
Commit ff5162e

committed
verify ec and sboms from private registry
- also changed ci-test and setup to use a private registry by default and to disable ACS when they do; you can switch back to the public registry by setting TEST_PRIVATE_REGISTRY=false before running ci-test and the other setup scripts. TODO -- the env file is created in multiple places -- it would be good to make that common in one place.
1 parent 9df1d41 commit ff5162e

6 files changed

+28
-4
lines changed

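--- a/build-pipeline.sh
+++ b/build-pipeline.sh
@@ -31,7 +31,7 @@ cp -r rhtap $BUILD/
 # ENV with params
 SETUP_ENV=$BUILD/rhtap/env.sh
 cp rhtap/env.template.sh $SETUP_ENV
-sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
+sed -i "s!\${{ values.image }}!$IMAGE_TO_BUILD!g" $SETUP_ENV
 sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
 sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
 sed -i "s!\${{ values.repoURL }}!$OPTIONAL_REPO_UPDATE!g" $SETUP_ENV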
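Review bot: The new sed on line 34 substitutes `$IMAGE_TO_BUILD` without checking that it is set, so if this script runs without the variable in its environment the `${{ values.image }}` placeholder becomes an empty string and the env file silently points at no image, whereas the old line always produced a usable reference. A guard just before the sed, `: "${IMAGE_TO_BUILD:?set by setup-local-dev-repos.sh or the caller}"`, fails fast instead. The value is also interpolated unquoted into the sed replacement, so a reference containing `!`, `&` or `\` would break or alter the substitution; the quay.io names used here presumably never contain those, but that assumption deserves a comment. The rest of the script lies outside the hunk.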

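--- a/ci-test.sh
+++ b/ci-test.sh
@@ -32,7 +32,7 @@ function updateBuild() {
 mkdir -p $REPO/rhtap
 SETUP_ENV=$REPO/rhtap/env.sh
 cp rhtap/env.template.sh $SETUP_ENV
-sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
+sed -i "s!\${{ values.image }}!$IMAGE_TO_BUILD!g" $SETUP_ENV
 sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
 sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
 sed -i "s!\${{ values.repoURL }}!$GITOPS_REPO_UPDATE!g" $SETUP_ENV
@@ -46,6 +46,13 @@ function updateBuild() {
 echo "export IGNORE_REKOR=$IGNORE_REKOR" >> $SETUP_ENV
 echo "export TUF_MIRROR=$TUF_MIRROR" >> $SETUP_ENV
 echo "# Update forced CI test $(date)" >> $SETUP_ENV
+
+if [[ "$TEST_PRIVATE_REGISTRY" == "true" ]]; then
+echo "WARNING Due to private repos, disabling ACS"
+sed -i '/export DISABLE_ACS=/d' $SETUP_ENV
+echo "export DISABLE_ACS=true" >> $SETUP_ENV
+fi
+
 updateGitAndQuayRefs $SETUP_ENV
 cat $SETUP_ENV
 }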
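Review bot: The new block at lines 50–54 reads `$TEST_PRIVATE_REGISTRY` unguarded, so if ci-test.sh runs under `set -u` without setup-local-dev-repos.sh having exported it, the test aborts instead of taking the public path; `if [[ "${TEST_PRIVATE_REGISTRY:-false}" == "true" ]]; then` makes the fallback explicit. The warning that a scan gate is being switched off is written to stdout, where it is easy to miss in CI output; it should go to stderr (`echo "WARNING Due to private repos, disabling ACS" >&2`), and the reason belongs in the env file next to the override so a reader of the committed env.sh sees why, e.g. `echo "# DISABLE_ACS=true: image is in a private registry, ACS scanning skipped" >> $SETUP_ENV`. updateBuild() opens outside the hunk.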

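--- a/promote-pipeline.sh
+++ b/promote-pipeline.sh
@@ -19,7 +19,7 @@ fi
 cp -r rhtap $GITOPS/rhtap
 SETUP_ENV=$GITOPS/rhtap/env.sh
 cp rhtap/env.template.sh $SETUP_ENV
-sed -i "s!\${{ values.image }}!quay.io/$MY_QUAY_USER/bootstrap!g" $SETUP_ENV
+sed -i "s!\${{ values.image }}!$IMAGE_TO_BUILD!g" $SETUP_ENV
 sed -i "s!\${{ values.dockerfile }}!Dockerfile!g" $SETUP_ENV
 sed -i "s!\${{ values.buildContext }}!.!g" $SETUP_ENV
 sed -i "s!\${{ values.repoURL }}!!g" $SETUP_ENV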
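Review bot: Line 22 now writes whatever `$IMAGE_TO_BUILD` holds into the gitops env.sh with no check that it is non-empty, so a promote run started without the variable (it is only assigned in setup-local-dev-repos.sh, as far as this commit shows) replaces the placeholder with nothing and the promoted env carries a blank image reference. Add `: "${IMAGE_TO_BUILD:?IMAGE_TO_BUILD must be set before promoting}"` ahead of the sed so the failure is loud and early rather than surfacing later in the gitops repo. The rest of the script is outside the hunk.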

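--- a/rhtap/download-sbom-from-url-in-attestation.sh
+++ b/rhtap/download-sbom-from-url-in-attestation.sh
@@ -120,6 +120,13 @@ fi
 
 jq -r '.components[].containerImage' <<< "$IMAGES" | while read -r image; do
 echo "Getting attestation for $image"
+
+image_registry="${image/\/*/}"
+# If the repo is not publicly accessible we need to authenticate so ec can access it
+prepare-registry-user-pass $image_registry
+echo "cosign login to registry $image_registry"
+cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
+
 mkdir -p "$WORKDIR/$image"
 cosign_verify_multiple_attestation_types \
 --type slsaprovenance02 \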
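Review bot: The `cosign login` added at line 128 passes the registry secret as a `--password=` argument, so it is visible in the process list and in any `set -x` or CI command echo, once per image in the loop; cosign accepts `--password-stdin`, which keeps the secret off argv. The login is also repeated for every image even when the registry does not change, and `$image_registry` is unquoted on both the `prepare-registry-user-pass` and `cosign login` lines. A version that logs in once per distinct registry and feeds the password on stdin is below; the tracking variable survives across iterations because the whole `while` loop runs in one pipeline subshell. Note that `${image/\/*/}` yields the bare repository name when a reference has no registry component, which I assume the attestation never produces. The loop body continues past the hunk with the verification calls.
```shell
  image_registry="${image/\/*/}"
  # If the repo is not publicly accessible we need to authenticate so ec can access it;
  # log in once per registry and keep the password off argv / ps / set -x output
  if [[ "$image_registry" != "${logged_in_registry:-}" ]]; then
    prepare-registry-user-pass "$image_registry"
    echo "cosign login to registry $image_registry"
    printf '%s' "$IMAGE_REGISTRY_PASSWORD" | cosign login --username="$IMAGE_REGISTRY_USER" --password-stdin "$image_registry"
    logged_in_registry="$image_registry"
  fi
  # … unchanged: mkdir and cosign_verify_multiple_attestation_types …
```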

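--- a/rhtap/verify-enterprise-contract.sh
+++ b/rhtap/verify-enterprise-contract.sh
@@ -47,7 +47,8 @@ function validate() {
 local image_registry="${first_image_ref/\/*/}"
 # If the repo is not publicly accessible we need to authenticate so ec can access it
 prepare-registry-user-pass $image_registry
-buildah login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
+echo "cosign login to registry $image_registry"
+cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry
 
 ec validate image \
 "--images" \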
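Review bot: The replacement `cosign login` on line 51 keeps the registry password on the command line (`--password="$IMAGE_REGISTRY_PASSWORD"`), as the removed buildah line did, so it is readable via `ps` and in any `set -x` trace of the pipeline; `printf '%s' "$IMAGE_REGISTRY_PASSWORD" | cosign login --username="$IMAGE_REGISTRY_USER" --password-stdin "$image_registry"` avoids that and quotes the registry. Only the registry of `first_image_ref` is logged into, so if `ec validate image` is handed images from more than one private registry the later ones presumably still fail to authenticate; if that is a known limitation it deserves a comment on line 47, e.g. `# Assumes every image under validation lives in the same registry as the first one`. validate() starts and ends outside the hunk.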

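--- a/setup-local-dev-repos.sh
+++ b/setup-local-dev-repos.sh
@@ -102,6 +102,15 @@ GITLAB_GITOPS=$TMP_REPOS/gitlab-gitops
 JENKINS_BUILD=$TMP_REPOS/jenkins-build
 JENKINS_GITOPS=$TMP_REPOS/jenkins-gitops
 
+# Change this for public or private image testing
+export TEST_PRIVATE_REGISTRY=${TEST_PRIVATE_REGISTRY:-true}
+if [[ "$TEST_PRIVATE_REGISTRY" == "true" ]]; then
+echo "Note, private image being built by ci-test, acs disabled"
+IMAGE_TO_BUILD=quay.io/$MY_QUAY_USER/private-image
+else
+IMAGE_TO_BUILD=quay.io/$MY_QUAY_USER/bootstrap
+fi
+
 cloneRepo $UPSTREAM_BUILD_REPO ${TEST_BUILD_REPO_SSH:-$TEST_BUILD_REPO} $TEST_BUILD_REPO $BUILD
 cloneRepo $UPSTREAM_GITOPS_REPO ${TEST_GITOPS_REPO_SSH:-$TEST_GITOPS_REPO} $TEST_GITOPS_REPO $GITOPS
 cloneRepo $UPSTREAM_BUILD_REPO ${TEST_BUILD_GITLAB_REPO_SSH:-$TEST_BUILD_GITLAB_REPO} $TEST_BUILD_GITLAB_REPO $GITLAB_BUILD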
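Review bot: `IMAGE_TO_BUILD` is assigned on lines 109 and 111 but, unlike `TEST_PRIVATE_REGISTRY` on line 106, not exported, so if ci-test.sh and the pipeline scripts that now substitute `$IMAGE_TO_BUILD` into env.sh run as child processes rather than being sourced, they see an empty value and write a blank image reference. Changing both assignments to `export IMAGE_TO_BUILD=quay.io/$MY_QUAY_USER/private-image` and `export IMAGE_TO_BUILD=quay.io/$MY_QUAY_USER/bootstrap` removes that dependence on how the script is invoked. Because the default is now `true`, the ACS scan gate is off by default for anyone running this setup, and the comment on line 105 should say so plainly, e.g. `# Defaults to a private registry, which also makes ci-test disable ACS scanning; set TEST_PRIVATE_REGISTRY=false for the public image with ACS enabled`.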
