhat_ref .tekton + +# Move overlays to root +if [[ -d redhat/overlays ]]; then + git mv redhat/overlays/* . +fi + +git add . # Adds applied patches +git add $custom_files # Adds custom files +git commit -m "${redhat_files_msg}" + +# Push the release-next branch +git push -f origin "${redhat_ref}" + +# Trigger CI +# TODO: Set up openshift or github CI to run on release-next-ci +git checkout "${redhat_ref}" -B "${redhat_ref}"-ci +date > ci +git add ci +git commit -m "${robot_trigger_msg}" +git push -f origin "${redhat_ref}-ci" + +if hash hub 2>/dev/null; then + # Test if there is already a sync PR in + COUNT=$(hub api -H "Accept: application/vnd.github.v3+json" repos/securesign/${REPO_NAME}/pulls --flat \ + | grep -c "${robot_trigger_msg}") || true + if [ "$COUNT" = "0" ]; then + hub pull-request --no-edit -l "kind/sync-fork-to-upstream" -b securesign/${REPO_NAME}:${redhat_ref} -h securesign/${REPO_NAME}:${redhat_ref}-ci -m "${robot_trigger_msg}" + fi +else + echo "hub (https://github.com/github/hub) is not installed, so you'll need to create a PR manually." +fi diff --git a/scripts/storage.sql b/scripts/storage.sql index 1e691a8b8..939ed1272 100644 --- a/scripts/storage.sql +++ b/scripts/storage.sql @@ -129,7 +129,7 @@ CREATE TABLE IF NOT EXISTS SequencedLeafData( ); -CREATE INDEX SequencedLeafMerkleIdx +CREATE INDEX IF NOT EXISTS SequencedLeafMerkleIdx ON SequencedLeafData(TreeId, MerkleLeafHash); CREATE TABLE IF NOT EXISTS Unsequenced(
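Review bot: Nothing verifies that the `upstream` remote really points at sigstore/rekor before `git checkout upstream/main -B ${redhat_ref}` and the later `git push -f origin "${redhat_ref}"`, so a mis-configured remote would silently rebuild and force-push the release branch from whatever that remote serves; a guard near the top, `git remote get-url upstream | grep -q 'sigstore/rekor' || { echo "remote 'upstream' must point at sigstore/rekor" >&2; exit 1; }`, fails closed where the header comment only states the requirement. `set -e` is switched on only after argument handling, and without `-u` a reference such as `${redhat_files_msg}` or `${robot_trigger_msg}` that happens to be unset — their assignments are not legible in this rendering of the hunk, so they may well exist — yields an empty commit message instead of an abort; `set -euo pipefail` as the first statement is the usual form. In the `hub` branch, `COUNT=$(hub api … | grep -c …) || true` evaluates to `0` both when no sync PR exists and when the API call itself fails, so an auth or network error leads straight to a `hub pull-request` attempt; checking the exit status of `hub api` separately from the grep distinguishes the two cases. The closing message could also mention that `hub` has been archived in favour of `gh`.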
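Review bot: `CREATE INDEX IF NOT EXISTS` is accepted by MariaDB but, as far as I know, not by MySQL, whose `CREATE INDEX` has no `IF NOT EXISTS` clause, so if this schema is ever loaded into a MySQL-backed Trillian deployment the new line fails to parse while the surrounding `CREATE TABLE IF NOT EXISTS` statements are fine on both. If MariaDB is the only supported backend for this fork, a comment above the index, `-- IF NOT EXISTS on CREATE INDEX requires MariaDB; MySQL rejects it`, would record that decision for the next reader. The redhat/patches/0003-storage.patch file added earlier in this commit carries the same change.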